![image.png](attachment:ac8045ca-ac0f-457b-b92e-79b79e21969c.png)

# Envconsul and Consul Template: Direct Application Integration

This tutorial introduces Consul Template and Envconsul to help you determine how these tools speed up the integration of your applications once secrets are securely managed by Vault.

**Challenge**
If your application code or script contains some secrets (e.g. database credentials), it makes a good sense to manage the secrets using Vault. However, it means that your application will need to retrieve the secrets at runtime. Does that mean the application developers must make some code change?

**Solution**
Both Consul Template and Envconsul provide first-class support for Vault. Leveraging these tools can minimize the level of changes introduced to your applications. Depending on the current application design, you may not need to make minimal to no code change. 


**Envconsul** - dynamically populates environment variables from secrets read from Vault.

**Consul Template** - retrieves secrets from Vault and manages the acquisition and renewal lifecycle.



---
![vault-agent-templates (1).png](attachment:d2dfca88-8306-477a-bf0a-2cb420a9d288.png)
### Prerequisites

* Vault, Envconsul, and Consul Template binaries
* Docker

### Workflow

* Step 1: Set Up: Start Postgres | Configure Vault PostgreSQL secrets engine
* Step 2: Generate Client Token
* Step 3 Use Envconsul to Retrieve DB Credentials
* Step 4: Use Consul Template to Populate DB Credentials
---
# Step 1: Set Up

## Start Postgres

**Pull a Postgres server image with docker.**

In [1]:
docker pull postgres:latest

latest: Pulling from library/postgres
Digest: sha256:2b87b5bb55589540f598df6ec5855e5c15dd13628230a689d46492c1d433c4df
Status: Image is up to date for postgres:latest
docker.io/library/postgres:latest



**Create a Postgres database with a root user named root with the password rootpassword.**


In [2]:
docker run \
      --name postgres \
      --env POSTGRES_USER=root \
      --env POSTGRES_PASSWORD=rootpassword \
      --detach  \
      --publish 5432:5432 \
      postgres


f91a66df749114a0af220fe45b86c73944d661f043f462ce4442e85231318f82


**Create a role named ro && Grant the ability to read all tables to the role named ro.**

In [3]:
tee role_create.sql <<EOF
CREATE ROLE ro NOINHERIT;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "ro";
EOF

CREATE ROLE ro NOINHERIT;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO "ro";


In [4]:
docker exec -i postgres psql < role_create.sql

CREATE ROLE
GRANT



## Enable the database secrets engine



#### If you don't have running Vault, <br>in another terminal, start a Vault dev server with root as the root token.

### <span style="background-color: #ffc9e3">vault server -dev -dev-root-token-id root</span>

In [5]:
vault version

[0mVault v1.7.2+ent (0e2ed0c723715690ce84695805e84e00466909c0)[0m


In [6]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root
export VAULT_SKIP_VERIFY=true

In [7]:
vault login root

over the value set by this command. To use the value set by this command,
unset the VAULT_TOKEN environment variable or set it to the token displayed
below.
[0m
[0mSuccess! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
[0m
[0mKey                  Value
---                  -----
token                root
token_accessor       T8vKE9Qk0PsFUUh4j5Yfcm1P
token_duration       ∞
token_renewable      false
token_policies       ["root"]
identity_policies    []
policies             ["root"][0m


**Enable the database secrets engine at the database/ path.**

In [8]:
vault secrets enable database

[0mSuccess! Enabled the database secrets engine at: database/[0m


## Configure PostgreSQL secrets engine

**Configure the database secrets engine with the connection credentials for the Postgres database.**

In [10]:
vault write database/config/postgresql \
     plugin_name=postgresql-database-plugin \
     connection_url="postgresql://{{username}}:{{password}}@localhost:5432/postgres?sslmode=disable" \
     allowed_roles=readonly \
     username="root" \
     password="rootpassword"


**Create a role**

In [11]:
tee readonly.sql <<EOF
CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' INHERIT;
GRANT ro TO "{{name}}";
EOF

CREATE ROLE "{{name}}" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' INHERIT;
GRANT ro TO "{{name}}";


In [12]:
vault write database/roles/readonly \
      db_name=postgresql \
      creation_statements=@readonly.sql \
      default_ttl=1h \
      max_ttl=24h
      

[0mSuccess! Data written to: database/roles/readonly[0m


**Request PostgreSQL credentials**

In [14]:
vault read database/creds/readonly

[0mKey                Value
---                -----
lease_id           database/creds/readonly/JYKnmbaFa5CLagNZ3Dc3eslj
lease_duration     1h
lease_renewable    true
password           LO6p262Lx3-RuC225OCF
username           v-token-readonly-GN8GlyE8aoVb43VmsE08-1626287182[0m


**Request PostgreSQL credentials**

In [14]:
tee list_users.sql <<EOF
SELECT usename, valuntil FROM pg_user;
EOF

SELECT usename, valuntil FROM pg_user;


