open-vault/website/source/docs/secrets/consul/index.html.md

---
layout: "docs"
page_title: "Consul - Secrets Engines"
sidebar_current: "docs-secrets-consul"
description: |-
  The Consul secrets engine for Vault generates tokens for Consul dynamically.
---

# Consul Secrets Engine

The Consul secrets engine generates [Consul](https://www.consul.io) API tokens
dynamically based on Consul ACL policies.

## Setup

Most secrets engines must be configured in advance before they can perform their
functions. These steps are usually completed by an operator or configuration
management tool.

1. Enable the Consul secrets engine:

    ```text
    $ vault secrets enable consul
    Success! Enabled the consul secrets engine at: consul/
    ```

    By default, the secrets engine will mount at the name of the engine. To
    enable the secrets engine at a different path, use the `-path` argument.

1. Acquire a [management token][consul-mgmt-token] from Consul, using the
`acl_master_token` from your Consul configuration file or another management
token:

    ```sh
    $ curl \
        --header "X-Consul-Token: my-management-token" \
        --request PUT \
        --data '{"Name": "sample", "Type": "management"}' \
        https://consul.rocks/v1/acl/create
    ```

    Vault must have a management type token so that it can create and revoke ACL
    tokens. The response will return a new token:

    ```json
    {
      "ID": "7652ba4c-0f6e-8e75-5724-5e083d72cfe4"
    }
    ```

1. Configure Vault to connect and authenticate to Consul:

    ```text
    $ vault write consul/config/access \
        address=127.0.0.1:8500 \
        token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4
    Success! Data written to: consul/config/access
    ```

1. Configure a role that maps a name in Vault to a Consul ACL policy.
When users generate credentials, they are generated against this role:

    ```text
    $ vault write consul/roles/my-role policy=$(base64 <<< 'key "" { policy = "read" }')
    Success! Data written to: consul/roles/my-role
    ```

    The policy must be base64-encoded. The policy language is [documented by
    Consul](https://www.consul.io/docs/internals/acl.html).

## Usage

After the secrets engine is configured and a user/machine has a Vault token with
the proper permission, it can generate credentials.

Generate a new credential by reading from the `/creds` endpoint with the name
of the role:

```text
$ vault read consul/creds/my-role
Key                Value
---                -----
lease_id           consul/creds/my-role/b2469121-f55f-53c5-89af-a3ba52b1d6d8
lease_duration     768h
lease_renewable    true
token              642783bf-1540-526f-d4de-fe1ac1aed6f0
```

## API

The Consul secrets engine has a full HTTP API. Please see the
[Consul secrets engine API](/api/secret/consul/index.html) for more
details.

[consul-mgmt-token]: https://www.consul.io/docs/agent/http/acl.html#acl_create
website: consul secret backend 2015-04-11 03:26:01 +00:00			`---`
			`layout: "docs"`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`page_title: "Consul - Secrets Engines"`
website: consul secret backend 2015-04-11 03:26:01 +00:00			`sidebar_current: "docs-secrets-consul"`
			`description: \|-`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Consul secrets engine for Vault generates tokens for Consul dynamically.`
website: consul secret backend 2015-04-11 03:26:01 +00:00			`---`

Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`# Consul Secrets Engine`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Consul secrets engine generates [Consul](https://www.consul.io) API tokens`
			`dynamically based on Consul ACL policies.`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`## Setup`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`Most secrets engines must be configured in advance before they can perform their`
			`functions. These steps are usually completed by an operator or configuration`
			`management tool.`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`1. Enable the Consul secrets engine:`
website: consul secret backend 2015-04-11 03:26:01 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```text
			`$ vault secrets enable consul`
			`Success! Enabled the consul secrets engine at: consul/`
			```
website: consul quickstart 2015-04-27 03:17:55 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`By default, the secrets engine will mount at the name of the engine. To`
			enable the secrets engine at a different path, use the `-path` argument.
website: consul quickstart 2015-04-27 03:17:55 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`1. Acquire a [management token][consul-mgmt-token] from Consul, using the`
			`acl_master_token` from your Consul configuration file or another management
Some copyediting/simplifying of the Consul page 2015-12-18 15:07:40 +00:00			`token:`
Update secret backend Consul documentation Adds information on the steps to get a management token for use by Vault when communicating with Consul as a secret backend. 2015-12-18 14:44:31 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			```sh
			`$ curl \`
			`--header "X-Consul-Token: my-management-token" \`
			`--request PUT \`
			`--data '{"Name": "sample", "Type": "management"}' \`
			`https://consul.rocks/v1/acl/create`
			```

			`Vault must have a management type token so that it can create and revoke ACL`
			`tokens. The response will return a new token:`

			```json
			`{`
			`"ID": "7652ba4c-0f6e-8e75-5724-5e083d72cfe4"`
			`}`
			```

			`1. Configure Vault to connect and authenticate to Consul:`

			```text
			`$ vault write consul/config/access \`
			`address=127.0.0.1:8500 \`
			`token=7652ba4c-0f6e-8e75-5724-5e083d72cfe4`
			`Success! Data written to: consul/config/access`
			```

			`1. Configure a role that maps a name in Vault to a Consul ACL policy.`
			`When users generate credentials, they are generated against this role:`

			```text
			`$ vault write consul/roles/my-role policy=$(base64 <<< 'key "" { policy = "read" }')`
			`Success! Data written to: consul/roles/my-role`
			```

			`The policy must be base64-encoded. The policy language is [documented by`
			`Consul](https://www.consul.io/docs/internals/acl.html).`

			`## Usage`

			`After the secrets engine is configured and a user/machine has a Vault token with`
			`the proper permission, it can generate credentials.`

Update Consuls Secrets quick start (#4224) - Fix typo in role name - Drop ordered list formatting on get credential example 2018-03-30 14:46:05 +00:00			Generate a new credential by reading from the `/creds` endpoint with the name
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`of the role:`

Update Consuls Secrets quick start (#4224) - Fix typo in role name - Drop ordered list formatting on get credential example 2018-03-30 14:46:05 +00:00			```text
			`$ vault read consul/creds/my-role`
			`Key Value`
			`--- -----`
			`lease_id consul/creds/my-role/b2469121-f55f-53c5-89af-a3ba52b1d6d8`
			`lease_duration 768h`
			`lease_renewable true`
			`token 642783bf-1540-526f-d4de-fe1ac1aed6f0`
Fix indentation of code block in Consul Secrets Engine docs (#4350) The indentation of the code block in the Consul Secrets Engine doc was removed in #4224, but the closing backticks remained indented one level, resulting in the block swallowing all text after it. Removing the indentation from the closing backticks fixes this. 2018-04-13 13:55:35 +00:00			```
website: consul quickstart 2015-04-27 03:17:55 +00:00
website: document Consul APIs 2015-04-27 18:08:47 +00:00			`## API`
website: start consul api 2015-04-27 05:02:32 +00:00
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00			`The Consul secrets engine has a full HTTP API. Please see the`
			`[Consul secrets engine API](/api/secret/consul/index.html) for more`
Break out API documentation for secret backends 2017-03-09 02:47:35 +00:00			`details.`
Resolve the most painful merge conflict known on earth 2017-09-20 20:05:00 +00:00
			`[consul-mgmt-token]: https://www.consul.io/docs/agent/http/acl.html#acl_create`