0
votes

I'm testing the integration between Vault + Consul to save my secrets and store them in multiple machines. I'm able to see and insert/retrieve my secrets from Vault without problems.

Now I'm trying to configure Spring Cloud to consume my secrets from Vault (I followed the page https://cloud.spring.io/spring-cloud-vault/reference/html/) and my bootstrap.yml is similar to the example:

    # parent key as in the Spring Cloud Vault reference example the poster cites
    spring.cloud.vault:
        host: localhost
        port: 8200
        scheme: https
        uri: https://localhost:8200
        connection-timeout: 5000
        read-timeout: 15000
        config:
            order: -10

And it works too! My application can see the secrets inside Vault.

Now, what I'm trying to understand is how Consul is connected to this. When using Consul, I was thinking that it was not necessary to insert the address of Vault; Consul should be responsible for informing this. But I didn't find anything useful related to this.

Any idea here? Or will Consul just store my secrets and I still need to connect to Vault?


1 Answer

0
votes

There are a couple of potential integration points between Consul and Vault.

Consul can be used as a storage backend for Vault (https://www.vaultproject.io/docs/configuration/storage/consul). Prior to Vault 1.4, Consul was the recommended storage backend for Vault. Vault 1.4.0 introduced general availability for Vault's own integrated storage (https://www.vaultproject.io/docs/concepts/integrated-storage) which removes the reliance on Consul.

Another way the products can be integrated is to use Vault's Consul Secrets Engine to obtain authentication tokens for accessing Consul. Spring Cloud Vault uses this to obtain a Consul token through Vault (https://cloud.spring.io/spring-cloud-vault/reference/html/#vault.config.backends.consul).

If storing secrets/keys in Vault satisfies your needs, there should be no reason to add Consul to your environment.
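To make the second integration point concrete, here is an added bootstrap.yml (example configuration, not from the question or the answer) that keeps the poster's Vault connection and additionally enables the Consul backend, so that the application obtains a leased Consul ACL token from Vault instead of holding a long-lived one. It assumes the Consul secrets engine is mounted at `consul` in Vault with a role named `readonly`, and that the Vault token is injected through the `VAULT_TOKEN` environment variable.

```yaml
# bootstrap.yml (added example; role name and mount path are assumptions)
spring:
  cloud:
    vault:
      host: localhost
      port: 8200
      scheme: https
      uri: https://localhost:8200
      connection-timeout: 5000
      read-timeout: 15000
      authentication: TOKEN
      token: ${VAULT_TOKEN}        # injected at runtime, never committed to the repository
      config:
        order: -10
      consul:
        enabled: true              # request a Consul ACL token from Vault's Consul secrets engine
        backend: consul            # mount path of the Consul secrets engine in Vault (assumed)
        role: readonly             # Vault role mapped to a Consul ACL policy (assumed name)
        token-property: spring.cloud.consul.token   # property under which the issued token is exposed
    consul:
      host: localhost              # the application still talks to Consul directly for discovery/KV
      port: 8500
```

The token Vault issues under `spring.cloud.consul.token` carries a lease, so it expires and is renewed by Spring Cloud Vault rather than living forever in a config file.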