Vault with Consul - ACL token

Hi all,

Just a quick question on good practices/approaches really. I’m currently configuring an automated deployment of vault with a consul storage backend on EKS.

I’m using the helm charts to configure these but the whole thing is wrapped in ansible (to handle some secret creation and other bits and pieces). I’ve managed to get everything set up and working with all the ACLs, TLS etc… so I’m quite happy so far.

Unless I’m mistaken, there’s a point in the process where I need to configure a policy and token in consul to allow vault access to the key/value store. I’d like this process to be automated too if possible.

I’ve written a bash script to accomplish this (basically a series of kubectl exec XXXX statements executed during the ansible run) where the secret token is captured and set as an env var in the vault pods. I was wondering if there was a better approach here?


There are different camps here. It also depends if you’re using your consul infrastructure with service-discovery/dns. If not, then there is no point in exposing your consul to anything but Vault. In that case, for the sake of simplicity you can forgo the consul ACLs and just let Vault use Consul as private storage and that’ll be the end of it. This IS NOT the most secure option but it’s the simplest and fastest way of getting up and running using Consul.

Or – you can drop consul completely and just use integrated storage (recommended to be a recent version of Vault [1.9+, 1.8 is usable but not recommended]) – which for EKS is probably the best option – for both setup and simplicity. Again not the best case, you are leaving some performance on the floor but the gain I think makes it worthwhile.
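If the ACL route from the original question is kept, this added example (not from either poster) shows the automated step as a script: a least-privilege Consul policy scoped to Vault's `vault/` key prefix, a token bound to it, and the token handed to the Vault pods as a Kubernetes Secret (consumed as `CONSUL_HTTP_TOKEN`) rather than a captured shell variable. It assumes `consul` and `kubectl` are on PATH and already authenticated (a Consul management token in the environment, kubeconfig for the EKS cluster); the policy name, namespace and secret name are placeholders, and the rules are modelled on the Vault Consul storage backend docs and should be checked against the versions you run.

```shell
#!/usr/bin/env bash
# Added example: Consul ACL policy + token for Vault's Consul storage backend,
# delivered to Vault pods as a Kubernetes Secret. Names below are placeholders.
set -euo pipefail

POLICY_NAME="${POLICY_NAME:-vault-storage}"
K8S_NAMESPACE="${K8S_NAMESPACE:-vault}"
K8S_SECRET="${K8S_SECRET:-vault-consul-token}"

# Least-privilege rules for Vault's default "vault/" key prefix (modelled on the
# Vault Consul storage backend docs; verify against your Vault/Consul versions).
render_vault_policy() {
  cat <<'EOF'
key_prefix "vault/" {
  policy = "write"
}
node_prefix "" {
  policy = "write"
}
service "vault" {
  policy = "write"
}
agent_prefix "" {
  policy = "write"
}
session_prefix "" {
  policy = "write"
}
EOF
}

# Pull SecretID out of `consul acl token create -format=json` output without a
# jq dependency (that output puts each field on its own line).
extract_secret_id() {
  sed -n 's/.*"SecretID": *"\([^"]*\)".*/\1/p' | head -n 1
}

main() {
  render_vault_policy | consul acl policy create -name "$POLICY_NAME" -rules=- >/dev/null
  local secret_id
  secret_id="$(consul acl token create -description "Vault storage backend" \
      -policy-name "$POLICY_NAME" -format=json | extract_secret_id)"
  # Store the token as a Secret; expose it to Vault via a secretKeyRef that sets
  # CONSUL_HTTP_TOKEN (the storage stanza's "token" setting also reads that var).
  kubectl -n "$K8S_NAMESPACE" create secret generic "$K8S_SECRET" \
      --from-literal=token="$secret_id" --dry-run=client -o yaml | kubectl apply -f -
}

if [ "${1:-}" = "run" ]; then main; fi
```

Invoke as `./vault-consul-acl.sh run`; on re-runs `consul acl policy create` fails if the name already exists, so an idempotent Ansible task should read the policy first or switch to `consul acl policy update`.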