Connect "get-config" returns Vault token

I’m running 1.8.0 and have just configured it to use Connect with Vault as the CA.
The documentation suggests that if I look up the config, the Vault token won’t be returned; however, it is.

$ consul connect ca get-config 
{
        "Provider": "vault",
        "Config": {
                "Address": "https://active.vault.service.dc1.consul:8200",
                "IntermediateCertTTL": "8760h0m0s",
                "IntermediatePKIPath": "consul-ca",
                "RootPKIPath": "root-ca",
                "Token": "s.AAAAABBBBBBCCCCCCCDDD"
        },
        "State": null,
        "CreateIndex": 40061468,
        "ModifyIndex": 40063418
}

The API returns the same:

$ curl -Ss -H "X-Consul-Token: ${CONSUL_HTTP_TOKEN}" -X GET http://127.0.0.1:8500/v1/connect/ca/configuration|jq -r
{
  "Provider": "vault",
  "Config": {
    "Address": "https://active.vault.service.dc1.consul:8200",
    "IntermediateCertTTL": "8760h0m0s",
    "IntermediatePKIPath": "consul-ca",
    "RootPKIPath": "root-ca",
    "Token": "s.AAAAABBBBBBCCCCCCCDDD"
  },
  "State": null,
  "ForceWithoutCrossSigning": false,
  "CreateIndex": 40061468,
  "ModifyIndex": 40063418
}

https://www.consul.io/docs/connect/ca/vault#token states “will not be exposed when reading the CA configuration”

Can confirm that with Consul 1.12.0 this is still true.

I’d completely forgotten about this!
I’ll raise an issue on GitHub in a bit to see whether it gets more traction from that.

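An added example, not part of the thread and not Consul's own code: a small check that parses a `/v1/connect/ca/configuration` response, reports whether the `Token` field came back populated, and produces a redacted copy that is safe to log or paste into an issue. The sample response is constructed from the output quoted above (abbreviated, with the thread's placeholder token); the function names and the `<redacted>` marker are assumptions of this example.

```python
import copy
import json

# Constructed, abbreviated sample shaped like the response quoted in the thread.
SAMPLE_RESPONSE = """
{
  "Provider": "vault",
  "Config": {
    "Address": "https://active.vault.service.dc1.consul:8200",
    "IntermediateCertTTL": "8760h0m0s",
    "IntermediatePKIPath": "consul-ca",
    "RootPKIPath": "root-ca",
    "Token": "s.AAAAABBBBBBCCCCCCCDDD"
  }
}
"""

# "Token" is the field shown in the thread; extend the set for other fields you treat as secret.
SENSITIVE_KEYS = frozenset({"Token"})
REDACTED = "<redacted>"  # marker chosen for this example


def exposed_secrets(ca_config, sensitive_keys=SENSITIVE_KEYS):
    """Return sorted names of sensitive Config fields that carry a non-empty value."""
    config = ca_config.get("Config") or {}
    return sorted(k for k in sensitive_keys if config.get(k))


def redact(ca_config, sensitive_keys=SENSITIVE_KEYS):
    """Return a deep copy with sensitive values masked; the input is left untouched."""
    safe = copy.deepcopy(ca_config)
    config = safe.get("Config") or {}
    for key in sensitive_keys:
        if config.get(key):
            config[key] = REDACTED
    return safe


def audit(raw_json):
    """Parse a CA configuration response; return (exposed field names, redacted JSON text)."""
    parsed = json.loads(raw_json)
    return exposed_secrets(parsed), json.dumps(redact(parsed), indent=2)


if __name__ == "__main__":
    exposed, safe_text = audit(SAMPLE_RESPONSE)
    print("exposed fields:", exposed or "none")
    print(safe_text)
```

A non-empty result from `exposed_secrets` means any ACL token allowed to read the CA configuration can also read the Vault token, so that token should be scoped and rotated accordingly.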