Search code examples

Reading secrets with consul-template from vault

I have vault running in a pod. I can read secrets using vault read.

$ vault read test
Key                 Value
---                 -----
refresh_interval    768h
value               world

$ vault kv get test
==== Data ====
Key      Value
---      -----
value    world

I can use both versions of the Api to see the secrets in vault

When i list vault secret engines i clearly see them:

$ vault secrets list
Path                   Type         Description
----                   ----         -----------
secret/                kv           key/value secret storage
test/                  kv           n/a

In my Consul-template template i have the following

{{ with secret "test"}}
{{ if .Data.value }}
consul_template_value = {{ .Data.value }}
{{ end }}
{{ end }}

My consul-template is a sidecar pod reading the file above and returning the current error :

watcher reported error: no secret exists at test
[ERR] (cli) no secret exists at test

I turned on the trace on consul-template sidecar

[TRACE] (view) starting fetch
[TRACE] GET /v1/test?stale=true&wait=1m0s
[WARN] (view) no secret exists at test (retry attempt 1 after "250ms")

I checked Vault API with a curl

curl -k -H "X-Vault-Token: TOKEN" -X GET https://X.X.X.X/v1/test?stale=true

I get the response


I found a similar issue on github

Any ideas would be helpful


  • Resolved i was missing some configuration aspects of CT