---
layout: docs
page_title: Storing the ACL Bootstrap Token in Vault
description: >-
  Configuring the Consul Helm chart to use an ACL bootstrap token stored in Vault.
---
# Storing the ACL Bootstrap Token in Vault
This topic describes how to configure the Consul Helm chart to use an ACL bootstrap token stored in Vault.
## Overview
To use an ACL bootstrap token stored in Vault, follow the steps outlined in the [Data Integration](/consul/docs/k8s/deployment-configurations/vault/data-integration) section.
Complete the following steps once:
1. Store the secret in Vault.
1. Create a Vault policy that authorizes the desired level of access to the secret.
Repeat the following steps for each datacenter in the cluster:
1. Create Vault Kubernetes auth roles that link the policy to each Consul on Kubernetes service account that requires access.
1. Update the Consul on Kubernetes helm chart.
## Prerequisites
Prior to setting up the data integration between Vault and Consul on Kubernetes, you will need to have:
1. Read and completed the steps in the [Systems Integration](/consul/docs/k8s/deployment-configurations/vault/systems-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault).
2. Read the [Data Integration Overview](/consul/docs/k8s/deployment-configurations/vault/data-integration) section of [Vault as a Secrets Backend](/consul/docs/k8s/deployment-configurations/vault).
## Store the Secret in Vault
First, generate and store the ACL bootstrap token in Vault. You will only need to perform this action once:
```shell-session
$ vault kv put consul-kv/secret/bootstrap-token token="$(uuidgen | tr '[:upper:]' '[:lower:]')"
```
## Create Vault policy
Next, you will need to create a Vault policy that allows read access to this secret.
The path to the secret referenced in the `path` resource is the same value that you will configure in the `global.acls.bootstrapToken.secretName` Helm configuration (refer to [Update Consul on Kubernetes Helm chart](#update-consul-on-kubernetes-helm-chart)).
<CodeBlockConfig filename="bootstrap-token-policy.hcl">
```HCL
path "consul-kv/data/secret/bootstrap-token" {
  capabilities = ["read"]
}
```
</CodeBlockConfig>
Apply the Vault policy by issuing the `vault policy write` CLI command:
```shell-session
$ vault policy write bootstrap-token-policy bootstrap-token-policy.hcl
```
## Create Vault Authorization Roles for Consul
Next, you will create Kubernetes auth roles for the Consul `server-acl-init` container that runs as part of the Consul server statefulset:
```shell-session
$ vault write auth/kubernetes/role/consul-server-acl-init \
    bound_service_account_names=<Consul server service account> \
    bound_service_account_namespaces=<Consul installation namespace> \
    policies=bootstrap-token-policy \
    ttl=1h
```
To find the service account name of the Consul `server-acl-init` job (that is, the Consul server service account name), run the following `helm template` command with your Consul on Kubernetes values file:
```shell-session
$ helm template --release-name ${RELEASE_NAME} -s templates/server-acl-init-serviceaccount.yaml hashicorp/consul -f values.yaml
```
## Update Consul on Kubernetes Helm chart
Now that you have configured Vault, you can configure the Consul Helm chart to use the ACL bootstrap token in Vault:
<CodeBlockConfig filename="values.yaml">
```yaml
global:
  secretsBackend:
    vault:
      enabled: true
      manageSystemACLsRole: consul-server-acl-init
  acls:
    bootstrapToken:
      secretName: consul-kv/data/secret/bootstrap-token
      secretKey: token
```
</CodeBlockConfig>
Note that `global.acls.bootstrapToken.secretName` is the path of the secret in Vault. This must be the same path as the one you included in your Vault policy (the KV v2 `data/` path, not the path you passed to `vault kv put`).
`global.acls.bootstrapToken.secretKey` is the key inside the secret data. This must be the same as the key you passed when creating the ACL bootstrap token secret in Vault (`token` in the example above).
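As an added pre-flight check (example code, not part of this page or the Consul project), the following script verifies that the Vault policy path, the Helm `secretName` and the Helm `secretKey` agree before you run the upgrade. The `awk` parsers, function names and the sample files it writes are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the Consul docs: check that the policy, values.yaml and the
# `vault kv put` key line up. KV v2 is written as consul-kv/secret/... but read as
# consul-kv/data/secret/..., which is the mismatch this catches.
set -u
# Print the quoted path of the first "path" stanza in a Vault policy that grants "read".
policy_read_path() {  # $1 = policy .hcl
  awk '/^[[:space:]]*path[[:space:]]+"/ { match($0, /"[^"]+"/); p = substr($0, RSTART + 1, RLENGTH - 2) }
       /capabilities.*"read"/ && p != "" { print p; exit }' "$1"
}
# Print global.acls.bootstrapToken.<key> from values.yaml (indentation-aware, no yq needed).
helm_bootstrap_value() {  # $1 = values.yaml, $2 = secretName | secretKey
  awk -v key="$2" '
    /^[[:space:]]*acls:/                      { in_acls = 1; next }
    in_acls && /^[[:space:]]*bootstrapToken:/ { in_bt = 1; next }
    in_bt && $1 == (key ":")                  { print $2; exit }' "$1"
}
# Return 0 when the policy path equals the Helm secretName, that path is a KV v2 data
# path, and the Helm secretKey equals the key used with `vault kv put` ($3).
check_bootstrap_token_config() {  # $1 = policy .hcl, $2 = values.yaml, $3 = stored key name
  local policy_path helm_path helm_key
  policy_path=$(policy_read_path "$1")
  helm_path=$(helm_bootstrap_value "$2" secretName)
  helm_key=$(helm_bootstrap_value "$2" secretKey)
  [ -n "$policy_path" ] || { echo "policy grants no read capability" >&2; return 1; }
  case "$helm_path" in */data/*) ;; *) echo "secretName is not a KV v2 data path: $helm_path" >&2; return 1 ;; esac
  [ "$policy_path" = "$helm_path" ] || { echo "path mismatch: policy=$policy_path helm=$helm_path" >&2; return 1; }
  [ "$helm_key" = "$3" ] || { echo "key mismatch: helm=$helm_key stored=$3" >&2; return 1; }
  echo "ok: $helm_path key=$helm_key"
}
# Constructed sample files mirroring this page's policy and values.yaml.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/bootstrap-token-policy.hcl" <<'EOF'
path "consul-kv/data/secret/bootstrap-token" {
  capabilities = ["read"]
}
EOF
cat > "$SAMPLE_DIR/values.yaml" <<'EOF'
global:
  acls:
    bootstrapToken:
      secretName: consul-kv/data/secret/bootstrap-token
      secretKey: token
EOF
# Constructed mistake: the `vault kv put` path reused verbatim, missing the "data/" segment.
printf 'path "consul-kv/secret/bootstrap-token" {\n  capabilities = ["read"]\n}\n' > "$SAMPLE_DIR/wrong-policy.hcl"
check_bootstrap_token_config "$SAMPLE_DIR/bootstrap-token-policy.hcl" "$SAMPLE_DIR/values.yaml" token
```

Pass your real `bootstrap-token-policy.hcl` and `values.yaml` to `check_bootstrap_token_config` with the key name you used in `vault kv put`; a non-zero exit and a message on stderr mean the three do not agree.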