{"id":16532803,"url":"https://github.com/mjstealey/vault-consul-docker","last_synced_at":"2025-10-28T11:31:22.809Z","repository":{"id":93420698,"uuid":"148930054","full_name":"mjstealey/vault-consul-docker","owner":"mjstealey","description":"HashiCorp Vault with Consul backend in Docker","archived":false,"fork":false,"pushed_at":"2019-05-01T21:46:44.000Z","size":22,"stargazers_count":19,"open_issues_count":1,"forks_count":14,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-02-01T14:51:10.263Z","etag":null,"topics":["consul","docker","docker-compose","vault"],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mjstealey.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-09-15T18:42:31.000Z","updated_at":"2024-09-03T17:46:31.000Z","dependencies_parsed_at":null,"dependency_job_id":"9dfe57a3-74ce-47b3-8ae2-a4936ed67431","html_url":"https://github.com/mjstealey/vault-consul-docker","commit_stats":{"total_commits":6,"total_committers":1,"mean_commits":6.0,"dds":0.0,"last_synced_commit":"6e5f2a3bc59d72e3b1729ec62c5cf2c5d35746bf"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mjstealey%2Fvault-consul-docker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mjstealey%2Fvault-consul-docker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mjstealey%2Fvault-consul-docker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mjstealey%2Fvault-consul-docker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mjstealey","download_url":"https://codeload.github.com/mjstealey/vault-consul-docker/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238645710,"owners_count":19506898,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["consul","docker","docker-compose","vault"],"created_at":"2024-10-11T18:13:28.541Z","updated_at":"2025-10-28T11:31:22.480Z","avatar_url":"https://github.com/mjstealey.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Vault with Consul backend in Docker\n\nThe code herein should not be considered production level by any means, but rather serve as a development or learning environment for using HashiCorp Vault.\n\n**What is Vault?**\n\n- HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Vault handles leasing, key revocation, key rolling, and auditing. Through a unified API, users can access an encrypted Key/Value store and network encryption-as-a-service, or generate AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more. [Read more](https://www.vaultproject.io).\n\n**What is Consul?**\n\n- Consul is a distributed service mesh to connect, secure, and configure services across any runtime platform and public or private cloud. [Read more](https://www.consul.io).\n\nThis work was inspired by: [http://pcarion.com/2017/04/30/A-consul-a-vault-and-a-docker-walk-into-a-bar..html](http://pcarion.com/2017/04/30/A-consul-a-vault-and-a-docker-walk-into-a-bar..html)\n\n**Last updated**: 2019-04-29\n\n- [Consul](https://hub.docker.com/_/consul) version: **1.4.4**\n- [Vault](https://hub.docker.com/_/vault) version: **1.1.2**\n\n**NOTE**: The example provided is using [macOS specific Docker networking](https://docs.docker.com/docker-for-mac/networking/) values which would need to be modified to fit your environment.