open-vault/website/source/docs/secrets/consul/index.html.md

---
layout: "docs"
page_title: "Consul - Secrets Engines"
sidebar_title: "Consul"
sidebar_current: "docs-secrets-consul"
description: |-
  The Consul secrets engine for Vault generates tokens for Consul dynamically.
---

# Consul Secrets Engine

The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
dynamically based on Consul ACL policies.

## Setup

Most secrets engines must be configured in advance before they can perform their
functions. These steps are usually completed by an operator or configuration
management tool.

1. Enable the Consul secrets engine:

    ```text
    $ vault secrets enable consul
    Success! Enabled the consul secrets engine at: consul/
    ```

    By default, the secrets engine will mount at the name of the engine. To
    enable the secrets engine at a different path, use the `-path` argument.

2. In Consul versions below 1.4, acquire a [management token][consul-mgmt-token] from Consul, using the
`acl_master_token` from your Consul configuration file or another management
token:

    ```sh
    $ curl \
        --header "X-Consul-Token: my-management-token" \
        --request PUT \
        --data '{"Name": "sample", "Type": "management"}' \
        https://consul.rocks/v1/acl/create
    ```

    Vault must have a management type token so that it can create and revoke ACL
    tokens. The response will return a new token:

    ```json
    {
      "ID": "7652ba4c-0f6e-8e75-5724-5e083d72cfe4"
    }
    ```
For Consul 1.4 and above, use the command line to generate a token with the appropriate policy:

   ```sh
   $ CONSUL_HTTP_TOKEN=d54fe46a-1f57-a589-3583-6b78e334b03b consul acl token create -policy-name=global-management
   AccessorID:   865dc5e9-e585-3180-7b49-4ddc0fc45135
   SecretID:     ef35f0f1-885b-0cab-573c-7c91b65a7a7e
   Description:
   Local:        false
   Create Time:  2018-10-22 17:40:24.128188 -0700 PDT
   Policies:
       00000000-0000-0000-0000-000000000001 - global-management
   ```

3. Configure Vault to connect and authenticate to Consul:

    ```text
    $ vault write consul/config/access \
        address=127.0.0.1:8500 \
        token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4
    Success! Data written to: consul/config/access
    ```

4. Configure a role that maps a name in Vault to a Consul ACL policy. Depending on your Consul version, 
you will either provide a policy document and a token_type, or a set of policies.
When users generate credentials, they are generated against this role. For Consul versions below 1.4:

    ```text
    $ vault write consul/roles/my-role policy=$(base64 <<< 'key "" { policy = "read" }')
    Success! Data written to: consul/roles/my-role
    ```
The policy must be base64-encoded. The policy language is [documented by Consul](https://www.consul.io/docs/internals/acl.html).

For Consul versions 1.4 and above, [generate a policy in Consul](https://www.consul.io/docs/guides/acl.html), and proceed to link it to the role:

    ```text
    $ vault write consul/roles/my-role policies=readonly
    Success! Data written to: consul/roles/my-role
    ```

## Usage

After the secrets engine is configured and a user/machine has a Vault token with
the proper permission, it can generate credentials.

Generate a new credential by reading from the `/creds` endpoint with the name
of the role:

```text
$ vault read consul/creds/my-role
Key                Value
---                -----
lease_id           consul/creds/my-role/b2469121-f55f-53c5-89af-a3ba52b1d6d8
lease_duration     768h
lease_renewable    true
token              642783bf-1540-526f-d4de-fe1ac1aed6f0
```

When using Consul 1.4, the response will include the accessor for the token

```text
$ vault read consul/creds/my-role
Key                Value
---                -----
lease_id           consul/creds/my-role/7miMPnYaBCaVWDS9clNE0Nv3
lease_duration     768h
lease_renewable    true
accessor           6d5a0348-dffe-e87b-4266-2bec03800abb
token              bc7a42c0-9c59-23b4-8a09-7173c474dc42
```
## API

The Consul secrets engine has a full HTTP API. Please see the
[Consul secrets engine API](/api/secret/consul/index.html) for more
details.

