HashiCorp Consul
HashiCorpother5 credentials
Unauthenticated HTTP/DNS/Service Discovery Access
consul / unauthenticated-default
Consul ACL enforcement is disabled until ACLs are enabled and bootstrapped. In ACL-disabled deployments, HTTP API, DNS, service catalog, health, and KV access can be available without an ACL token depending on listener exposure.
Unauthenticated access
open defaultno authentication required- username
- none
- password
- none
Location
Consul HTTP API :8500, DNS :8600, gRPC/API listenersConsul service discovery, catalog, health, KV, and agent endpoints when ACLs are disabled
/etc/consul.d/*.hcl, consul.hclacl.enabled, default_policy, tokens, addresses, ports, and bind/client_addr settings control no-auth exposure
Consul agent startup logs and ACL bootstrap/status output
Notes
This represents no ACL token requirement, not a credential value. Impact depends on whether ACLs are enabled, default policy, bind/client addresses, mesh exposure, and network filtering.
Consul ACL Token
consul / acl-token
Consul ACL tokens authorize service discovery, KV, intentions, service mesh, and administrative operations. Bootstrap and management tokens are especially sensitive.
Looks like
pattern^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$Location
X-Consul-TokenConsul HTTP API ACL token header
/etc/consul.d/*.hcl, consul.hclagent tokens, default tokens, replication tokens, and ACL configuration
CONSUL_HTTP_TOKEN, CONSUL_HTTP_AUTHVault, Kubernetes Secrets, Nomad variables, and CI/CD secret stores
Terraform providers, deployment repos, Helm values, and integration tests
agent logs, API traces, and bootstrap command output
Gossip Encryption Key
consul / gossip-encryption-key
Consul agents can use a shared gossip encryption key to protect LAN/WAN gossip traffic. The key is a cluster-wide secret distributed to agents.
Looks like
pattern^[A-Za-z0-9+/]{32,}={0,2}$Location
/etc/consul.d/*.hclencrypt setting and keyring material
CONSUL_ENCRYPTKubernetes Secrets, Vault, Nomad variables, and configuration vaults
cluster bootstrap scripts and IaC modules
agent startup logs and debug output
TLS Certificate / Private Key
consul / tls-cert-and-private-key
Consul can use TLS for RPC, HTTPS API, and mTLS between agents. Private keys and CA material authenticate agents and clients.
Looks like
pattern-----BEGIN (RSA |EC |ENCRYPTED |)PRIVATE KEY-----Location
/etc/consul.d/, /opt/consul/tls/TLS cert_file, key_file, ca_file, and auto-encrypt settings
Vault PKI, Kubernetes Secrets, and certificate stores
cluster backups, support bundles, and exported CA material
Service Mesh, KV, and Integration Secrets
consul / service-mesh-and-integration-secrets
Consul deployments may store service mesh certificates, Connect CA keys, Consul KV secrets, cloud auto-join credentials, and integration tokens.
Location
Consul state store, KV entries, ACL policies, and Connect CA state
agent configs, service definitions, cloud auto-join settings, and sync integrations
Vault, Kubernetes Secrets, and external secret stores
Connect, ACL, federation, and sync logs
Scope
Authorized use
LOLCreds helps map the credential surface of real products: known defaults, generated values, credential locations, and exposure patterns.