How/when/for how long is the consul connect token used?

Setting up a consul cluster, trying to understand the requirements of the connect token on the servers (connect > ca_config > token in config). Is this going to be used for initial bootstrap and can therefore be short-lived, or does one have to setup rotation/renewal as well?

Hi @MWinther, we recommend using a token that has the renewable option set in Vault so that Consul can renew the lease before the token expires.

  • token The Vault token to use. In Consul 1.8.5 and later, if the token has the renewableflag set, Consul will attempt to renew its lease periodically after half the duration has expired.