Introduction
Consul uses Access Control Lists (ACLs) to secure the UI, API, CLI, service communications, and agent communications. When securing your cluster you should configure the ACLs first. At the core, ACLs operate by grouping rules into policies, then associating one or more policies with a token. The following guide aims to provide policies to serve as a template for frequently utilized components and features of Consul.
Agent Policy
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
Snapshot Agent Policy
# used for snapshot agent leader election
key_prefix "" {
  policy = "write"
}
# used for registering the snapshot agent service
service_prefix "" {
  policy = "write"
}
# used for snapshot agent leader election
session_prefix "" {
  policy = "write"
}
# used for registering the snapshot agent node
node_prefix "" {
  policy = "write"
}
acl = "write"
External Service Monitor (ESM)
agent_prefix "" {
  policy = "read"
}
key_prefix "consul-esm/" {
  policy = "write"
}
node_prefix "" {
  policy = "write"
}
service_prefix "" {
  policy = "write"
}
session_prefix "" {
  policy = "write"
}
operator = "read"
Replication Policy (Multiple Datacenters)
Consul OSS
acl = "write"
operator = "write"
service_prefix "" {
  policy = "read"
  intentions = "read"
}
Consul Enterprise
acl = "write"
operator = "write"
service_prefix "" {
  policy = "read"
  intentions = "read"
}
namespace_prefix "" {
  acl = "write"
  service_prefix "" {
    policy = "read"
    intentions = "read"
  }
}
Recommendation
The above policies are meant to be used as templates only and do not include environment-specific recommendations. For example, an exact-match resource rule is the most secure option: it grants only the privileges necessary to accomplish the intended task. Generally, creating policies and tokens with the least privileges will result in more policy definitions. Alternatively, for a simplified process, prefix resource rules can apply to zero-to-many objects. The trade-off of a less complicated token creation process is a wider potential blast radius if a token or workload is compromised. It is recommended to review the Manage ACL Policies document listed in the Additional Information section of this article for more detailed information, and to modify the policies per your organization's security guidelines and policies.
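To make the exact-match versus prefix trade-off concrete, the following added example (not Consul's code, and not part of the original article) models Consul's documented rule precedence for node and service resources, where an exact rule beats any prefix rule and the longest matching prefix wins. It compares the Agent Policy above with a constructed variant that scopes the node rule to a single node name, "web-01"; rules are written as Python tuples rather than HCL so the example runs stand-alone.

```python
"""Toy evaluator of Consul-style ACL rules for node/service resources.

Added example, not Consul's own implementation. Precedence modelled:
exact rule (node "name") > prefix rule (node_prefix "p"); among prefix
rules the longest matching prefix wins; anything unmatched is denied.
"""
from typing import Iterable, List, Optional, Tuple

# (resource_type, "exact" | "prefix", name_or_prefix, policy)
Rule = Tuple[str, str, str, str]

LEVELS = {"deny": 0, "read": 1, "write": 2}


def resolve(rules: Iterable[Rule], resource: str, name: str) -> str:
    """Effective policy ("deny"/"read"/"write") for one named resource."""
    exact: Optional[str] = None
    best: Optional[Tuple[int, str]] = None  # (prefix length, policy)
    for rtype, kind, key, policy in rules:
        if rtype != resource:
            continue
        if kind == "exact" and key == name:
            exact = policy
        elif kind == "prefix" and name.startswith(key):
            if best is None or len(key) > best[0]:
                best = (len(key), policy)
    if exact is not None:
        return exact
    return best[1] if best is not None else "deny"


def allows(rules: Iterable[Rule], resource: str, name: str, want: str) -> bool:
    """True if the resolved policy grants at least the requested level."""
    return LEVELS[resolve(rules, resource, name)] >= LEVELS[want]


# The article's Agent Policy: node_prefix "" write, service_prefix "" read.
AGENT_TEMPLATE: List[Rule] = [
    ("node", "prefix", "", "write"),
    ("service", "prefix", "", "read"),
]

# Constructed least-privilege variant for the agent running on node "web-01".
AGENT_EXACT: List[Rule] = [
    ("node", "exact", "web-01", "write"),
    ("service", "prefix", "", "read"),
]


def blast_radius(rules: Iterable[Rule], resource: str,
                 names: Iterable[str], want: str = "write") -> List[str]:
    """Names the token holder could modify if the token were compromised."""
    return [n for n in names if allows(rules, resource, n, want)]
```

With the constructed node list `["web-01", "web-02", "consul-server-1"]`, `blast_radius(AGENT_TEMPLATE, "node", ...)` returns all three nodes, while `blast_radius(AGENT_EXACT, "node", ...)` returns only `["web-01"]`.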
Additional Information
The following documents contain detailed information on Consul ACL configuration.