Consul
Create a token for Vault with Consul storage backend
This topic describes how to create a token for Vault’s Consul storage backend.
Introduction
If you are using Vault to manage secrets in your infrastructure, you can configure Vault to use Consul's key/value (KV) store as backend storage to persist Vault's data. Refer to the Consul KV documentation and the Vault storage documentation for additional information.
Requirements
Core ACL functionality is available in all versions of Consul.
The Vault Consul storage backend must present a token linked to policies that grant the following permissions:
agent:read
: Provides KV visibility to all agentskey:write
: Enables writing to the KV storeservice:write
: Enables the Vault service to register into the catalogsession:write
: Enables the agent to initialize a new session
Authentication
You must provide an ACL token linked to a policy with acl:write
permissions to create and modify ACL tokens and policies using the CLI or API.
You can provide the token manually using the -token
option on the command line, but we recommend setting the CONSUL_HTTP_TOKEN
environment variable to simplify your workflow:
$ export CONSUL_HTTP_TOKEN=<acl-token-secret-id>
The Consul CLI automatically reads the CONSUL_HTTP_TOKEN
environment variable so that you do not have to pass the token to every Consul CLI command.
To authenticate calls to the Consul HTTP API, you must provide the token in the X-Consul-Token
header for each call:
$ curl --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" ...
To learn about alternative ways to authenticate, refer to the following documentation:
Create a token linked to a policy
To create a token for Vault’s Consul storage backend, you must define a policy, register the policy with Consul, and link the policy to a token.
Define a policy
You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to ACL Rules for details about all of the rules you can use in your policies.
The following example policy is defined in a file. The policy grants the appropriate permissions to enable Vault to register as a service named vault
and provides access to the vault/
path in Consul's KV store.
agent_prefix "" {
policy = "read"
}
key_prefix "vault/" {
policy = "write"
}
service "vault" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
Register the policy with Consul
After defining the policy, you can register the policy with Consul using the command line or API endpoint.
Run the consul acl policy create
command and specify the policy rules to create a policy. Refer to Consul ACL Policy Create for details about the consul acl policy create
command.
The following example registers a policy defined in vault-storage-backend.hcl
.
$ consul acl policy create -partition "default" -namespace "default" \
-name vault-storage-backend -rules @vault-storage-backend.hcl \
-description "Policy for the Vault Consul storage backend"
Link the policy to a token
After registering the policy into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an auth method.
Run the consul acl token create
command and specify the policy name or ID to create a token linked to the policy. Refer to Consul ACL Token Create for details about the consul acl token create
command.
The following command creates the ACL token linked to the policy vault-storage-backend
.
$ consul acl token create \
-description "Token for the Vault Consul storage backend" \
-policy-name "vault-storage-backend"