consul template with vault

Justin LaRose

Mar 30, 2016, 10:46:23 AM
to Consul
Is there a way to specify vault configuration for consul-template at the CLI rather than have a configuration file?

For example, the consul-template configuration file has the following contents:

....
vault {
  // This is the address of the Vault leader. The protocol (http(s)) portion
  // of the address is required.

  // This is the token to use when communicating with the Vault server.
  // Like other tools that integrate with Vault, Consul Template makes the
  // assumption that you provide it with a Vault token; it does not have the
  // incorporated logic to generate tokens via Vault's auth methods.
  //
  // This value can also be specified via the environment variable VAULT_TOKEN.
  token = "abcd1234"

  // This option tells Consul Template to automatically renew the Vault token
  // given. If you are unfamiliar with Vault's architecture, Vault requires
  // tokens be renewed at some regular interval or they will be revoked. Consul
  // Template will automatically renew the token at half the lease duration of
  // the token. The default value is true, but this option can be disabled if
  // you want to renew the Vault token using an out-of-band process.
  //
  // Note that secrets specified in a template (using {{secret}} for example)
  // are always renewed, even if this option is set to false. This option only
  // applies to the top-level Vault token itself.
  renew = true

  // This section details the SSL options for connecting to the Vault server.
  // Please see the SSL options below for more information (they are the same).
  ssl {
    // ...
  }
}
...

What I would like to do instead is:
consul-template -template "/path/on/disk/to/template.ctmpl:/path/on/disk/where/template/will/render.txt" -vault.address="https://vault.service.consul:8200" -vault.token="abcd1234" -vault.renew=true -once

Thanks!

James Phillips

Apr 13, 2016, 1:04:49 AM
to consu...@googlegroups.com
Hi Justin,

That's currently not supported as a command line flag - https://github.com/hashicorp/consul-template/blob/master/cli.go#L182. Security-wise it's probably better to never pass the token in as a command line option since there are tools that can see that, such as ps.

-- James

Jay Christopherson

Jun 17, 2016, 1:30:19 PM
to Consul
It would be very handy to be able to specify the Vault host on the command line, since we have different vault hosts for different environments.

Jay Christopherson

Jun 17, 2016, 2:05:32 PM
to Consul
I guess you can set VAULT_ADDR instead of specifying in the config file.
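
Added example, not written by any poster in this thread and not part of consul-template: a wrapper that selects the Vault address per environment and supplies the token through the VAULT_ADDR and VAULT_TOKEN environment variables mentioned above, so the token never appears in the argument list that ps shows. The hostnames, the token file path and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pass Vault settings to consul-template via the environment
# instead of command-line flags or a per-environment config file.

# Map a deployment environment to its Vault address.
# The hostnames are constructed placeholders.
vault_addr_for() {
  case "$1" in
    dev)     echo "https://vault.dev.example.internal:8200" ;;
    staging) echo "https://vault.staging.example.internal:8200" ;;
    prod)    echo "https://vault.prod.example.internal:8200" ;;
    *)       echo "unknown environment: $1" >&2; return 1 ;;
  esac
}

# Print the token stored in a file, refusing any file whose group or
# other permission bits are set (anything looser than owner-only).
read_token_file() {
  [ -f "$1" ] || { echo "no such token file: $1" >&2; return 1; }
  perms=$(ls -ld "$1" | cut -c5-10)   # group + other bits of the mode string
  if [ "$perms" != "------" ]; then
    echo "refusing $1: group/other permission bits are set" >&2
    return 1
  fi
  tr -d '\r\n' < "$1"
}

# Export VAULT_ADDR and VAULT_TOKEN, then render the template once.
# Only the template spec and -once reach argv.
run_consul_template() {
  env_name=$1 token_file=$2 template_spec=$3
  VAULT_ADDR=$(vault_addr_for "$env_name") || return 1
  VAULT_TOKEN=$(read_token_file "$token_file") || return 1
  [ -n "$VAULT_TOKEN" ] || { echo "token file is empty" >&2; return 1; }
  export VAULT_ADDR VAULT_TOKEN
  exec consul-template -template "$template_spec" -once
}

# Example: ./render.sh prod /etc/consul-template/vault-token "in.ctmpl:out.txt"
if [ "$#" -ge 3 ]; then
  run_consul_template "$@"
fi
```

The process environment is still readable by the same user and by root, so this narrows who can see the token rather than hiding it completely.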