Exclude authentication from one route of a service


I have a service with a key-auth attached on the service level, however I’d like to exclude a route from requiring authentication. Is that possible to exclude one route from authentication from a service while keeping the auth plugin enabled on the service level or do I need to turn to route based authentication?

/api/service [key-auth]
/api/service/{*} [key-auth]
/api/service/openurl [no-auth]

kong v1.1.0
kong-ingress-controller v0.3.0



If a plugin is applied to a service, it will run for all routes of the service, but if there’s another key-auth plugin attached to the route, only the most specific plugin will run (in this case, the one attached to the route)

It’s a bit hacky, but you could configure key-auth on that route only with an anonymous consumer. Check config.anonymous on key-auth plugin



Thank you very much for putting me on the right track for this, I managed to do this by issuing

curl -i -X PATCH \
--url http://kong:8001/plugins/77b29ca5-4092-499e-ba96-04983ccd877d \
--data "config.anonymous=c97b40c3-56cf-11e9-8ba9-026db3b4995a"

How ever I’m using kong-ingress-controller and I’m unsure how to link the key-auth plugin to the consumer using the kubernetes manifests, the following does not work, and I suspect I’d be able to somehow link to the consumer without using the uuid in the kubernetes manifest

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
  name: wallet-openapi-key-auth
  namespace: default 
plugin: key-auth
   anonymous: c97b40c3-56cf-11e9-8ba9-026db3b4995a


update: I managed to get the kubernetes manifest working as displayed a bow how ever using UUIDs in the manifest is not Ideal



@davideagle Indeed, please open a Github Issue for this, thank you!