I'm trying to understand the Consul ACL system, and it looks impossible to create an ACL that allows access to some key only by token when the default policy is "allow":
user@server01:~$ cat /etc/consul/conf.d/acl.json
{
  "acl_datacenter": "dc-example-com",
  "acl_master_token": "00000000-1111-2222-3333-444444444444",
  "acl_default_policy": "allow",
  "acl_down_policy": "allow"
}
I created a client rule in ACL Rules:
key "group1/" {
  policy = "write"
}
I want Consul to allow writes to v1/kv/group1/* only via the token I got from my new rule.
It's too hard to just change default_policy to deny, because this is production.
Looks like I've found the workaround:
Anonymous token:
key "group1/" {
  policy = "deny"
}
acl_group1_allow:
key "group1/" {
  policy = "write"
}
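To show why the deny rule on the anonymous token is what makes this workaround hold, here is a small model of how the legacy Consul ACL system (the acl_default_policy / acl_master_token era in the config above) decides a KV operation. This is an added example, not code from the original post or from Consul; it assumes that key rules match by longest prefix, that a request without a token is evaluated as the anonymous token, and that an unmatched key falls through to acl_default_policy. The rule text is a constructed sample.

```python
import re

ACL_DEFAULT_POLICY = "allow"  # as in acl.json above


def parse_key_rules(rules: str) -> dict:
    """Parse legacy `key "prefix" { policy = "..." }` blocks into {prefix: policy}."""
    pat = r'key\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(read|write|deny)"\s*\}'
    return {prefix: policy for prefix, policy in re.findall(pat, rules)}


# Constructed sample: the rules carried by the anonymous token and by acl_group1_allow
TOKENS = {
    "anonymous": parse_key_rules('key "group1/" {\n  policy = "deny"\n}'),
    "acl_group1_allow": parse_key_rules('key "group1/" {\n  policy = "write"\n}'),
}


def effective_policy(key: str, rules: dict) -> str:
    """Longest matching prefix wins; no match falls through to the default policy."""
    matches = [prefix for prefix in rules if key.startswith(prefix)]
    if not matches:
        return ACL_DEFAULT_POLICY  # "allow" here means read and write are both permitted
    return rules[max(matches, key=len)]


def kv_write_allowed(key: str, rules: dict) -> bool:
    return effective_policy(key, rules) in ("write", "allow")


def kv_read_allowed(key: str, rules: dict) -> bool:
    return effective_policy(key, rules) in ("read", "write", "allow")


if __name__ == "__main__":
    # Before the workaround the anonymous token has no rules, so default "allow" wins
    print(kv_write_allowed("group1/db/password", {}))                    # True
    # After it, anonymous writes under group1/ are denied, the new token can still write,
    # and keys outside group1/ keep the default behaviour
    print(kv_write_allowed("group1/db/password", TOKENS["anonymous"]))   # False
    print(kv_write_allowed("group1/db/password", TOKENS["acl_group1_allow"]))  # True
    print(kv_write_allowed("group2/config", TOKENS["anonymous"]))        # True
```

Note that "deny" on the anonymous token also blocks anonymous reads under group1/; if anonymous reads should stay open, give the anonymous rule policy = "read" instead.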