Get Started with Secrets Management

The following example uses the most basic form of secrets management: storing secrets in environment variables. In this example, you will replace a plaintext password to your PostgreSQL database with a reference to an environment variable.

You can also store secrets in a secure vault backend. For a list of supported vault backend implementations, see the .

In this example we’ll replace our plaintext password to our PostgreSQL database with a reference. To do so, define your environment variable and assign a secret value to it.

Define your environment variable and assign a secret value to it:

In this case, the reference would look like this:

Where:

• env is the name of the backend , since we’re storing the secret in a ENV variable.
• my-secret-postgres-password corresponds to the environment variable that you just defined.

Note that the reference is wrapped in curly braces.

Using the reference

You can specify configuration options using environment variables or by directly updating the configuration file.

Environment variable

Configuration file

The file contains the property pg_password. Replace the original value with the following, adjusting my-secret-postgres-password to your own password object name:

Upon startup, Kong Gateway tries to detect and transparently resolve references.

See the documentation for more information on the configuration options for each vault backend.