---
layout: docs
page_title: Storing Enterprise License in Vault
description: >-
  Configuring the Consul Helm chart to use enterprise license stored in Vault.
---

# Storing the Enterprise License in Vault

To use an enterprise license stored in Vault, the steps will be similar to [Storing Gossip Encryption Key in Vault](/docs/k8s/installation/vault/gossip). You need to do the following:

1. Store an enterprise license key in Vault's KV2 secrets engine.
1. Create Vault Policies that allow read access to the key.
1. Create a Vault Kubernetes Auth Role that links policies from step 2 to the Kubernetes service accounts of the Consul servers and clients.

## Configuring Vault

First, store the license key in Vault:

```shell-session
$ vault kv put secret/consul/enterpriselicense key="<enterprise license>"
```

Next, you will need to create a policy that allows read access to this secret:


<CodeBlockConfig filename="enterpriselicense-policy.hcl">

```HCL
path "secret/data/consul/enterpriselicense" {
  capabilities = ["read"]
}
```

</CodeBlockConfig>

```shell-session
$ vault policy write enterpriselicense-policy enterpriselicense-policy.hcl
```

Prior to creating Vault auth roles for the Consul servers and clients, ensure that the Vault Kubernetes auth method is enabled as described in [Vault Kubernetes Auth Method](/docs/k8s/installation/vault#vault-kubernetes-auth-method).

Next, you will create Kubernetes auth roles for the Consul server and client:

```shell-session
$ vault write auth/kubernetes/role/consul-server \
    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=enterpriselicense-policy \
    ttl=1h
```

```shell-session
$ vault write auth/kubernetes/role/consul-client \
    bound_service_account_names=<Consul client service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=enterpriselicense-policy \
    ttl=1h
```

To find out the service account names of the Consul server and client,
you can run the following `helm template` commands with your Consul on Kubernetes values file:

- Generate Consul server service account name
  ```shell-session
  $ helm template --release-name ${RELEASE_NAME} -s templates/server-serviceaccount.yaml hashicorp/consul
  ```

- Generate Consul client service account name
  ```shell-session
  $ helm template --release-name ${RELEASE_NAME} -s templates/client-serviceaccount.yaml hashicorp/consul
  ```

## Deploying the Consul Helm chart

Now that you have configured Vault, you can configure the Consul Helm chart to
use the enterprise license key in Vault:

<CodeBlockConfig filename="values.yaml">

```yaml
global:
  secretsBackend:
    vault:
      enabled: true
      consulServerRole: consul-server
      consulClientRole: consul-client
  enterpriseLicense:
    secretName: secret/data/consul/enterpriselicense
    secretKey: key
```

</CodeBlockConfig>

Note that `global.enterpriseLicense.secretName` is the path of the secret in Vault.
This should be the same path as the one you included in your Vault policy.
`global.enterpriseLicense.secretKey` is the key inside the secret data. This should be the same
as the key you passed when creating the enterprise license secret in Vault.