open-vault/website/source/docs/secrets/consul/index.html.md

---
layout: "docs"
page_title: "Secret Backend: Consul"
sidebar_current: "docs-secrets-consul"
description: |-
  The Consul secret backend for Vault generates tokens for Consul dynamically.
---

# Consul Secret Backend

Name: `consul`

The Consul secret backend for Vault generates
[Consul](https://www.consul.io)
API tokens dynamically based on Consul ACL policies.

This page will show a quick start for this backend. For detailed documentation
on every path, use `vault path-help` after mounting the backend.

## Quick Start

The first step to using the consul backend is to mount it.
Unlike the `generic` backend, the `consul` backend is not mounted by default.

```
$ vault mount consul
Successfully mounted 'consul' at 'consul'!
```

[Acquire a management token from
Consul](https://www.consul.io/docs/agent/http/acl.html#acl_create), using the
`acl_master_token` from your Consul configuration file or any other management
token:

```shell
$ curl \
    -H "X-Consul-Token: secret" \
    -X PUT \
    -d '{"Name": "sample", "Type": "management"}' \
    http://127.0.0.1:8500/v1/acl/create
```
```javascript
{
  "ID": "adf4238a-882b-9ddc-4a9d-5b6758e4159e"
}
```

Next, we must configure Vault to know how to contact Consul.
This is done by writing the access information:

```
$ vault write consul/config/access \
    address=127.0.0.1:8500 \
    token=adf4238a-882b-9ddc-4a9d-5b6758e4159e
Success! Data written to: consul/config/access
```

In this case, we've configured Vault to connect to Consul
on the default port with the loopback address. We've also provided
an ACL token to use with the `token` parameter. Vault must have a management
type token so that it can create and revoke ACL tokens.

The next step is to configure a role. A role is a logical name that maps
to a role used to generated those credentials. For example, lets create
a "readonly" role:

```
POLICY='key "" { policy = "read" }'
$ echo $POLICY | base64 | vault write consul/roles/readonly policy=-
Success! Data written to: consul/roles/readonly
```

The backend expects the policy to be base64 encoded, so we need to encode it
properly before writing. The policy language is [documented by
Consul](https://www.consul.io/docs/internals/acl.html), but we've defined a
read-only policy.

To generate a new set Consul ACL token, we simply read from that role:

```
$ vault read consul/creds/readonly
Key           	Value
lease_id      	consul/creds/readonly/c7a3bd77-e9af-cfc4-9cba-377f0ef10e6c
lease_duration	3600
token         	973a31ea-1ec4-c2de-0f63-623f477c2510
```

Here we can see that Vault has generated a new Consul ACL token for us.
We can test this token out, and verify that it is read-only:

```
$ curl 127.0.0.1:8500/v1/kv/foo?token=973a31ea-1ec4-c2de-0f63-623f477c25100
[{"CreateIndex":12,"ModifyIndex":53,"LockIndex":4,"Key":"foo","Flags":3304740253564472344,"Value":"YmF6"}]

$ curl -X PUT -d 'test' 127.0.0.1:8500/v1/kv/foo?token=973a31ea-1ec4-c2de-0f63-623f477c2510
Permission denied
```

## API

### /consul/config/access
#### POST

<dl class="api">
  <dt>Description</dt>
  <dd>
    Configures the access information for Consul.
    This is a root protected endpoint.
  </dd>

  <dt>Method</dt>
  <dd>POST</dd>

  <dt>URL</dt>
  <dd>`/consul/config/access`</dd>

  <dt>Parameters</dt>
  <dd>
    <ul>
      <li>
        <span class="param">address</span>
        <span class="param-flags">required</span>
        The address of the Consul instance, provided as host:port
      </li>
      <li>
        <span class="param">scheme</span>
        <span class="param-flags">optional</span>
        The URL scheme to use. Defaults to HTTP, as Consul does not expose HTTPS by default.
      </li>
      <li>
        <span class="param">token</span>
        <span class="param-flags">required</span>
        The Consul ACL token to use. Must be a management type token.
      </li>
    </ul>
  </dd>

  <dt>Returns</dt>
  <dd>
    A `204` response code.
  </dd>
</dl>

### /consul/roles/
#### POST

<dl class="api">
  <dt>Description</dt>
  <dd>
    Creates or updates the Consul role definition.
  </dd>

