---
layout: "docs"
page_title: "Consul - Storage Backends - Configuration"
sidebar_title: "Consul"
sidebar_current: "docs-configuration-storage-consul"
description: |-
  The Consul storage backend is used to persist Vault's data in Consul's
  key-value store. In addition to providing durable storage, inclusion of this
  backend will also register Vault as a service in Consul with a default health
  check.
---

# Consul Storage Backend

The Consul storage backend is used to persist Vault's data in [Consul's][consul]
key-value store. In addition to providing durable storage, inclusion of this
backend will also register Vault as a service in Consul with a default health
check.

- **High Availability** – the Consul storage backend supports high availability.

- **HashiCorp Supported** – the Consul storage backend is officially supported
  by HashiCorp.

```hcl
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}
```

Once properly configured, an unsealed Vault installation should be available and
accessible at:

```text
active.vault.service.consul
```

Unsealed Vault instances in standby mode are available at:

```text
standby.vault.service.consul
```

All unsealed Vault instances are available as healthy at:

```text
vault.service.consul
```

Sealed Vault instances will mark themselves as unhealthy to avoid being returned
at Consul's service discovery layer.

Note that if you have configured multiple listeners for Vault, you must specify
which one Consul should advertise to the cluster using [`api_addr`][api-addr]
and [`cluster_addr`][cluster-addr] ([example][listener-example]).

## `consul` Parameters

- `address` `(string: "127.0.0.1:8500")` – Specifies the address of the Consul
  agent to communicate with. This can be an IP address, DNS record, or unix
  socket. It is recommended that you communicate with a local Consul agent; do
  not communicate directly with a server.

- `check_timeout` `(string: "5s")` – Specifies the check interval used to send
  health check information back to Consul. This is specified using a label
  suffix like `"30s"` or `"1h"`.

- `consistency_mode` `(string: "default")` – Specifies the Consul
  [consistency mode][consul-consistency]. Possible values are `"default"` or
  `"strong"`.

- `disable_registration` `(string: "false")` – Specifies whether Vault should
  register itself with Consul.

- `max_parallel` `(string: "128")` – Specifies the maximum number of concurrent
  requests to Consul.

- `path` `(string: "vault/")` – Specifies the path in Consul's key-value store
  where Vault data will be stored.

- `scheme` `(string: "http")` – Specifies the scheme to use when communicating
  with Consul. This can be set to `"http"` or `"https"`. It is highly recommended
  that you communicate with Consul over https on non-local connections. When
  communicating over a unix socket, this option is ignored.

- `service` `(string: "vault")` – Specifies the name of the service to register
  in Consul.

- `service_tags` `(string: "")` – Specifies a comma-separated list of tags to
  attach to the service registration in Consul.

- `service_address` `(string: nil)` – Specifies a service-specific address to
  set on the service registration in Consul. If unset, Vault will use what it
  knows to be the HA redirect address - which is usually desirable. Setting
  this parameter to `""` will tell Consul to leverage the configuration of the
  node the service is registered on dynamically. This could be beneficial if
  you intend to leverage Consul's
  [`translate_wan_addrs`][consul-translate-wan-addrs] parameter.

- `token` `(string: "")` – Specifies the [Consul ACL token][consul-acl] with
  permission to read and write from the `path` in Consul's key-value store.
  This is **not** a Vault token. This can also be provided via the environment
  variable [`CONSUL_HTTP_TOKEN`][consul-token]. See the ACL section below for help.

- `session_ttl` `(string: "15s")` – Specifies the minimum allowed [session
  TTL][consul-session-ttl]. Consul server has a lower limit of 10s on the
  session TTL by default. The value of `session_ttl` here cannot be less than
  10s unless `session_ttl_min` in the Consul server's configuration is set to
  a lower value.

- `lock_wait_time` `(string: "15s")` – Specifies the wait time before a lock
  acquisition is made. This affects the minimum time it takes to cancel a
  lock acquisition.

The following settings apply when communicating with Consul via an encrypted
connection. You can read more about encrypting Consul connections on the
[Consul encryption page][consul-encryption].

- `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate used
  for Consul communication. This defaults to the system bundle if not specified.
  This should be set according to the
  [`ca_file`](https://www.consul.io/docs/agent/options.html#ca_file) setting in
  Consul.

- `tls_cert_file` `(string: "")` (optional) – Specifies the path to the
  certificate for Consul communication. This should be set according to the
  [`cert_file`](https://www.consul.io/docs/agent/options.html#cert_file) setting
  in Consul.

- `tls_key_file` `(string: "")` – Specifies the path to the private key for
  Consul communication. This should be set according to the
  [`key_file`](https://www.consul.io/docs/agent/options.html#key_file) setting
  in Consul.

- `tls_min_version` `(string: "tls12")` – Specifies the minimum TLS version to
  use. Accepted values are `"tls10"`, `"tls11"` or `"tls12"`.

- `tls_skip_verify` `(string: "false")` – Disable verification of TLS certificates.
  Using this option is highly discouraged.

## ACLs

If using ACLs in Consul, you'll need appropriate permissions. For Consul 0.8,
the following will work for most use-cases, assuming that your service name is
`vault` and the prefix being used is `vault/`:

```json
{
  "key": {
    "vault/": {
      "policy": "write"
    }
  },
  "node": {
    "": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  },
  "agent": {
    "": {
      "policy": "write"
    }
  },
  "session": {
    "": {
      "policy": "write"
    }
  }
}
```

For Consul 1.4+, the following example takes into account the changed ACL
language:

```json
{
  "key_prefix": {
    "vault/": {
      "policy": "write"
    }
  },
  "node_prefix": {
    "": {
      "policy": "write"
    }
  },
  "service": {
    "vault": {
      "policy": "write"
    }
  },
  "agent_prefix": {
    "": {
      "policy": "write"
    }
  },
  "session_prefix": {
    "": {
      "policy": "write"
    }
  }
}
```
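The policies above assume the service name `vault` and the prefix `vault/`. The following Python check is an added example, not part of the Vault documentation or HashiCorp code: it reports where a Consul 1.4+ policy would leave the token without `write` for a given `path`, `service` and node name, using Consul's rule resolution (an exact rule wins, otherwise the longest matching prefix rule). The function names and the node name `vault-node-1` are assumptions made for the illustration, and `path` is expected with its trailing slash.

```python
import json

def effective_policy(rules, kind, name):
    """Resolve a Consul 1.4+ rule: exact match first, then longest prefix."""
    exact = rules.get(kind, {})
    if name in exact:
        return exact[name]["policy"]
    prefixes = rules.get(kind + "_prefix", {})
    matching = [p for p in prefixes if name.startswith(p)]
    if not matching:
        return None  # no rule applies: Consul falls back to its default policy
    return prefixes[max(matching, key=len)]["policy"]

def vault_gaps(policy_json, path="vault/", service="vault", node="vault-node-1"):
    """List (kind, name, policy) entries where the token would lack write."""
    rules = json.loads(policy_json)
    # The five resource kinds covered by the page's example policy.
    wanted = [("key", path), ("service", service),
              ("node", node), ("agent", node), ("session", node)]
    gaps = [(kind, name, effective_policy(rules, kind, name))
            for kind, name in wanted
            if effective_policy(rules, kind, name) != "write"]
    # A narrower rule below the storage path overrides the broader grant.
    for table in ("key", "key_prefix"):
        for prefix, rule in rules.get(table, {}).items():
            if prefix.startswith(path) and prefix != path and rule["policy"] != "write":
                gaps.append((table, prefix, rule["policy"]))
    return gaps

# The page's Consul 1.4+ policy, written compactly.
PAGE_POLICY = """{
  "key_prefix":     {"vault/": {"policy": "write"}},
  "node_prefix":    {"":       {"policy": "write"}},
  "service":        {"vault":  {"policy": "write"}},
  "agent_prefix":   {"":       {"policy": "write"}},
  "session_prefix": {"":       {"policy": "write"}}
}"""
```

Calling `vault_gaps(PAGE_POLICY, path="secrets/vault/", service="vault-prod")` shows the common failure: the policy was copied unchanged while `path` and `service` were customized, so the key and service rules no longer apply.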

## `consul` Examples

### Local Agent

This example shows a sample physical backend configuration which communicates
with a local Consul agent running on `127.0.0.1:8500`.

```hcl
storage "consul" {}
```

### Detailed Customization

This example shows communicating with Consul on a custom address with an ACL
token.

```hcl
storage "consul" {
  address = "10.5.7.92:8194"
  token   = "abcd1234"
}
```

### Custom Storage Path

This example shows storing data at a custom path in Consul's key-value store.
This path must be readable and writable by the Consul ACL token, if Consul is
configured to use ACLs.

```hcl
storage "consul" {
  path = "vault/"
}
```

### Consul via Unix Socket

This example shows communicating with Consul over a local unix socket.

```hcl
storage "consul" {
  address = "unix:///tmp/.consul.http.sock"
}
```

### Custom TLS

This example shows using a custom CA, certificate, and key file to securely
communicate with Consul over TLS.

```hcl
storage "consul" {
  scheme        = "https"
  tls_ca_file   = "/etc/pem/vault.ca"
  tls_cert_file = "/etc/pem/vault.cert"
  tls_key_file  = "/etc/pem/vault.key"
}
```
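The parameter reference recommends a local agent, https for non-local connections, and leaving `tls_skip_verify` off. The following Python linter is an added example, not part of the Vault documentation or HashiCorp code: it reads the `storage "consul"` stanza of a Vault configuration and returns a finding for each of those settings it sees. The function names and finding ids are assumptions made for the illustration, and the parser only handles flat stanzas with quoted string values, as in the examples on this page.

```python
import re

LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1"}

def parse_consul_storage(config_text):
    """Return the quoted key/value pairs of the first storage "consul" stanza."""
    stanza = re.search(r'storage\s+"consul"\s*\{(.*?)\}', config_text, re.S)
    if stanza is None:
        return None
    return dict(re.findall(r'^[ \t]*(\w+)[ \t]*=[ \t]*"([^"]*)"', stanza.group(1), re.M))

def is_local(address):
    """True for unix sockets and loopback hosts, with or without a port."""
    if address.startswith("unix://"):
        return True
    host = address
    if address.startswith("["):        # bracketed IPv6, optional port
        host = address[1:].split("]", 1)[0]
    elif address.count(":") == 1:      # host:port
        host = address.split(":", 1)[0]
    return host in LOCAL_HOSTS

def lint_consul_storage(config_text):
    """Return finding ids for settings the parameter reference warns about."""
    params = parse_consul_storage(config_text)
    if params is None:
        return ["no-consul-storage-stanza"]
    findings = []
    # Defaults below are the ones listed in the parameter reference.
    if not is_local(params.get("address", "127.0.0.1:8500")):
        findings.append("agent-not-local")
        if params.get("scheme", "http") != "https":
            findings.append("plaintext-to-remote-consul")
    if params.get("tls_skip_verify", "false").lower() == "true":
        findings.append("tls-verification-disabled")
    if params.get("tls_min_version", "tls12") in ("tls10", "tls11"):
        findings.append("tls-min-version-below-default")
    return findings

# Constructed sample configuration (not from the page): every check fires.
WEAK = '''
storage "consul" {
  address         = "10.5.7.92:8194"
  tls_skip_verify = "true"
  tls_min_version = "tls10"
}
'''
```

The Custom TLS example above, pointed at a remote address, would still return `agent-not-local`, since the page recommends talking to a local agent rather than directly to a server.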

[consul]: https://www.consul.io/ "Consul by HashiCorp"
[consul-acl]: https://www.consul.io/docs/guides/acl.html "Consul ACLs"
[consul-consistency]: https://www.consul.io/api/index.html#consistency-modes "Consul Consistency Modes"
[consul-encryption]: https://www.consul.io/docs/agent/encryption.html "Consul Encryption"
[consul-translate-wan-addrs]: https://www.consul.io/docs/agent/options.html#translate_wan_addrs "Consul Configuration"
[consul-token]: https://www.consul.io/docs/commands/acl/set-agent-token.html#token-lt-value-gt- "Consul Token"
[consul-session-ttl]: https://www.consul.io/docs/agent/options.html#session_ttl_min "Consul Configuration"
[api-addr]: /docs/configuration/index.html#api_addr
[cluster-addr]: /docs/configuration/index.html#cluster_addr
[listener-example]: /docs/configuration/listener/tcp.html#listening-on-multiple-interfaces