In [15]:
docker exec -i postgres psql < list_users.sql

                     usename                      |        valuntil        
--------------------------------------------------+------------------------
 root                                             | 
 v-token-readonly-6PDHaM6PNqqQmv9fz9jg-1626286698 | 2021-07-14 19:18:23+00
 v-token-readonly-QIGtdqfpWGICfEZcxnCF-1626286920 | 2021-07-14 19:22:05+00
 v-token-readonly-v2S3LDGZHwyIJQ2tSD4s-1626286933 | 2021-07-14 19:22:18+00
 v-token-readonly-ztlr6yBDCWn4R8qBjgdy-1626286956 | 2021-07-14 19:22:41+00
 v-token-readonly-MJ1kO0VAX4GKr00I29vW-1626287026 | 2021-07-14 19:23:51+00
 v-token-readonly-inVfP4OENhA10akerLkh-1626287032 | 2021-07-14 19:23:57+00
 v-token-readonly-XWZbXKfL3F69S4Kl06jg-1626287079 | 2021-07-14 19:24:44+00
 v-token-readonly-GN8GlyE8aoVb43VmsE08-1626287182 | 2021-07-14 19:26:27+00
(9 rows)



# Step 2: Generate Client Token

EnvConsul tool itself is a Vault client. Therefore it must have a valid token with policies permitting it to retrieve secrets from database secret engine you just configured

In [16]:
## Create a Vault db_creds policy to allow envconsul 
## retrieve dynamically generated Postgres secrets
echo '
path "database/creds/readonly" {
  capabilities = [ "read" ]
}

path "sys/leases/renew" {
  capabilities = [ "update" ]
} ' | vault policy write db_creds -

[0mSuccess! Uploaded policy: db_creds[0m


**Create a token with db_creds policy attached.**

In [17]:
vault token create -policy="db_creds"

[0mKey                  Value
---                  -----
token                s.9z98EnXLbgMMansCXpktRjCP
token_accessor       R2OQcaSBXFMnb85DFI5IezYz
token_duration       768h
token_renewable      true
token_policies       ["db_creds" "default"]
identity_policies    []
policies             ["db_creds" "default"][0m


### NOTE: This is the token that EnvConsul uses to talk to Vault. Copy the token value and proceed to Step 3.

# Step 3: Use Envconsul to Retrieve DB Credentials


### Demo
---

**Create a file named app.sh containing the following:**

In [18]:
## app.sh is reading environment variables to set username and password values; 
tee app.sh <<EOT
#!/usr/bin/env bash
EOT

#!/usr/bin/env bash


**Copy and paste a snippet below into newly created app.sh**

In [19]:
cat <<EOT
My connection info is:

username: "${DATABASE_CREDS_READONLY_USERNAME}"
password: "${DATABASE_CREDS_READONLY_PASSWORD}"
database: "my-app"
EOT

My connection info is:

username: ""
password: ""
database: "my-app"


### <span style="background-color: #ffc9e3">As the result, your app.sh should look as it shown below:<span>

In [9]:
chmod 700 app.sh

In [11]:
ls -l app.sh

-rwx------  1 kryuma  staff  158 Jul 14 14:23 app.sh


**Run the Envconsul tool using the Vault token you generated at Step 2.**

In [16]:
vault token create -policy="db_creds"

[0mKey                  Value
---                  -----
token                s.jYoQc45E39PXJnLuXD8JNMsn
token_accessor       dqhf9aWiMZGqSGJBGswiwoua
token_duration       768h
token_renewable      true
token_policies       ["db_creds" "default"]
identity_policies    []
policies             ["db_creds" "default"][0m


In [19]:
VAULT_TOKEN=s.jYoQc45E39PXJnLuXD8JNMsn envconsul -upcase -secret database/creds/readonly ./app.sh

2021/07/14 18:31:48.870259 [WARN] vault.token: TTL of "767h59m51s" exceeded the effective max_ttl of "767h56m37s"; TTL value is capped accordingly
My connection info is:

username: "v-token-readonly-WvvSoZgZqaRs2JR6LV7o-1626287508"
password: "1MLrRn-zUvsxaqpvXcj8"
database: "my-app"


**The output should display the username and password populated.**

<br></br>
**Request PostgreSQL credentials**

In [None]:
docker exec -i postgres psql < list_users.sql

*If your application is designed to read secrets from environment variables, Envconsul requires minimal to no code change to integrate with Vault.*

# Step 4: Use Consul Template to Populate DB Credentials

Assume that your application requires PostgreSQL database credentials to read data. Its configuration file, config.yml looks like:

In [None]:
tee config.yml <<EOT
username: '<DB_USERNAME>'
password: '<DB_PASSWORD>'
database: 'myapp'
EOT

To have Consul Template to populate the <DB_USERNAME> and <DB_PASSWORD>, you need to create a template file with Consul Template

**Create a template file by replacing the username and password with Consul Template syntax and save it as config.yml.tpl**

In [None]:
tee config.yml.tpl <<EOT
{{- with secret "database/creds/readonly" }}
username: "{{ .Data.username }}"
password: "{{ .Data.password }}"
database: "myapp"
{{- end }}
EOT

<br>
The input file is the config.yml.tpl and specify the desired output file name to be config.yml

**Run Consul Template using the Vault token you generated at Step 2.**

In [None]:
vault token create -policy="db_creds"

In [None]:
VAULT_TOKEN=s.ZDWZqtu3mouBH7AERshfKH18 consul-template \
        -template="config.yml.tpl:config.yml" -once

**Check a newly populated credentials in config.yml**

**Cleanup**

In [None]:
docker stop /postgres
docker rm /postgres

In [None]:
rm app.sh
rm list_users.sql
rm readonly.sql
rm role_create.sql
rm config.yml
rm config.yml.tpl

**END**