Consul's ACL (Access Control List) system provides fine-grained access control, ensuring that only authorized users and services can access Consul resources.
ACL System Overview
Consul ACL is a token-based access control system with the following core concepts:
- Token: Key used for authentication
- Policy: Set of rules defining access permissions
- Role: Collection of policies for easier management
- Auth Method: External system integration method
- Binding: Association between policies and tokens
ACL Configuration
Enable ACL
# consul.hcl acl = { enabled = true default_policy = "deny" # Default deny all access down_policy = "extend-cache" # Policy when Server unavailable enable_token_persistence = true }
Configuration Parameters
- enabled: Whether to enable ACL
- default_policy: Default policy (deny, read, write)
- down_policy: Policy when Server unavailable (extend-cache, deny, allow)
- enable_token_persistence: Whether to persist tokens
Token Management
Token Types
- Management Token: Has all permissions, similar to root user
- Client Token: Token used by regular services
- Anonymous Token: Default token when no token provided
Create Management Token
# Create at startup consul acl bootstrap # Output example Accessor ID: 00000000-0000-0000-0000-000000000001 Secret ID: 5e4b6e3c-8b7a-4c2d-9e5f-1a2b3c4d5e6f
Create Client Token
# Create policy consul acl policy create -name web-service -rules @web-service.hcl # Create token consul acl token create -description "Web Service Token" -policy-name web-service
Policy
Policy Syntax
# Policy file example # web-service.hcl service_prefix "web" { policy = "write" } service_prefix "" { policy = "read" } key_prefix "config/web" { policy = "write" } node_prefix "" { policy = "read" }
Policy Rule Types
Service Rules
# Specific service service "web" { policy = "write" } # Service prefix service_prefix "web" { policy = "write" } # All services service_prefix "" { policy = "read" }
KV Rules
# Specific key key "config/web/database" { policy = "write" } # Key prefix key_prefix "config/web" { policy = "write" } # All keys key_prefix "" { policy = "read" }
Node Rules
# Specific node node "node1" { policy = "write" } # Node prefix node_prefix "web" { policy = "write" } # All nodes node_prefix "" { policy = "read" }
Agent Rules
agent_prefix "" { policy = "read" } agent "node1" { policy = "write" }
Policy Permission Levels
- deny: Deny access
- read: Read-only access
- write: Read and write access
Role
Create Role
# Create role consul acl role create -name web-admin -description "Web Service Admin" # Add policy to role consul acl role update -name web-admin -policy-name web-service
Create Token Using Role
# Create token using role consul acl token create -description "Web Admin Token" -role-name web-admin
Auth Method
Kubernetes Authentication
# Create Kubernetes auth method consul acl auth-method create -name kubernetes -type kubernetes \ -config @k8s-config.json
// k8s-config.json { "Host": "https://kubernetes.default.svc", "CACert": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----", "ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." }
JWT Authentication
# Create JWT auth method consul acl auth-method create -name jwt -type jwt \ -config @jwt-config.json
// jwt-config.json { "BoundAudiences": ["consul"], "ClaimMappings": { "sub": "Name" }, "JWTValidationPubKeys": ["-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"] }
Token Usage
Configure Agent Token
# consul.hcl acl = { enabled = true tokens = { master = "5e4b6e3c-8b7a-4c2d-9e5f-1a2b3c4d5e6f" agent = "7f5c7d4d-9c8b-5d3e-0f6g-2b3c4d5e6f7g" default = "8g6d8e5e-0d9c-6e4f-1g7h-3c4d5e6f7g8h" } }
API Usage with Token
# Query service using token curl -H "X-Consul-Token: 5e4b6e3c-8b7a-4c2d-9e5f-1a2b3c4d5e6f" \ http://localhost:8500/v1/catalog/services # Register service using token curl -X PUT -H "X-Consul-Token: 5e4b6e3c-8b7a-4c2d-9e5f-1a2b3c4d5e6f" \ -d '{"ID": "web1", "Name": "web", "Port": 8080}' \ http://localhost:8500/v1/agent/service/register
Environment Variables
# Set environment variable export CONSUL_HTTP_TOKEN=5e4b6e3c-8b7a-4c2d-9e5f-1a2b3c4d5e6f # Use environment variable consul catalog services
Best Practices
1. Principle of Least Privilege
# Only grant necessary permissions service "web" { policy = "write" } key_prefix "config/web" { policy = "read" }
2. Use Role Management
# Create different role policies consul acl role create -name read-only consul acl role create -name write-only consul acl role create -name admin
3. Regular Token Rotation
# Create new token consul acl token create -policy-name web-service # Update application configuration to use new token # Delete old token consul acl token delete -id <old-token-id>
4. Use ACL Replication
# Configure ACL replication acl = { enabled = true tokens = { replication = "5e4b6e3c-8b7a-4c2d-9e5f-1a2b3c4d5e6f" } }
Monitoring and Auditing
Audit Logs
# Enable audit logs audit { enabled = true sink "file" { path = "/var/log/consul/audit.log" format = "json" } }
Monitor ACL Metrics
# View ACL related metrics curl http://localhost:8500/v1/agent/metrics | grep acl
Troubleshooting
Common Issues
- Permission Denied: Check token permissions
- Token Expired: Update token
- ACL Not Enabled: Check configuration
Debug Commands
# Verify token permissions consul acl token read -accessor <accessor-id> # Test policy consul acl policy read -name web-service
Consul ACL provides powerful access control capabilities and is an important component for securing Consul clusters. Proper ACL configuration can effectively prevent unauthorized access and data leakage.