How to automatically generate API key?

Hi,

First, I have experience with configuring Kong using PostgreSQL database.

I’m now learning about Kong Ingress Controller (KIC) on Kubernetes. I’ve got Kong deployed on my cluster, services and routes configured, and the key-auth plugin added. It’s all working, so far so good.

Although the "Provisioning Consumers and Credentials - Kong Ingress Controller - v2.8.x | Kong Docs" page explains how to configure the key-auth plugin for KIC, it creates the API key from a dummy literal stored in a Kubernetes secret:

kubectl create secret generic kotenok-key-auth \
  --from-literal=kongCredType=key-auth  \
  --from-literal=key=gav

This is all clear and good for learning, but I assume this is not how it’s done at larger scale or in production, is it? What is the proper way to manage API keys at scale?

The "Key Auth - Plugin | Kong Docs" page makes this recommendation:

[image: the recommendation from the Key Auth plugin docs, not preserved]

Does this apply to DB-only installation of Kong or does it also apply to DB-less and Kong Ingress Controller?

Is there any way to request KIC to automatically generate API key and perhaps even store it in Kubernetes secret?

@mloskot - There is an auto-generated option in Kong Manager for Consumer credentials.

Maybe for KIC, it's meant to be using some external providers. Hope this helps.


@JohnWilliams Yes, running Kong with traditional mode (i.e. with database) does indeed support auto-generating of API keys, and it works fine with Kong Manager as well as curl-ed requests to the Admin API. Although it is useful for testing and learning Kong, it does not answer my need for KIC.

As you suggested, I currently use Kubernetes secrets importing API keys managed and stored in an external vault, but I’m interested in what the best practices used in production are.

I am also curious if the CRDs can just create some random string and store it in a Kubernetes secret.
For now, we are using Terraform to create a random string and store it in AWS Secrets Manager, and we use the externalSecret operator to move the secret from AWS to Kubernetes.

@chi_ding As you see, my question received no informative responses.

I used to use Terraform to generate values for secrets stored in Azure Key Vault and read by Kubernetes, but I have switched to using https://external-secrets.io for all of these purposes.

I hope it helps.
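
For the question at the top of the thread, one way to replace the hand-typed `key=gav` literal with a generated key, as an added example that is not from any poster or from Kong's documentation. The function names `gen_api_key` and `kong_key_auth_secret` are hypothetical; the secret name and the `kongCredType` / `key` fields are the ones used in the first post.

```shell
#!/bin/sh
# Added example: build a key-auth credential Secret for KIC with a random key.
# The manifest goes to stdout, so the key never appears in argv or shell
# history the way a --from-literal value does.

# gen_api_key [BYTES]: print a URL-safe random string from the kernel CSPRNG.
gen_api_key() (
  bytes="${1:-32}"
  # base64-encode, switch to the URL-safe alphabet, drop padding and newlines
  head -c "$bytes" /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
)

# valid_k8s_name NAME: succeed only for lowercase DNS-style object names,
# which also keeps unexpected characters out of the generated YAML.
valid_k8s_name() {
  printf '%s' "$1" | LC_ALL=C grep -Eq '^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$'
}

# kong_key_auth_secret NAME [NAMESPACE]: print a Secret manifest on stdout.
kong_key_auth_secret() (
  name="$1"
  namespace="${2:-default}"
  for v in "$name" "$namespace"; do
    valid_k8s_name "$v" || { echo "invalid name: $v" >&2; return 1; }
  done
  key="$(gen_api_key 32)"
  # 32 random bytes encode to 43 characters; refuse anything shorter.
  [ "${#key}" -ge 43 ] || { echo "short read from /dev/urandom" >&2; return 1; }
  # kongCredType is the field used by the v2.8.x docs quoted in the thread;
  # check the docs for the KIC version you run.
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: Opaque
stringData:
  kongCredType: key-auth
  key: "${key}"
EOF
)

# Usage (needs cluster access):
#   kong_key_auth_secret kotenok-key-auth | kubectl create -f -
```

`kubectl create` fails if the Secret already exists, so re-running the command does not silently rotate a key that clients are already using.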