Vault vs Kong | What are the differences?

Overview

Vault

Stacks808

Followers802

Votes71

GitHub Stars33.4K

Forks4.5K

Kong

Stacks650

Followers1.5K

Votes139

GitHub Stars42.1K

Forks5.0K

Kong vs Vault: What are the differences?

What is Kong? Open Source Microservice & API Management Layer. Kong is a scalable, open source API Layer (also known as an API Gateway, or API Middleware). Kong controls layer 4 and 7 traffic and is extended through Plugins, which provide extra functionality and services beyond the core platform.

What is Vault? Secure, store, and tightly control access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

Kong can be classified as a tool in the "Microservices Tools" category, while Vault is grouped under "Secrets Management".

Some of the features offered by Kong are:

Logging: Log requests and responses to your system over TCP, UDP or to disk
OAuth2.0: Add easily an OAuth2.0 authentication to your APIs
Monitoring: Live monitoring provides key load and performance server metrics

On the other hand, Vault provides the following key features:

Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.
Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.

"Easy to maintain" is the top reason why over 28 developers like Kong, while over 11 developers mention "Secure" as the leading cause for choosing Vault.

Kong and Vault are both open source tools. It seems that Kong with 22.4K GitHub stars and 2.75K forks on GitHub has more adoption than Vault with 13.2K GitHub stars and 1.98K GitHub forks.

DigitalOcean, Redox Engine, and SoFi are some of the popular companies that use Vault, whereas Kong is used by Checkr, Policygenius, and Cuemby. Vault has a broader approval, being mentioned in 71 company stacks & 17 developers stacks; compared to Kong, which is listed in 50 company stacks and 14 developer stacks.

🔥 Trending in Secrets Management on StackShare

Okta Personal Secrets Management

The Okta you know and love for work, but now in your personal life

Try it View Docs Alternatives

Try

0

Advice on Vault, Kong

Prateek

Mar 14, 2020

Decided

Istio based on powerful Envoy whereas Kong based on Nginx. Istio is K8S native as well it's actively developed when k8s was successfully accepted with production-ready apps whereas Kong slowly migrated to start leveraging K8s. Istio has an inbuilt turn-keyIstio based on powerful Envoy whereas Kong based on Nginx. Istio is K8S native as well it's actively developed when k8s was successfully accepted with production-ready apps whereas Kong slowly migrated to start leveraging K8s. Istio has an inbuilt turn key solution with Rancher whereas Kong completely lacks here. Traffic distribution in Istio can be done via canary, a/b, shadowing, HTTP headers, ACL, whitelist whereas in Kong it's limited to canary, ACL, blue-green, proxy caching. Istio has amazing community support which is visible via Github stars or releases when comparing both.

321k views321k

Comments

Detailed Comparison

Vault	Kong
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.	Kong is a scalable, open source API Layer (also known as an API Gateway, or API Middleware). Kong controls layer 4 and 7 traffic and is extended through Plugins, which provide extra functionality and services beyond the core platform.
Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.;Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.;Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.;Leasing and Renewal: All secrets in Vault have a lease associated with it. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.;Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.	Logging: Log requests and responses to your system over TCP, UDP or to disk; OAuth2.0: Add easily an OAuth2.0 authentication to your APIs; Monitoring: Live monitoring provides key load and performance server metrics; IP-restriction: Whitelist or blacklist IPs that can make requests; Authentication: Manage consumer credentials query string and header tokens; Rate-limiting: Block and throttle requests based on IP or authentication; Transformations: Add, remove or manipulate HTTP params and headers on-the-fly; CORS: Enable cross-origin requests to your APIs that would otherwise be blocked; Anything: Need custom functionality? Extend Kong with your own Lua plugins;
Statistics
GitHub Stars 33.4K	GitHub Stars 42.1K
GitHub Forks 4.5K	GitHub Forks 5.0K
Stacks 808	Stacks 650
Followers 802	Followers 1.5K
Votes 71	Votes 139
Pros & Cons
Pros 17 Secure 13 Variety of Secret Backends 11 Very easy to set up and use 8 Dynamic secret generation 5 AuditLog	Pros 37 Easy to maintain 32 Easy to install 26 Flexible 21 Great performance 7 Api blueprint
Integrations
No integrations available	Cassandra Docker Prometheus Kubernetes PostgreSQL NGINX Vagrant

What are some alternatives to Vault, Kong?

Amazon API Gateway

Amazon API Gateway handles all the tasks involved in accepting and processing up to hundreds of thousands of concurrent API calls, including traffic management, authorization and access control, monitoring, and API version management.

Tyk Cloud

Tyk is a leading Open Source API Gateway and Management Platform, featuring an API gateway, analytics, developer portal and dashboard. We power billions of transactions for thousands of innovative organisations.

Doppler

Doppler’s developer-first security platform empowers teams to seamlessly manage, orchestrate, and govern secrets at scale.

IBM SKLM

It centralizes, simplifies and automates the encryption key management process to help minimize risk and reduce operational costs of encryption key management. It offers secure, robust key storage, key serving and key lifecycle management for IBM and non-IBM storage solutions using the OASIS Key Management Interoperability Protocol (KMIP).

Docker Secrets

A container native solution that strengthens the Trusted Delivery component of container security by integrating secret distribution directly into the container platform.

Moesif

Build a winning API platform with instant, meaningful visibility into API usage and customer adoption

AWS Secrets Manager

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

EnvKey

Securely store config and manage access in an end-to-end encrypted, auto-syncing desktop app. Connect your apps in minutes in any language with an environment variable and a line or two of code.

Ambassador

Map services to arbitrary URLs in a single, declarative YAML file. Configure routes with CORS support, circuit breakers, timeouts, and more. Replace your Kubernetes ingress controller. Route gRPC, WebSockets, or HTTP.

Knox-app

Knox is a SaaS (Secrets as a Service) that helps you manage your keys, secrets, and configurations. Start in minutes and close the widest security breach. You cannot keep storing secrets in your git repo or sharing them by email or slack me