Kong · cloudjumpercat · Sep 9, 2024 · Aug 16, 2024 · Sep 9, 2024
@@ -38,6 +38,7 @@ Before you enable the AWS IAM authentication, you must configure your AWS RDS da
    > **Warning:** You **can't** change the value of the environment variables you used to provide the AWS credential after booting {{site.base_gateway}}. Any changes are ignored.
 {% if_version gte:3.8.x %}
    - If you want to assume a role, make sure the original IAM role that Kong uses has the correct permission to assume the role of the target IAM role, and the target IAM role has the correct permission to connect to the database using IAM authentication.
+   - If you have users with non-public VPC networks and private VPC endpoints (without private DNS names enabled), you can configure an AWS Service Token Service (STS) endpoint globally with `vault_aws_sts_endpoint_url` or on a custom AWS Vault entity with `sts_endpoint_url`.
 {% endif_version %}
 
 - **Assign an IAM policy to the {{site.base_gateway}} IAM role**. For more information, see [Creating and using an IAM policy for IAM database access](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.IAMDBAuth.IAMPolicy.html) in the Amazon RDS documentation.
@@ -83,9 +84,19 @@ If you want to [assume a role](https://docs.aws.amazon.com/STS/latest/APIReferen
 KONG_PG_IAM_AUTH_ASSUME_ROLE_ARN=<role_arn>
 KONG_PG_IAM_AUTH_ROLE_SESSION_NAME=<role_session_name>
 
+# Optional, specify the custom STS endpoint URL used for the IAM assume role
+# This value will override the default STS endpoint URL, which should be
+# `https://sts.amazonaws.com`, or `https://sts.<region>.amazonaws.com` if
+# `AWS_STS_REGIONAL_ENDPOINTS` is set to `regional`(by default).
+# If you are not using a private VPC endpoint for STS service, you should
+# not specify this value
+KONG_PG_IAM_AUTH_STS_ENDPOINT_URL=https://your.endpoint.to.aws.sts.service.amazonaws.com
+
 # For read-only connections, if you need a different role than for read-write
 KONG_PG_RO_IAM_AUTH_ASSUME_ROLE_ARN=<role_arn>
 KONG_PG_RO_IAM_AUTH_ROLE_SESSION_NAME=<role_session_name>
+# Optional, same as KONG_PG_IAM_AUTH_STS_ENDPOINT_URL
+KONG_PG_RO_IAM_AUTH_STS_ENDPOINT_URL=https://your.endpoint.to.aws.sts.service.amazonaws.com
 ```
 
 {% endif_version %}
@@ -113,10 +124,19 @@ If you want to [assume a role](https://docs.aws.amazon.com/STS/latest/APIReferen
 # For read-write connections
 pg_iam_auth_assume_role_arn=<role_arn>
 pg_iam_auth_role_session_name=<role_session_name>
+# Optional, specify the custom STS endpoint URL used for the IAM assume role
+# This value will override the default STS endpoint URL, which should be
+# `https://sts.amazonaws.com`, or `https://sts.<region>.amazonaws.com` if
+# `AWS_STS_REGIONAL_ENDPOINTS` is set to `regional`(by default).
+# If you are not using a private VPC endpoint for STS service, you should
+# not specify this value
+pg_iam_auth_sts_endpoint_url=https://your.endpoint.to.aws.sts.service.amazonaws.com
 
 # For read-only connections, if you need a different role than for read-write
 pg_ro_iam_auth_assume_role_arn=<role_arn>
 pg_ro_iam_auth_role_session_name=<role_session_name>
+# Optional, same as `pg_iam_auth_sts_endpoint_url`
+pg_ro_iam_auth_sts_endpoint_url=https://your.endpoint.to.aws.sts.service.amazonaws.com
 ```
 
 {% endif_version %}

@@ -196,6 +196,10 @@ Parameter | Field name                     | Description
 `vaults.config.role_session_name` | **Role Session Name** | The role session name used for role assuming. The default value is `KongVault`.
 {% endif_version -%}
 
+{% if_version gte:3.8.x -%}
+`vaults.config.sts_endpoint_url` | **AWS STS Endpoint URL** | The custom STS endpoint URL used for the IAM assume role in AWS Vault. You can specify a complete URL, including the `http/https` scheme. This value will override the default STS endpoint URL, which should be `https://sts.amazonaws.com`, or `https://sts.<region>.amazonaws.com` if `AWS_STS_REGIONAL_ENDPOINTS` is set to `regional`(by default). If you are not using a private VPC endpoint for STS service, you should not specify this value.
+{% endif_version -%}
+
 `vaults.config.ttl` | **TTL** | Time-to-live (in seconds) of a secret from the vault when it's cached. The special value of 0 means "no rotation" and it's the default. When using non-zero values, it is recommended that they're at least 1 minute.
 `vaults.config.neg_ttl` | **Negative TTL** | Time-to-live (in seconds) of a vault miss (no secret). Negatively cached secrets will remain valid until `neg_ttl` is reached, after which Kong will attempt to refresh the secret again. The default value for `neg_ttl` is 0, meaning no negative caching occurs.
 `vaults.config.resurrect_ttl` | **Resurrect TTL** | Time (in seconds) for how long secrets will remain in use after they are expired ( using `config.ttl` as the stopping point). This is useful when a vault becomes unreachable, or when a secret is deleted from the vault and isn't replaced immediately. In both cases, gateway will keep trying to refresh the secret for `resurrect_ttl` seconds. After that, it will stop trying to refresh. Assigning a sufficiently high value to this configuration option is recommended to ensure a seamless transition in case there are unexpected issues with the vault. The default value for `resurrect_ttl` is 1^e8 seconds, which is about 3 years.