  <dt>Method</dt>
  <dd>POST</dd>

  <dt>URL</dt>
  <dd>`/consul/roles/<name>`</dd>

  <dt>Parameters</dt>
  <dd>
    <ul>
      <li>
        <span class="param">policy</span>
        <span class="param-flags">required</span>
        The base64 encoded Consul ACL policy. This is documented in [more
        detail here](https://www.consul.io/docs/internals/acl.html). Required
        unless the `token_type` is `management`.
      </li>
      <li>
        <span class="param">token_type</span>
        <span class="param-flags">optional</span>
        The type of token to create using this role: `client` or `management`.
        If `management`, the `policy` parameter is not required.
      </li>
      <li>
        <span class="param">lease</span>
        <span class="param-flags">optional</span>
        The lease value provided as a string duration with time suffix. Hour is
        the largest suffix.
      </li>
    </ul>
  </dd>

  <dt>Returns</dt>
  <dd>
    A `204` response code.
  </dd>
</dl>

#### GET

<dl class="api">
  <dt>Description</dt>
  <dd>
    Queries a Consul role definition.
  </dd>

  <dt>Method</dt>
  <dd>GET</dd>

  <dt>URL</dt>
  <dd>`/consul/roles/<name>`</dd>

  <dt>Parameters</dt>
  <dd>
     None
  </dd>

  <dt>Returns</dt>
  <dd>

    ```javascript
    {
      "data": {
        "policy": "abcdef="
      }
    }
    ```

  </dd>
</dl>

#### Delete

<dl class="api">
  <dt>Description</dt>
  <dd>
    Deletes a Consul role definition.
  </dd>

  <dt>Method</dt>
  <dd>DELETE</dd>

  <dt>URL</dt>
  <dd>`/consul/roles/<name>`</dd>

  <dt>Parameters</dt>
  <dd>
     None
  </dd>

  <dt>Returns</dt>
  <dd>
    A `204` response code.
  </dd>
</dl>

### /consul/creds/
#### GET

<dl class="api">
  <dt>Description</dt>
  <dd>
    Generates a dynamic Consul token based on the role definition.
  </dd>

  <dt>Method</dt>
  <dd>GET</dd>

  <dt>URL</dt>
  <dd>`/consul/creds/<name>`</dd>

  <dt>Parameters</dt>
  <dd>
     None
  </dd>

  <dt>Returns</dt>
  <dd>

    ```javascript
    {
      "data": {
        "token": "973a31ea-1ec4-c2de-0f63-623f477c2510"
      }
    }
    ```

  </dd>
</dl>
website: consul secret backend 2015-04-11 03:26:01 +00:00			`---`
			`layout: "docs"`
			`page_title: "Secret Backend: Consul"`
			`sidebar_current: "docs-secrets-consul"`
			`description: \|-`
			`The Consul secret backend for Vault generates tokens for Consul dynamically.`
			`---`

			`# Consul Secret Backend`

			Name: `consul`

			`The Consul secret backend for Vault generates`
Use HTTPS + www where appropriate 2016-01-14 18:42:47 +00:00			`[Consul](https://www.consul.io)`
website: consul secret backend 2015-04-11 03:26:01 +00:00			`API tokens dynamically based on Consul ACL policies.`

			`This page will show a quick start for this backend. For detailed documentation`
website: fixing lots of references to vault help 2015-07-13 10:12:09 +00:00			on every path, use `vault path-help` after mounting the backend.
website: consul secret backend 2015-04-11 03:26:01 +00:00
			`## Quick Start`

msyql to consul on consul backend docs 2015-04-28 18:11:42 +00:00			`The first step to using the consul backend is to mount it.`
website: consul quickstart 2015-04-27 03:17:55 +00:00			Unlike the `generic` backend, the `consul` backend is not mounted by default.

			```
			`$ vault mount consul`
			`Successfully mounted 'consul' at 'consul'!`
			```

Some copyediting/simplifying of the Consul page 2015-12-18 15:07:40 +00:00			`[Acquire a management token from`
Use HTTPS + www where appropriate 2016-01-14 18:42:47 +00:00			`Consul](https://www.consul.io/docs/agent/http/acl.html#acl_create), using the`
Some copyediting/simplifying of the Consul page 2015-12-18 15:07:40 +00:00			`acl_master_token` from your Consul configuration file or any other management
			`token:`
Update secret backend Consul documentation Adds information on the steps to get a management token for use by Vault when communicating with Consul as a secret backend. 2015-12-18 14:44:31 +00:00
			```shell
			`$ curl \`
			`-H "X-Consul-Token: secret" \`
			`-X PUT \`
			`-d '{"Name": "sample", "Type": "management"}' \`
			`http://127.0.0.1:8500/v1/acl/create`
			```
			```javascript
			`{`
			`"ID": "adf4238a-882b-9ddc-4a9d-5b6758e4159e"`
			`}`
			```

website: consul quickstart 2015-04-27 03:17:55 +00:00			`Next, we must configure Vault to know how to contact Consul.`
			`This is done by writing the access information:`