[consul-mgmt-token]: https://www.consul.io/docs/agent/http/acl.html#acl_create
website: consul secret backend 2015-04-11 03:26:01 +00:00			`---`
			`layout: "docs"`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`page_title: "Consul - Secrets Engines"`
New Docs Website (#5535) * conversion stage 1 * correct image paths * add sidebar title to frontmatter * docs/concepts and docs/internals * configuration docs and multi-level nav corrections * commands docs, index file corrections, small item nav correction * secrets converted * auth * add enterprise and agent docs * add extra dividers * secret section, wip * correct sidebar nav title in front matter for apu section, start working on api items * auth and backend, a couple directory structure fixes * remove old docs * intro side nav converted * reset sidebar styles, add hashi-global-styles * basic styling for nav sidebar * folder collapse functionality * patch up border length on last list item * wip restructure for content component * taking middleman hacking to the extreme, but its working * small css fix * add new mega nav * fix a small mistake from the rebase * fix a content resolution issue with middleman * title a couple missing docs pages * update deps, remove temporary markup * community page * footer to layout, community page css adjustments * wip downloads page * deps updated, downloads page ready * fix community page * homepage progress * add components, adjust spacing * docs and api landing pages * a bunch of fixes, add docs and api landing pages * update deps, add deploy scripts * add readme note * update deploy command * overview page, index title * Update doc fields Note this still requires the link fields to be populated -- this is solely related to copy on the description fields * Update api_basic_categories.yml Updated API category descriptions. Like the document descriptions you'll still need to update the link headers to the proper target pages. * Add bottom hero, adjust CSS, responsive friendly * Add mega nav title * homepage adjustments, asset boosts * small fixes * docs page styling fixes * meganav title * some category link corrections * Update API categories page updated to reflect the second level headings for api categories * Update docs_detailed_categories.yml Updated to represent the existing docs structure * Update docs_detailed_categories.yml * docs page data fix, extra operator page remove * api data fix * fix makefile * update deps, add product subnav to docs and api landing pages * Rearrange non-hands-on guides to _docs_ Since there is no place for these on learn.hashicorp, we'll put them under _docs_. * WIP Redirects for guides to docs * content and component updates * font weight hotfix, redirects * fix guides and intro sidenavs * fix some redirects * small style tweaks * Redirects to learn and internally to docs * Remove redirect to `/vault` * Remove `.html` from destination on redirects * fix incorrect index redirect * final touchups * address feedback from michell for makefile and product downloads 2018-10-19 15:40:11 +00:00			`sidebar_title: "Consul"`
website: consul secret backend 2015-04-11 03:26:01 +00:00			`sidebar_current: "docs-secrets-consul"`
			`description: \|-`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Consul secrets engine for Vault generates tokens for Consul dynamically.`
website: consul secret backend 2015-04-11 03:26:01 +00:00			`---`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`# Consul Secrets Engine`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Consul secrets engine generates [Consul](https://www.consul.io) API tokens`
			`dynamically based on Consul ACL policies.`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`## Setup`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`Most secrets engines must be configured in advance before they can perform their`
			`functions. These steps are usually completed by an operator or configuration`
			`management tool.`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`1. Enable the Consul secrets engine:`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```text
			`$ vault secrets enable consul`
			`Success! Enabled the consul secrets engine at: consul/`
			```
website: consul quickstart 2015-04-27 03:17:55 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`By default, the secrets engine will mount at the name of the engine. To`
			enable the secrets engine at a different path, use the `-path` argument.
website: consul quickstart 2015-04-27 03:17:55 +00:00
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`2. In Consul versions below 1.4, acquire a [management token][consul-mgmt-token] from Consul, using the`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`acl_master_token` from your Consul configuration file or another management
Some copyediting/simplifying of the Consul page 2015-12-18 15:07:40 +00:00			`token:`
Update secret backend Consul documentation Adds information on the steps to get a management token for use by Vault when communicating with Consul as a secret backend. 2015-12-18 14:44:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```sh
			`$ curl \`
			`--header "X-Consul-Token: my-management-token" \`
			`--request PUT \`
			`--data '{"Name": "sample", "Type": "management"}' \`
			`https://consul.rocks/v1/acl/create`
			```

			`Vault must have a management type token so that it can create and revoke ACL`
			`tokens. The response will return a new token:`