\n\n## How to use\n\n### Configuration files\n\nOutside of development mode, Vault and Consul are configured using a file. The format of this file is [HCL](https://github.com/hashicorp/hcl) or JSON. The examples herein will use the JSON format.\n\nCopy the template files for both Vault and Consul.\n\n```\ncp config/vault.json.template config/vault.json\ncp config/consul.json.template config/consul.json\n```\n\n### Consul\n\n**Configure**\n\nUsing `uuidgen`, generate a consul master token.\n\nConsul master token:\n\n```console\n$ uuidgen\nED6F90AE-8254-4202-B157-E6B05339FD86\n```\n\nReplace `CONSUL_MASTER_TOKEN` with the value you've generated in the [config/consul.json](config/consul.json) file\n\n```javascript\n{\n \"datacenter\": \"dc-example\",\n \"data_dir\": \"/consul/data\",\n \"log_level\": \"DEBUG\",\n \"node_name\": \"dc-master\",\n \"server\": true,\n \"bootstrap_expect\": 1,\n \"client_addr\": \"0.0.0.0\",\n \"ui\" : true,\n \"acl_datacenter\": \"dc-example\",\n \"acl_master_token\": \"CONSUL_MASTER_TOKEN\", // \u003c-- Replace with: ED6F90AE-8254-4202-B157-E6B05339FD86\n \"acl_default_policy\": \"deny\",\n \"acl_down_policy\": \"extend-cache\",\n \"ports\": {\n \"dns\": 9600,\n \"http\": 9500,\n \"https\": -1,\n \"serf_lan\": 9301,\n \"serf_wan\": 9302,\n \"server\": 9300\n }\n}\n```\n\n\n**Start Consul**\n\nWith the configuration file in place and updated with the master token, you can start the consul container with docker compose.\n\n```\ndocker-compose up -d consul\n```\n\nNavigate to [http://127.0.0.1:9500]() and ensure the Consul UI is running\n\n\u003cimg width=\"80%\" alt=\"Consul on startup\" src=\"https://user-images.githubusercontent.com/5332509/56913034-a3eaac00-6a7e-11e9-98ca-3210a44ff7c8.png\"\u003e\n\nFrom the ACL tab, enter the value generated for `CONSUL_MASTER_TOKEN` and press save\n\n\u003cimg width=\"80%\" alt=\"Enter master token\" src=\"https://user-images.githubusercontent.com/5332509/56913328-57ec3700-6a7f-11e9-9f13-e922ff1687a5.png\"\u003e\n\nYou should observe a success message and be operating as the root level administrator of Consul\n\n\u003cimg width=\"80%\" alt=\"root level administrator\" src=\"https://user-images.githubusercontent.com/5332509/56913341-5f134500-6a7f-11e9-99c2-67fa6c922efd.png\"\u003e\n\n\n**Create a policy for Vault**\n\nFrom the ACL tab, select Policies and create a new policy\n\n\u003cimg width=\"80%\" alt=\"Policies\" src=\"https://user-images.githubusercontent.com/5332509/56913439-ad284880-6a7f-11e9-8cd1-e3a17691306d.png\"\u003e\n\nNew Policy - copy/paste entries as presented below and save\n\n\u003cimg width=\"80%\" alt=\"New Policy\" src=\"https://user-images.githubusercontent.com/5332509/56913598-10b27600-6a80-11e9-92f2-0e3418d0e172.png\"\u003e\n\n- **Name**: vault-agent\n- **Rules**:\n\n```javascript\n{\n \"key_prefix\": {\n \"vault/\": {\n \"policy\": \"write\"\n }\n },\n \"node_prefix\": {\n \"\": {\n \"policy\": \"write\"\n }\n },\n \"service\": {\n \"vault\": {\n \"policy\": \"write\"\n }\n },\n \"agent_prefix\": {\n \"\": {\n \"policy\": \"write\"\n }\n \n },\n \"session_prefix\": {\n \"\": {\n \"policy\": \"write\"\n }\n }\n}\n```\n- **Description**: None\n\nYou should observe a success message and see a new policy named **vault-agent** listed\n\n\u003cimg width=\"80%\" alt=\"vault-agent