Difficulty: beginner
Estimated Time: 10 minutes


A modern system requires access to a multitude of secrets: database credentials, API keys for external services, credentials for service-oriented architecture communication, etc. Vault steps in to provide a centralized secret management system. The next step is to decide how your applications acquire the secrets from Vault.

This guide introduces Consul Template and Envconsul to help you determine if these tools speed up the integration of your applications once secrets are securely managed by Vault.

Consul Template

A stand-alone application that renders data from Consul and Vault onto the target file system. Despite its name, Consul Template does not require a Consul cluster to operate.

Consul Template retrieves secrets from Vault:

  • Manages the acquisition and renewal lifecycle
  • Requires a valid Vault token to operate


Envconsul launches a subprocess with environment variables populated from Consul and Vault. Environment variables are dynamically populated, and applications read those environment variables.


  • Envconsul does not require a Consul cluster to operate
  • Envconsul enables flexibility and portability for applications across systems

NOTE: Both Consul Template and Envconsul are open source tools.

This scenario gave you a quick introduction to leverage Consul Template and Envconsul.


Vault - Direct App Integration

Step 1 of 4

Getting Started

Enter the following command to start the Vault server in development mode.

Click on the command () will automatically copy it into the terminal and execute it.

vault server -dev -dev-root-token-id="root"

Scroll up the Terminal to locate the following output:

==> Vault server configuration:

             Api Address:
                     Cgo: disabled
         Cluster Address:
              Listener 1: tcp (addr: "", cluster address: "", tls: "disabled")
               Log Level: info
                   Mlock: supported: true, enabled: false
                 Storage: inmem
                 Version: Vault v1.0.0
             Version Sha: c19cef14891751a23eaa9b41fd456d1f99e7e856

WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.

When Vault is running in development mode, it runs entirely in-memory that the data does not get persisted. This build-in, pre-configured server is useful for local development, testing and exploration.

Login with root token

Click the + next to the opened Terminal, and select Open New Terminal.

New Terminal

In the Terminal 2, set the VAULT_ADDR environment variable:

export VAULT_ADDR=''

Login with the generated root token.

vault login root

Now, you are logged in as a root and ready to play!