How Kong Gateway 3.14 closes the consistency gap in IAM-based authentication across AWS, Azure and GCP — and what it means for your production deployments
Enterprise security teams have clear requirements: no static credentials, no exceptions. Every service-to-service connection, whether it's Kong talking to databases, caches, or vaults, should authenticate using the same IAM-based identity model that governs the rest of their cloud infrastructure. This is true regardless of which cloud provider they are on. Kong delivers exactly that.
Over time, we’ve been laying the groundwork with targeted integrations, and with Kong API Gateway 3.13 and 3.14, that work reached its natural conclusion: a unified approach to cloud-native authentication across every component Kong connects to, such as Postgres, Redis, and HashiCorp Vault. And on all three major cloud providers — AWS, Azure, and GCP. No more per-integration decisions. No more falling back to static credentials because cloud-native auth wasn't available for that specific pairing. One consistent security posture, everywhere.
Starting with 3.13 (which addressed Redis support) and completed in 3.14, Kong now presents a unified approach to cloud-native authentication across every component it connects to — databases, caches, and secrets managers alike.
**The strategic principle is straightforward**: any component Kong connects to should be configurable using that cloud's native identity system — no access keys, no static credentials, no secrets baked into configuration files.
The 3.14 example described in this blog is Kong authenticating to HashiCorp Vault using AWS IAM roles. With this approach, there are zero static secrets involved. Here's how the architecture works and exactly what you need to configure.
The setup involves two EC2 instances: one running Kong Gateway, one running HashiCorp Vault. Each gets its own IAM role. The key insight is that **Kong is not configured with access or secret keys and never presents a password to Vault**. Instead, it presents a signed AWS API request that Vault independently verifies with AWS STS.
*In this example, we’re using VaultRole as the role used for Hashicorp’s AWS IAM auth, as well as Hashicorp EC2 instance’s profile IAM role for simplicity. In practice, these two roles do not need to be the same one.*
Trust:ec2.amazonaws.com: This policy allows the AWS EC2 service to assume the IAM role. It is required to attach the role to an EC2 instance, enabling applications running on that VM to automatically retrieve and use temporary AWS credentials. If your role does not require binding to a specific EC2 instance, it can skip this policy.
Permission:sts:AssumeRole: This permission allows the current identity (e.g., KongRole) to request temporary credentials for a different target role (e.g., VaultRole). It is required to initiate the "identity switch" and perform a cross-role handshake.
Permission:iam:getRole: This permission allows the active role to retrieve metadata and the internal ID of a specific IAM role from AWS. It is required for HashiCorp Vault to verify the existence and details of the Role ARN you are trying to bind.
The critical trust relationship is on VaultRole: it must explicitly trust KongRole as a principal allowed to assume it. Without this, even if Kong has sts:AssumeRole permission, the STS call will be denied at the trust boundary.
VaultRole \- trust-policy.json
{
"Version": "2026-3-27",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
// Allows Kong to assume this role for Vault login
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_ID>:role/KongRole"
},
"Action": "sts:AssumeRole"
}
]
}
prepare-vault.sh
# Enable AWS auth method on Vault
vault auth enable aws
# Configure the client — no access key needed with instance profiles
vault write auth/aws/config/client region=us-east-1
# Create a Vault role bound to the VaultRole ARN
# (Kong presents this ARN after assuming the role)
vault write auth/aws/role/kong-role \
auth_type=iam \
bound_iam_principal_arn="arn:aws:iam::<ACCOUNT_ID>:role/VaultRole" \
policies=kong-policy \
ttl=1h
# Create the access policy
vault policy write kong-policy - <<EOF
path "kv/data/kong/*" {
capabilities = ["read"]
}
EOF
# Store a secret
vault secrets enable -path=kv kv-v2
vault kv put kv/kong/db-password value="supersecret"
kong-vault-config.yaml
vaults:
- prefix: my-vault
name: hcv
config:
auth_method: aws_iam # Use IAM, not token/approle
assume_role_arn: "arn:aws:iam::<ACCOUNT_ID>:role/VaultRole"
aws_region: us-east-1
auth_role: kong-role # Vault role name to authenticate against
host: <vault-private-ip>
port: 8200
kv: v2
💡Pro Tip AWS supports two Vault auth methods: IAM (role-based, shown here) and EC2 (instance identity document). The IAM method is recommended for production. It works across services, not just EC2.
The shift from static credentials to IAM role-based authentication isn't just a security upgrade. It changes your operational posture in meaningful ways.
If you're running Kong on AWS today and connecting to HashiCorp Vault with an AppRole token or a hardcoded access key, 3.14 gives you a clean migration path to eliminate those static credentials entirely.
Start with Kong Gateway 3.14 by [signing up for Kong Konnect](https://konghq.com/products/kong-konnect/register)signing up for Kong Konnect for free. Or, if you want to try Kong Gateway Enterprise 3.14, you can explore the options for getting started [here](https://konghq.com/install)here.
To explore the comprehensive list of features, fixes, and updates, please see the available CHANGELOG for Kong Gateway Enterprise [here](https://docs.konghq.com/gateway/changelog/)here
Traditional APIs are, in a word, predictable. You know what you're getting: Compute costs that don't surprise you Traffic patterns that behave themselves Clean, well-defined request and response cycles AI APIs, especially anything that runs on LLMs
[](https://konghq.com/blog/engineering/monetize-ai-apis)
Imagine you have a single Service, order-api . You want to apply a strict rate limit to most traffic, but you want to bypass that limit—or apply a different one—if the request contains a specific X-App-Priority: High header. Previously, you had t
[](https://konghq.com/blog/engineering/conditional-policy-execution)
How OAuth 2.0 Token Exchange Reshapes Trust Between Services — and Why the API Gateway Is Exactly the Right Place to Enforce It Modern applications don’t run as a single monolithic. They are composed of services — frontend APIs, backend microservi
[](https://konghq.com/blog/engineering/token-exchange-at-the-gateway)
Running Kong in front of your Solace Broker adds real benefits: Authentication & Access Control – protect your broker from unauthorized publishers. Validation & Transformation – enforce schemas, sanitize data, and map REST calls into event topics.
[](https://konghq.com/blog/engineering/smarter-event-driven-apis-kong-solace)
Today we're excited to announce Kong Gateway 3.9! Since unveiling Kong Gateway 3.8 at API Summit 2024 just a few months ago, we’ve been busy making important updates and improvements to Kong Gateway. This release introduces new functionality arou
[](https://konghq.com/blog/product-releases/kong-gateway-3-9)
Managing gateway configurations at scale is harder than it looks. When a plugin needs to apply to most routes, but not all, teams could either duplicate configuration across routes and violate DRY (“Don’t Repeat Yourself”) principles, or write custo
[](https://konghq.com/blog/product-releases/kong-gateway-3-14)
Free collaboration with Postman — a myth On March 1st, 2026, Postman discontinued free collaboration for small teams. Now , Git or Cloud-native collaboration requires a Team plan starting at $19 per person per month. That means even a 3-person team
[](https://konghq.com/blog/enterprise/insomnia-vs-postman-evaluating-api-testing-tools)