policy\" src=\"https://user-images.githubusercontent.com/5332509/56913735-6d159580-6a80-11e9-8aca-6ae8a7d1aa66.png\"\u003e\n\n**Generate token for Vault**\n\nFrom the ACL tab, select Tokens and create a new token\n\n\u003cimg width=\"80%\" alt=\"Tokens\" src=\"https://user-images.githubusercontent.com/5332509/56913862-b1a13100-6a80-11e9-98fe-975e5ff440bf.png\"\u003e\n\nNew Token - apply existing **vault-agent** policy to new token named Vault Agent and save\n\n\u003cimg width=\"80%\" alt=\"Create new token\" src=\"https://user-images.githubusercontent.com/5332509/56914094-3429f080-6a81-11e9-8ff6-539f012eda14.png\"\u003e\n\nYou should observe a success message and see a new token named **Vault Agent** listed\n\n\u003cimg width=\"80%\" alt=\"Vault Agent Token\" src=\"https://user-images.githubusercontent.com/5332509/56914127-4f94fb80-6a81-11e9-9278-a5b0055e2234.png\"\u003e\n\n### Vault\n\n**Configure**\n\nClick the Vault Agent token (puts it into edit mode) so that the details can be observed.\n\n\u003cimg width=\"80%\" alt=\"token details\" src=\"https://user-images.githubusercontent.com/5332509/56914248-9f73c280-6a81-11e9-95cc-0348dcee2482.png\"\u003e\n\nReplace the value of `VAULT_AGENT_TOKEN` in the [config/vault.json](config/vault.json) file with newly generated Vault Agent Token \n\nFrom example, `VAULT_AGENT_TOKEN` = `d92ac4aa-836c-b887-6144-81dfaaa3366c`\n\n```javascript\n{\n \"storage\":\n {\n \"consul\":\n {\n \"address\": \"host.docker.internal:9500\",\n \"advertise_addr\": \"http://host.docker.internal\",\n \"path\": \"vault/\",\n \"token\": \"VAULT_AGENT_TOKEN\" // \u003c-- Replace with: d92ac4aa-836c-b887-6144-81dfaaa3366c\n }\n },\n \"listener\":\n {\n \"tcp\":\n {\n \"address\": \"0.0.0.0:8200\",\n \"tls_disable\": 1\n }\n },\n \"log_level\": \"DEBUG\"\n}\n\n```\n\n**Start Vault**\n\nWith the configuration file in place and updated with the vault token, you can start the vault container with docker compose.\n\n```\ndocker-compose up -d vault\n```\n\nNavigate to [http://127.0.0.1:9500]() and verify that a new service named vault is running in standby mode.\n\n\u003cimg width=\"80%\" alt=\"Services\" src=\"https://user-images.githubusercontent.com/5332509/56924171-4d8b6680-6a9a-11e9-9690-d9685de8d6ec.png\"\u003e\n\nVault has been started, but not yet initialized. For this we'll use the vault client to interact with the RESTful API of the vault container.\n\n## Vault Client\n\nBuild and run the vault client in docker-compose\n\n```\ndocker-compose build\ndocker-compose up -d client\n```\n\nThe vault client defaults to volume mounting the [client-scripts](client-scripts) directory as `/mnt/data` of the running client container.\n\nDocker exec onto the client container, initialize and unseal the vault.\n\n```console\n$ docker exec -ti client /bin/bash\nroot@ac3e3a01a4a5:/# cd /mnt/data/\nroot@ac3e3a01a4a5:/mnt/data# ./initialize-and-unseal.sh\nINFO: init Vault\nUnseal Key 1: CkU4RFOn0jl3IoD3ZBMId3g9V4yPqaBPwLZtelBn4ZXB\nUnseal Key 2: 0mn/hNvkzY8FvBMpmqQfXTLa+9L0OaWKeFmIlINiwdmR\nUnseal Key 3: DAEJRhYvD+P2um40CfJ50okF23MQaBJpymmPWupWGhM3\nUnseal Key 4: +M8F0DfI7JqpWEFMKxVx4meUlQD/f8UigxbRohc01Qkc\nUnseal Key 5: 6douRfxKIlqfzEodMjPHSELT+WLm+PVw4d/37Ibf1WQQ\n\nInitial Root Token: s.ZQSMW5tJmSXNhGFZrr0oKuUR\n\nVault initialized with 5 key shares and a key threshold of 3. Please securely\ndistribute the key shares printed above. When the Vault is re-sealed,\nrestarted, or stopped, you must supply at least 3 of these keys to unseal it\nbefore it can start servicing requests.