Key/Value (KV) Store Overview
NoteThe Consul KV API, CLI, and UI are now considered feature complete and no new feature development is planned for future releases.
Consul KV is a core feature of Consul and is installed with the Consul agent. Once installed with the agent, it will have reasonable defaults. Consul KV allows users to store indexed objects, though its main uses are storing configuration parameters and metadata. Please note that it is a simple KV store and is not intended to be a full featured datastore (such as DynamoDB) but has some similarities to one.
The Consul KV datastore is located on the servers, but can be accessed by any agent (client or server). The natively integrated RPC functionality allows clients to forward requests to servers, including key/value reads and writes. Part of Consul's core design allows data to be replicated automatically across all the servers. Having a quorum of servers will decrease the risk of data loss if an outage occurs.
If you have not used Consul KV, complete this Getting Started tutorial on HashiCorp.
The KV store can be accessed by the consul kv CLI subcommands, HTTP API, and Consul UI. To restrict access, enable and configure ACLs. Once the ACL system has been bootstrapped, users and services, will need a valid token with KV privileges to access the data store, this includes even reads. We recommend creating a token with limited privileges, for example, you could create a token with write privileges on one key for developers to update the value related to their application.
Objects are opaque to Consul, meaning there are no restrictions on the type of object stored in a key/value entry. The main restriction on an object is size - the maximum is 512 KB. Due to the maximum object size and main use cases, you should not need extra storage; the general sizing recommendations are usually sufficient.
Keys, like objects are not restricted by type and can include any character.
However, we recommend using URL-safe chars -
[a-zA-Z0-9-._~] with the
/, which can be used to help organize data. Note,
/ will be
treated like any other character and is not fixed to the file system. Meaning,
/ in a key does not fix it to a directory structure. This model is
similar to Amazon S3 buckets. However,
/ is still useful for organizing data
and when recursively searching within the data store. We also recommend that
you avoid the use of
% because they can cause issues when
using the API and in shell scripts.
This feature requires HashiCorp Cloud Platform (HCP) or self-managed Consul Enterprise.
You can also use Sentinel as a Policy-as-code framework for defining advanced key-value storage access control policies. Sentinel policies extend the ACL system in Consul beyond static "read", "write", and "deny" policies to support full conditional logic and integration with external systems. Reference the Sentinel documentation for high-level Sentinel concepts.
If you plan to use Consul KV as part of your configuration management process review the Consul Template tutorial on how to update configuration based on value updates in the KV. Consul Template is based on Go Templates and allows for a series of scripted actions to be initiated on value changes to a Consul key.
Consul KV can also be extended with the use of watches. Watches are a way to monitor data for updates. When an update is detected, an external handler is invoked. To use watches with the KV store the key watch type should be used.
Consul sessions can be used to build distributed locks with Consul KV. Sessions
act as a binding layer between nodes, health checks, and key/value data. The KV
API supports an
release operation. The
acquire operation acts
like a Check-And-Set operation. On success, there is a key update and an
increment to the
LockIndex and the session value is updated to reflect the
session holding the lock. Review the session documentation for more information
on the integration.
If you plan to use Consul KV as a backend for Vault, please review this tutorial.