Vault Authentication

Add authentication to a Gateway Service or Route with an access token and a secret token. Credential tokens are stored securely via Vault.

The credential lifecycle can be managed through the Admin API, or independently via Vault.

When reading a token from Vault, Kong Gateway will search the KV value for the presence of a ttl field. When this field is present, Kong Gateway will respect the advisory value of the ttl field and store the value of the credential in the cache for only as long as the ttl field defines. This allows Kong Gateway to periodically refresh tokens created directly in Vault, outside of the Admin API.

Kong Gateway can read access/secret token pairs that were created directly in Vault, outside of the Kong Gateway Admin API. Vault KV secret values must contain the following fields:

{
 access_token: {your-string}
 secret_token: {your-string}
 created_at: {your-date-integer}
 updated_at: {your-date-integer}
 ttl: {your-integer} # optional
 consumer: {
 id: {consumer-uuid}
 }
}

Additional fields within the secret are ignored. The key must be the access_token value; this is the identifier by which Kong Gateway queries the Vault API to fetch the credential data.

See the Vault documentation for version 1 or version 2 for more information on the KV secrets engine.

vault-auth token pairs can be created with the Vault HTTP API or the vault write command:

vault write kong-auth/foo - <<EOF
{
 "access_token": "foo",
 "secret_token": "supersecretvalue",
 "consumer": {
 "id": "ce67c25e-2168-4a09-81e5-e06187a2384f"
 },
 "ttl": 86400
}
EOF