\n\nVault does not store the generated master key. Without at least 3 key to\nreconstruct the master key, Vault will remain permanently sealed!\n\nIt is possible to generate new unseal keys, provided you have a quorum of\nexisting unseal keys shares. See \"vault operator rekey\" for more information.\nINFO: unseal Vault\nKey Value\n--- -----\nSeal Type shamir\nInitialized true\nSealed true\nTotal Shares 5\nThreshold 3\nUnseal Progress 1/3\nUnseal Nonce 7389c6bd-768c-3bad-aea6-c1b923141019\nVersion 1.1.2\nHA Enabled true\nKey Value\n--- -----\nSeal Type shamir\nInitialized true\nSealed true\nTotal Shares 5\nThreshold 3\nUnseal Progress 2/3\nUnseal Nonce 7389c6bd-768c-3bad-aea6-c1b923141019\nVersion 1.1.2\nHA Enabled true\nKey Value\n--- -----\nSeal Type shamir\nInitialized true\nSealed false\nTotal Shares 5\nThreshold 3\nVersion 1.1.2\nCluster Name vault-cluster-a1069ec3\nCluster ID 115e5944-aa2b-3cb6-2fc4-c1778c84b36a\nHA Enabled true\nHA Cluster n/a\nHA Mode standby\nActive Node Address \u003cnone\u003e\nKey Value\n--- -----\nSeal Type shamir\nInitialized true\nSealed false\nTotal Shares 5\nThreshold 3\nVersion 1.1.2\nCluster Name vault-cluster-a1069ec3\nCluster ID 115e5944-aa2b-3cb6-2fc4-c1778c84b36a\nHA Enabled true\nHA Cluster https://host.docker.internal:444\nHA Mode active\nINFO: Vault has been unsealed\nVAULT_ADDR=http://host.docker.internal:9200\nVAULT_VERSION=1.1.2\nVAULT_TOKEN=s.ZQSMW5tJmSXNhGFZrr0oKuUR\n```\n\nAt this stage the vault service should be unsealed and active\n\n\u003cimg width=\"80%\" alt=\"Services active\" src=\"https://user-images.githubusercontent.com/5332509/56924549-297c5500-6a9b-11e9-9350-256aa0dfa8f5.png\"\u003e\n\n**NOTE**: The vault can also be initialized and unsealed manually using the following commands\n\n- `$ vault operator init`: Initialize the vault\n- `$ vault operator unseal`: Unseal vault - follow the prompts\n\nYou are now ready to start running vault commands\n\n## Vault commands\n\nDocker exec into the `client` container as described above, and set the value of `VAULT_TOKEN` as an environment variable (using the initial root token for demonstration purposes)\n\n```bash\nexport VAULT_TOKEN=s.ZQSMW5tJmSXNhGFZrr0oKuUR\nexport VAULT_ADDR=http://host.docker.internal:9200\ndocker run --rm -ti \\\n -e VAULT_TOKEN=$VAULT_TOKEN \\\n -e VAULT_ADDR=$VAULT_ADDR \\\n -v $(pwd):/mnt/data \\\n mjstealey/vault-client:latest \\\n /bin/bash\n```\n\n**help**\n\n```console\n# vault --help\nUsage: vault \u003ccommand\u003e [args]\n\nCommon commands:\n read Read data and retrieves secrets\n write Write data, configuration, and secrets\n delete Delete secrets and configuration\n list List data or secrets\n login Authenticate locally\n agent Start a Vault agent\n server Start a Vault server\n status Print seal and HA status\n unwrap Unwrap a wrapped secret\n\nOther commands:\n audit Interact with audit devices\n auth Interact with auth methods\n kv Interact with Vault's Key-Value storage\n lease Interact with leases\n namespace Interact with namespaces\n operator Perform operator-specific