There are different camps here. It also depends if you’re using your consul infrastructure with service-discovery/dns. If not, then there is no point in exposing your consul to anything but Vault. In that case, for sake of simplicity you can forgo the consul ACLs and just let Vault use Consul as private storage and that’ll be the end of it. This IS NOT the best secure but it’s the simplest and fastest way of getting up and running using Consul.
Or – you can drop consul complete and just use integrated storage (recommended to be a recent version of Vault [1.9+, 1.8 is usable but not recommended]) – which for EKS is probably the best option – for both setup and simplicity. Again not the best case, you are leaving some performance on the floor but the gain I think makes it worth while.