
HA cluster Vault with Consul on AWS

In this article we deploy Vault on AWS with Consul as its storage backend. Vault manages your secrets (passwords, tokens, other sensitive data) and hands them out only to authenticated clients; Consul is the distributed, replicated store that Vault writes its data to (the data is encrypted by Vault before it reaches Consul).

On AWS we only need to start four EC2 instances: one Vault node and three Consul nodes. Three Consul servers are needed for a quorum: with three, a majority of two survives the loss of any one node, whereas a single Consul server is a single point of failure for Vault as well. Let's configure Consul first. What is Quorum? Go to

Check the Ansible repository to do it in a few clicks:
The following commands should be executed on all three Consul nodes:
Step 1: Download Consul
Step 2: Unarchive the downloaded file, install the binary and remove the archive
sudo cp consul /usr/local/bin/
rm -rf
Step 3: Create two directories for Consul
sudo mkdir -p /etc/consul.d/scripts
sudo mkdir /var/consul
Step 4 should be executed on only one Consul node; the key it prints goes into the configuration of all three.
Step 4: Generate the gossip encryption key
consul keygen
Step 5: Create the configuration file on every Consul node (same content on all three, apart from the addresses)
sudo vi /etc/consul.d/config.json
{
  "bootstrap_expect": 3,
  "client_addr": "",
  "datacenter": "Us-Central",
  "data_dir": "/var/consul",
  "domain": "consul",
  "enable_script_checks": true,
  "dns_config": {
    "enable_truncate": true,
    "only_passing": true
  },
  "enable_syslog": true,
  "encrypt": "goplCZgdmOFMZ2Q43To0jw==",
  "leave_on_terminate": true,
  "log_level": "INFO",
  "rejoin_after_leave": true,
  "server": true,
  "start_join": [
  ],
  "ui": true
}
Two values are left blank above: client_addr is the address the HTTP and DNS interfaces bind to, and start_join lists the private IPs of the Consul servers. Put your own output of consul keygen into encrypt; the key shown here has been published and must not be reused. All three nodes need the identical key, otherwise gossip will not join. Consul lowercases the datacenter name, which is why consul members below reports us-central.
Two settings deserve care. enable_script_checks lets any client that can reach the HTTP API register a health check that runs an arbitrary command on the node, so keep client_addr on the private interface and port 8500 closed to the internet, or set it to false if you do not need script checks. leave_on_terminate on a server means a plain systemctl stop removes the node from the Raft peer set instead of just taking it offline; Consul defaults it to true only for client agents.
Create a consul service
sudo vi /etc/systemd/system/consul.service
sudo systemctl daemon-reload
Start Consul
sudo systemctl start consul
sudo systemctl status consul
consul members
[ec2-user@ip-10-0-1-206 ~]$ consul members
Node  Address  Status  Type    Build  Protocol  DC          Segment
             alive   server  1.2.0  2         us-central
             alive   server  1.2.0  2         us-central
             alive   server  1.2.0  2         us-central
             alive   client  1.2.0  2         us-central
(node names and addresses are omitted here). Three members are server agents and form the quorum; the fourth runs in client mode, which is how an application such as Vault normally reaches Consul: through a local client agent rather than by talking to a server directly.
Consul UI
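To show how the pieces of the Consul setup fit together, here is an added example (not code from the original article, nor HashiCorp's) that renders a config.json per Consul server and cross-checks the three files before they are copied out. The node IPs, the output layout and the hardened choices (HTTP bound to the private interface, script checks off, retry_join instead of start_join) are assumptions of the example; the gossip key is generated locally the same way consul keygen does, so the key printed in this article is never reused.

```python
"""Render a config.json for each Consul server and sanity-check the set.

Added example for this article, not the article's or HashiCorp's code.
Assumptions: three servers on the private IPs below, one datacenter,
and a hardened variant of the article's settings (see server_config).
"""
import base64
import json
import secrets

# Constructed sample: private IPs of the three Consul servers.
SERVER_IPS = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]


def gossip_key(nbytes=32):
    """What `consul keygen` does: random bytes, base64-encoded.
    Consul accepts 16-, 24- or 32-byte keys."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def server_config(node_ip, all_ips, key, datacenter="us-central"):
    """Config for one server. Compared with the article's file: the HTTP/DNS
    API is bound to the node's private IP instead of everywhere, script checks
    are off (with them on, anyone reaching port 8500 can run a command on the
    node), and retry_join replaces start_join so a server that comes up before
    its peers keeps retrying instead of failing to start."""
    return {
        "server": True,
        "bootstrap_expect": len(all_ips),
        "datacenter": datacenter,
        "data_dir": "/var/consul",
        "domain": "consul",
        "bind_addr": node_ip,
        "client_addr": node_ip,
        "enable_script_checks": False,
        "encrypt": key,
        "retry_join": [ip for ip in all_ips if ip != node_ip],
        "dns_config": {"enable_truncate": True, "only_passing": True},
        "enable_syslog": True,
        "log_level": "INFO",
        "rejoin_after_leave": True,
        "ui": True,
    }


def check_cluster(configs):
    """Return the problems that would stop the servers forming one healthy
    cluster (an empty list means the set is consistent)."""
    problems = []
    servers = [c for c in configs if c.get("server")]
    if len(servers) < 3:
        problems.append("fewer than 3 servers: losing one node loses the quorum")
    keys = {c.get("encrypt") for c in configs}
    if len(keys) != 1 or None in keys:
        problems.append("encrypt key missing or differs between nodes; gossip will not join")
    else:
        try:
            raw = base64.b64decode(next(iter(keys)), validate=True)
            if len(raw) not in (16, 24, 32):
                problems.append("encrypt key is not 16, 24 or 32 bytes")
        except ValueError:  # binascii.Error is a ValueError
            problems.append("encrypt key is not valid base64")
    for c in configs:
        name = c.get("bind_addr", "?")
        if c.get("bootstrap_expect") != len(servers):
            problems.append(f"{name}: bootstrap_expect does not match the server count")
        if c.get("enable_script_checks") and c.get("client_addr") in ("", "0.0.0.0", None):
            problems.append(f"{name}: script checks are registrable from any address")
        dc = c.get("datacenter", "")
        if dc != dc.lower():
            problems.append(f"{name}: datacenter is not lowercase (Consul lowercases it)")
    return problems


def render_all(ips, key):
    """Map each server IP to the JSON text of its /etc/consul.d/config.json,
    refusing to render a set that fails check_cluster."""
    configs = [server_config(ip, ips, key) for ip in ips]
    problems = check_cluster(configs)
    if problems:
        raise ValueError("; ".join(problems))
    return {c["bind_addr"]: json.dumps(c, indent=2) for c in configs}


if __name__ == "__main__":
    for ip, text in render_all(SERVER_IPS, gossip_key()).items():
        print(f"# {ip}\n{text}\n")
```

Run it once on an admin host and copy each rendered file to its node; the check also flags the article's own weaker settings (script checks on with an open client_addr, a key that differs between nodes, an uppercase datacenter name, or fewer than three servers).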

Vault configuration

Step 1: Download Vault
Step 2: Unzip the archive and put the binary on the PATH
sudo cp vault /usr/bin/
rm -rf
Step 3: Create the Vault server config file /etc/vault/vault_server.hcl (the path the service file below points at)
sudo mkdir /etc/vault
listener "tcp" {
  address          = ""
  cluster_address  = "{vault_ip_address}:8201"
  tls_disable      = "true"
}

storage "consul" {
  address = ""
  path    = "vault/"
}

api_addr = "http://{vault_ip_address}:8200"
cluster_addr = "http://{vault_ip_address}:8201"
ui = true
Two addresses are left blank above: listener address is the IP and port the API listens on (it has to match api_addr, port 8200) and storage address is the Consul agent Vault talks to, normally a local client agent on port 8500.
tls_disable = "true" means every API call, including the unseal keys and root token printed by vault operator init and every secret read afterwards, crosses the network in clear text. That is acceptable only for a lab; otherwise give the listener tls_cert_file and tls_key_file and switch api_addr and cluster_addr to https. Likewise, Vault encrypts what it stores, but anyone who can reach Consul's API can delete or overwrite it, so in a real deployment enable Consul ACLs and give the storage stanza a token.
Step 4: Create a Vault service file
sudo vim /etc/systemd/system/vault.service

[Unit]
Description=Vault secret management tool

[Service]
ExecStart=/usr/bin/vault server -config=/etc/vault/vault_server.hcl -log-level=debug

-log-level=debug is useful while bringing the node up; switch it to info once it works, since debug logging is very verbose.

Step 5: Start the Vault service
sudo systemctl daemon-reload
sudo systemctl start vault

Vault is now installed. Log in to the Vault node and execute the following commands:

export VAULT_ADDR=http://{vault_ip_address}:8200
vault operator init
export VAULT_TOKEN={vault_token}

vault operator init runs exactly once per cluster: by default it prints five unseal keys and the initial root token, and any three of the keys are needed to unseal. The keys cannot be printed again. Vault starts sealed and seals again on every restart, so the unseal keys are needed every time; the root token is what VAULT_TOKEN above holds and what you log in to the UI with.
After that, open the Vault UI at http://{vault_ip}:8200, unseal it with three of the keys (or run vault operator unseal three times from the CLI) and log in with the root token.
Keep the unseal keys and the root token safe and separate, ideally each key with a different person and none of them in shell history, logs or the repository of this deployment: anyone holding three keys and the token owns every secret in Vault.