tasks\n path-help Retrieve API help for paths\n plugin Interact with Vault plugins and catalog\n policy Interact with policies\n print Prints runtime configurations\n secrets Interact with secrets engines\n ssh Initiate an SSH session\n token Interact with tokens\n```\n\n**status**\n\n```console\n# vault status\nKey Value\n--- -----\nSeal Type shamir\nInitialized true\nSealed false\nTotal Shares 5\nThreshold 3\nVersion 1.1.2\nCluster Name vault-cluster-a1069ec3\nCluster ID 115e5944-aa2b-3cb6-2fc4-c1778c84b36a\nHA Enabled true\nHA Cluster https://host.docker.internal:444\nHA Mode active\n```\n\n**kv secrets**\n\nTo enable a version 1 kv store\n\n```bash\nvault secrets enable -version=1 kv\n```\n\nAfter the secrets engine is configured and a user/machine has a Vault token with the proper permission, it can generate credentials. The kv secrets engine allows for writing keys with arbitrary values.\n\nWrite arbitrary data:\n\n```console\n# vault kv put kv/my-secret my-value=s3cr3t\nSuccess! Data written to: kv/my-secret\n```\n\nRead arbitrary data:\n\n```console\n# vault kv get kv/my-secret\n====== Data ======\nKey Value\n--- -----\nmy-value s3cr3t\n```\n\nList the keys:\n\n```console\n# vault kv list kv/\nKeys\n----\nmy-secret\n```\n\nThis is also visible from the consul UI under the Key/Value tab\n\n\u003cimg width=\"80%\" alt=\"my-secret\" src=\"https://user-images.githubusercontent.com/5332509/57043536-d4287b00-6c35-11e9-8718-de8f90e4af39.png\"\u003e\n\n### using curl\n\nExample cURL calls to a vault instance running on the localhost (127.0.0.1)\n\n**Get list of keys**\n\n```bash\nexport VAULT_TOKEN=s.ZQSMW5tJmSXNhGFZrr0oKuUR\nexport VAULT_ADDR=http://127.0.0.1:9200\ncurl \\\n --header \"X-Vault-Token: $VAULT_TOKEN\" \\\n --request LIST \\\n \"$VAULT_ADDR/v1/kv\"\n```\n\nExample: \n\n```console\n$ curl -s \\\n --header \"X-Vault-Token: $VAULT_TOKEN\" \\\n --request LIST \\\n \"$VAULT_ADDR/v1/kv\" | jq .\n{\n \"request_id\": \"400a6e82-212f-3276-cda9-f0b1622c95b0\",\n \"lease_id\": \"\",\n \"renewable\": false,\n \"lease_duration\": 0,\n \"data\": {\n \"keys\": [\n \"my-secret\"\n ]\n },\n \"wrap_info\": null,\n \"warnings\": null,\n \"auth\": null\n}\n```\n\n**Get data from key**\n\n```bash\nexport VAULT_TOKEN=s.ZQSMW5tJmSXNhGFZrr0oKuUR\nexport VAULT_ADDR=http://127.0.0.1:9200\ncurl \\\n --header \"X-Vault-Token: $VAULT_TOKEN\" \\\n \"$VAULT_ADDR/v1/kv/my-secret\"\n```\n\nExample:\n\n```console\n$ curl -s \\\n --header \"X-Vault-Token: $VAULT_TOKEN\" \\\n \"$VAULT_ADDR/v1/kv/my-secret\" | jq .\n{\n \"request_id\": \"2e2480c6-9a8f-8b65-2914-2b9813c0a1e7\",\n \"lease_id\": \"\",\n \"renewable\": false,\n \"lease_duration\": 2764800,\n \"data\": {\n \"my-value\": \"s3cr3t\"\n },\n \"wrap_info\": null,\n \"warnings\": null,\n \"auth\": null\n}\n```\n\n## References\n\n- HashiCorp Vault: [https://www.vaultproject.io](https://www.vaultproject.io)\n- HashiCorp Consul: [https://www.consul.io](https://www.consul.io)\n- curl reference: [https://curl.haxx.se](https://curl.haxx.se)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmjstealey%2Fvault-consul-docker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmjstealey%2Fvault-consul-docker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmjstealey%2Fvault-consul-docker/lists"}