Reading vault secrets from consul-template

Question

How do I query just the value of a secret key from consul template ? From vault cli I would do

vault read -field=value secret/somekey

and it works fine. However, in the consul-template

{{secret "secret/somekey"}}

returns something like

{ 2592000 false map[value:11122222001040]

I can see it's outputting lease_duration etc along with the value. How do I get just the value in consul-template ?

There is an answer. If it is correct, please mark it. – muehsi Mar 27 '17 at 10:07 — muehsi, Mar 27 '17 at 10:07

score 2 · Answer 1 · answered Apr 04 '16 at 18:54

2

In your template you will need to use:

{{with secret "secret/somekey"}}{{.Data.value}}{{end}}

In your config file you will also need a section for vault:

vault {
  address = "https://vault.service.consul:8200"
  token = "abcd1234"
}

or you could use the VAULT_TOKEN environment variable.

answered Apr 04 '16 at 18:54

Cryptographic_ICE

1

how would you iterate over several values not just 1? – Eli Oct 21 '16 at 07:52
I have a template as below to renew the token and update the tls.key when the `key` is updated in vault vault { renew_token = true address = "https://vault.xxx.com/" } template { destination = "/tmp/tls.key" contents = "{{ with secret \"secret/user\" }}{{ .Data.key }}{{ end }}" } with consul-template running in the ec2 instance, but the tls.key doesnt get the new vaule when the vault `key` is updated, instead when I reload the consult-template it does updated - but is it possible to get it updated without doing a restart of service? – pavan May 07 '21 at 11:45

1 Answers1