I’m experimenting with having Vault generate Consul ACL tokens. For example, if I have a policy in Consul called “consul-p1”, I can use the following commands to configure the Consul secrets engine:
vault secrets enable consul
vault write consul/config/access address=127.0.0.1:8500 token=<consul mgmt token>
vault write consul/roles/service-acls policies=consul-p1
A read on the service-acls role returns a Consul token as expected. However, I’m currently creating most of my Consul auth tokens using service identities instead of explicit policies. Is there any way to configure Vault to issue tokens against a service identity instead of a policy?
I can’t find anything in the Consul secrets engine docs, and when I look through the output of various consul acl list commands, I don’t see an explicit policy associated with the service identity either.