			```json
			`{`
			`"ID": "7652ba4c-0f6e-8e75-5724-5e083d72cfe4"`
			`}`
			```
docs: fixed typo (#6721) Fixed typo: appropiate/appropriate 2019-05-13 11:50:29 +00:00			`For Consul 1.4 and above, use the command line to generate a token with the appropriate policy:`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			```sh
			`$ CONSUL_HTTP_TOKEN=d54fe46a-1f57-a589-3583-6b78e334b03b consul acl token create -policy-name=global-management`
			`AccessorID: 865dc5e9-e585-3180-7b49-4ddc0fc45135`
			`SecretID: ef35f0f1-885b-0cab-573c-7c91b65a7a7e`
			`Description:`
			`Local: false`
			`Create Time: 2018-10-22 17:40:24.128188 -0700 PDT`
			`Policies:`
			`00000000-0000-0000-0000-000000000001 - global-management`
			```

			`3. Configure Vault to connect and authenticate to Consul:`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00
			```text
			`$ vault write consul/config/access \`
			`address=127.0.0.1:8500 \`
			`token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4`
			`Success! Data written to: consul/config/access`
			```

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`4. Configure a role that maps a name in Vault to a Consul ACL policy. Depending on your Consul version,`
			`you will either provide a policy document and a token_type, or a set of policies.`
			`When users generate credentials, they are generated against this role. For Consul versions below 1.4:`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00
			```text
			`$ vault write consul/roles/my-role policy=$(base64 <<< 'key "" { policy = "read" }')`
			`Success! Data written to: consul/roles/my-role`
			```
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`The policy must be base64-encoded. The policy language is [documented by Consul](https://www.consul.io/docs/internals/acl.html).`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00
Update index.html.md (#7660) 2019-10-15 15:48:17 +00:00			`For Consul versions 1.4 and above, [generate a policy in Consul](https://www.consul.io/docs/guides/acl.html), and proceed to link it to the role:`

Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			```text
			`$ vault write consul/roles/my-role policies=readonly`
			`Success! Data written to: consul/roles/my-role`
			```
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00
			`## Usage`

			`After the secrets engine is configured and a user/machine has a Vault token with`
			`the proper permission, it can generate credentials.`

Update Consuls Secrets quick start (#4224) - Fix typo in role name - Drop ordered list formatting on get credential example 2018-03-30 14:46:05 +00:00			Generate a new credential by reading from the `/creds` endpoint with the name
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`of the role:`

Update Consuls Secrets quick start (#4224) - Fix typo in role name - Drop ordered list formatting on get credential example 2018-03-30 14:46:05 +00:00			```text
			`$ vault read consul/creds/my-role`
			`Key Value`
			`--- -----`
			`lease_id consul/creds/my-role/b2469121-f55f-53c5-89af-a3ba52b1d6d8`
			`lease_duration 768h`
			`lease_renewable true`
			`token 642783bf-1540-526f-d4de-fe1ac1aed6f0`
Fix indentation of code block in Consul Secrets Engine docs (#4350) The indentation of the code block in the Consul Secrets Engine doc was removed in #4224, but the closing backticks remained indented one level, resulting in the block swallowing all text after it. Removing the indentation from the closing backticks fixes this. 2018-04-13 13:55:35 +00:00			```
website: consul quickstart 2015-04-27 03:17:55 +00:00
Adding support for Consul 1.4 ACL system (#5586) * Adding support for Consul 1.4 ACL system * Working tests * Fixed logic gate * Fixed logical gate that evaluate empty policy or empty list of policy names * Ensure tests are run against appropiate Consul versions * Running tests against official container with a 1.4.0-rc1 tag * policies can never be nil (as even if it is empty will be an empty array) * addressing feedback, refactoring tests * removing cast * converting old lease field to ttl, adding max ttl * cleanup * adding missing test * testing wrong version * adding support for local tokens * addressing feedback 2018-11-02 14:44:12 +00:00			`When using Consul 1.4, the response will include the accessor for the token`

			```text
			`$ vault read consul/creds/my-role`
			`Key Value`
			`--- -----`
			`lease_id consul/creds/my-role/7miMPnYaBCaVWDS9clNE0Nv3`
			`lease_duration 768h`
			`lease_renewable true`
			`accessor 6d5a0348-dffe-e87b-4266-2bec03800abb`
			`token bc7a42c0-9c59-23b4-8a09-7173c474dc42`
			```
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`## API`
website: start consul api 2015-04-27 05:02:32 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Consul secrets engine has a full HTTP API. Please see the`
			`[Consul secrets engine API](/api/secret/consul/index.html) for more`
Break out API documentation for secret backends 2017-03-09 02:47:35 +00:00			`details.`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00
			`[consul-mgmt-token]: https://www.consul.io/docs/agent/http/acl.html#acl_create`