			```
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`$ vault write consul/config/access \`
			`address=127.0.0.1:8500 \`
Update secret backend Consul documentation Adds information on the steps to get a management token for use by Vault when communicating with Consul as a secret backend. 2015-12-18 14:44:31 +00:00			`token=adf4238a-882b-9ddc-4a9d-5b6758e4159e`
website: consul quickstart 2015-04-27 03:17:55 +00:00			`Success! Data written to: consul/config/access`
			```

			`In this case, we've configured Vault to connect to Consul`
			`on the default port with the loopback address. We've also provided`
			an ACL token to use with the `token` parameter. Vault must have a management
			`type token so that it can create and revoke ACL tokens.`

			`The next step is to configure a role. A role is a logical name that maps`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			`to a role used to generated those credentials. For example, lets create`
website: consul quickstart 2015-04-27 03:17:55 +00:00			`a "readonly" role:`

			```
			`POLICY='key "" { policy = "read" }'`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			`$ echo $POLICY \| base64 \| vault write consul/roles/readonly policy=-`
			`Success! Data written to: consul/roles/readonly`
website: consul quickstart 2015-04-27 03:17:55 +00:00			```

Some copyediting/simplifying of the Consul page 2015-12-18 15:07:40 +00:00			`The backend expects the policy to be base64 encoded, so we need to encode it`
			`properly before writing. The policy language is [documented by`
Use HTTPS + www where appropriate 2016-01-14 18:42:47 +00:00			`Consul](https://www.consul.io/docs/internals/acl.html), but we've defined a`
Some copyediting/simplifying of the Consul page 2015-12-18 15:07:40 +00:00			`read-only policy.`
website: consul quickstart 2015-04-27 03:17:55 +00:00
			`To generate a new set Consul ACL token, we simply read from that role:`

			```
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			`$ vault read consul/creds/readonly`
website: consul quickstart 2015-04-27 03:17:55 +00:00			`Key Value`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			`lease_id consul/creds/readonly/c7a3bd77-e9af-cfc4-9cba-377f0ef10e6c`
website: consul quickstart 2015-04-27 03:17:55 +00:00			`lease_duration 3600`
			`token 973a31ea-1ec4-c2de-0f63-623f477c2510`
			```

			`Here we can see that Vault has generated a new Consul ACL token for us.`
			`We can test this token out, and verify that it is read-only:`

			```
			`$ curl 127.0.0.1:8500/v1/kv/foo?token=973a31ea-1ec4-c2de-0f63-623f477c25100`
			`[{"CreateIndex":12,"ModifyIndex":53,"LockIndex":4,"Key":"foo","Flags":3304740253564472344,"Value":"YmF6"}]`

