I’m running 1.8.0 and have just configured it to use Connect with Vault as the CA.
The documentation suggests that if I look up the config, the Vault token won’t be returned; however, it is.
$ consul connect ca get-config
{
  "Provider": "vault",
  "Config": {
    "Address": "https://active.vault.service.dc1.consul:8200",
    "IntermediateCertTTL": "8760h0m0s",
    "IntermediatePKIPath": "consul-ca",
    "RootPKIPath": "root-ca",
    "Token": "s.AAAAABBBBBBCCCCCCCDDD"
  },
  "State": null,
  "CreateIndex": 40061468,
  "ModifyIndex": 40063418
}
The API returns the same:
$ curl -Ss -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" -X GET http://127.0.0.1:8500/v1/connect/ca/configuration|jq -r
{
  "Provider": "vault",
  "Config": {
    "Address": "https://active.vault.service.dc1.consul:8200",
    "IntermediateCertTTL": "8760h0m0s",
    "IntermediatePKIPath": "consul-ca",
    "RootPKIPath": "root-ca",
    "Token": "s.AAAAABBBBBBCCCCCCCDDD"
  },
  "State": null,
  "ForceWithoutCrossSigning": false,
  "CreateIndex": 40061468,
  "ModifyIndex": 40063418
}
https://www.consul.io/docs/connect/ca/vault#token states “will not be exposed when reading the CA configuration”.
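
An added example, not part of the original post and not Consul's own code: a small audit that takes a CA configuration response like the ones above, reports which secret-bearing `Config` fields are readable, and returns a masked copy that is safe to paste into a ticket or forum thread. The function name `audit_ca_config`, the `SENSITIVE_KEYS` list and the `<redacted>` mask are assumptions made for this example; the sample input is constructed from the output in the post.

```python
import copy
import json

# Config keys treated as secret. "Token" is the field shown in the post;
# extend the tuple for other providers (assumption: the caller knows them).
SENSITIVE_KEYS = ("Token",)
MASK = "<redacted>"  # assumed mask text, chosen for this example


def audit_ca_config(raw, sensitive_keys=SENSITIVE_KEYS):
    """Return (findings, sanitized) for one CA configuration response.

    findings  -- list of Config keys whose secret value is readable
    sanitized -- deep copy of the response with those values masked
    """
    doc = json.loads(raw)
    sanitized = copy.deepcopy(doc)
    config = sanitized.get("Config") or {}  # Config may be null
    wanted = {k.lower() for k in sensitive_keys}
    findings = []
    for key, value in config.items():
        # Match case-insensitively; only a non-empty string is an exposure.
        if key.lower() in wanted and isinstance(value, str) and value.strip():
            findings.append(key)
            config[key] = MASK
    return findings, sanitized


# Constructed sample shaped like the response in the post (placeholder token).
SAMPLE = """
{
  "Provider": "vault",
  "Config": {
    "Address": "https://active.vault.service.dc1.consul:8200",
    "IntermediatePKIPath": "consul-ca",
    "RootPKIPath": "root-ca",
    "Token": "s.AAAAABBBBBBCCCCCCCDDD"
  },
  "State": null
}
"""

if __name__ == "__main__":
    found, clean = audit_ca_config(SAMPLE)
    print("readable secret fields:", found or "none")
    print(json.dumps(clean, indent=2))
```

A non-empty `findings` list means any ACL token allowed to read the CA configuration can also read the Vault token stored in it.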