			`$ curl -X PUT -d 'test' 127.0.0.1:8500/v1/kv/foo?token=973a31ea-1ec4-c2de-0f63-623f477c2510`
			`Permission denied`
			```

website: document Consul APIs 2015-04-27 18:08:47 +00:00			`## API`
website: start consul api 2015-04-27 05:02:32 +00:00
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`### /consul/config/access`
			`#### POST`

			`<dl class="api">`
website: start consul api 2015-04-27 05:02:32 +00:00			`<dt>Description</dt>`
			`<dd>`
			`Configures the access information for Consul.`
			`This is a root protected endpoint.`
			`</dd>`

			`<dt>Method</dt>`
			`<dd>POST</dd>`

			`<dt>URL</dt>`
			<dd>`/consul/config/access`</dd>

			`<dt>Parameters</dt>`
			`<dd>`
			`<ul>`
			`<li>`
			`<span class="param">address</span>`
			`<span class="param-flags">required</span>`
			`The address of the Consul instance, provided as host:port`
			`</li>`
			`<li>`
			`<span class="param">scheme</span>`
			`<span class="param-flags">optional</span>`
			`The URL scheme to use. Defaults to HTTP, as Consul does not expose HTTPS by default.`
			`</li>`
			`<li>`
			`<span class="param">token</span>`
			`<span class="param-flags">required</span>`
			`The Consul ACL token to use. Must be a management type token.`
			`</li>`
			`</ul>`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`
			A `204` response code.
			`</dd>`
			`</dl>`

secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			`### /consul/roles/`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`#### POST`

			`<dl class="api">`
			`<dt>Description</dt>`
			`<dd>`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			`Creates or updates the Consul role definition.`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`</dd>`

			`<dt>Method</dt>`
			`<dd>POST</dd>`

			`<dt>URL</dt>`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			<dd>`/consul/roles/<name>`</dd>
website: document Consul APIs 2015-04-27 18:08:47 +00:00
			`<dt>Parameters</dt>`
			`<dd>`
			`<ul>`
			`<li>`
			`<span class="param">policy</span>`
			`<span class="param-flags">required</span>`
Update documentation with Consul backend `token_type` parameter. Fixes #854 2015-12-15 01:54:13 +00:00			`The base64 encoded Consul ACL policy. This is documented in [more`
Use HTTPS + www where appropriate 2016-01-14 18:42:47 +00:00			`detail here](https://www.consul.io/docs/internals/acl.html). Required`
Update documentation with Consul backend `token_type` parameter. Fixes #854 2015-12-15 01:54:13 +00:00			unless the `token_type` is `management`.
			`</li>`
			`<li>`
			`<span class="param">token_type</span>`
			`<span class="param-flags">optional</span>`
			The type of token to create using this role: `client` or `management`.
			If `management`, the `policy` parameter is not required.
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`</li>`
website: Update /consul/roles/ parameters 2015-05-26 23:54:15 +00:00			`<li>`
			`<span class="param">lease</span>`
			`<span class="param-flags">optional</span>`
Update documentation with Consul backend `token_type` parameter. Fixes #854 2015-12-15 01:54:13 +00:00			`The lease value provided as a string duration with time suffix. Hour is`
			`the largest suffix.`
website: Update /consul/roles/ parameters 2015-05-26 23:54:15 +00:00			`</li>`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`</ul>`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`
			A `204` response code.
			`</dd>`
			`</dl>`

			`#### GET`

			`<dl class="api">`
			`<dt>Description</dt>`
			`<dd>`
Do not root protect role configurations 2015-04-27 21:07:20 +00:00			`Queries a Consul role definition.`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`</dd>`

			`<dt>Method</dt>`
			`<dd>GET</dd>`

			`<dt>URL</dt>`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			<dd>`/consul/roles/<name>`</dd>
website: document Consul APIs 2015-04-27 18:08:47 +00:00
			`<dt>Parameters</dt>`
			`<dd>`
			`None`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`

			```javascript
			`{`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"data": {`
			`"policy": "abcdef="`
			`}`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`}`
			```

			`</dd>`
			`</dl>`

			`#### Delete`

			`<dl class="api">`
			`<dt>Description</dt>`
			`<dd>`
Do not root protect role configurations 2015-04-27 21:07:20 +00:00			`Deletes a Consul role definition.`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`</dd>`

			`<dt>Method</dt>`
			`<dd>DELETE</dd>`

			`<dt>URL</dt>`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			<dd>`/consul/roles/<name>`</dd>
website: document Consul APIs 2015-04-27 18:08:47 +00:00
			`<dt>Parameters</dt>`
			`<dd>`
			`None`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`
			A `204` response code.
			`</dd>`
			`</dl>`

secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			`### /consul/creds/`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`#### GET`

			`<dl class="api">`
			`<dt>Description</dt>`
			`<dd>`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			`Generates a dynamic Consul token based on the role definition.`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`</dd>`

			`<dt>Method</dt>`
			`<dd>GET</dd>`

			`<dt>URL</dt>`
secret/consul: replace policy with roles, and prefix the token path 2015-04-27 20:59:56 +00:00			<dd>`/consul/creds/<name>`</dd>
website: document Consul APIs 2015-04-27 18:08:47 +00:00
			`<dt>Parameters</dt>`
			`<dd>`
			`None`
			`</dd>`

			`<dt>Returns</dt>`
			`<dd>`

			```javascript
			`{`
Remove tabs from terminal output This also standardizes on the indentation we use for multi-line commands as well as prefixes all commands with a $ to indicate a shell. 2015-10-12 16:10:22 +00:00			`"data": {`
			`"token": "973a31ea-1ec4-c2de-0f63-623f477c2510"`
			`}`
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`}`
			```

			`</dd>`
			`</dl>`