aclconsulconsul-kv

How to create consul ACL that allow access to kv-group only by token?


I'm trying to understand Consul ACL system and it's looks impossible to create ACL that allow acces to some key only by token with default policy "allow":

user@server01:~$ cat /etc/consul/conf.d/acl.json 
{
  "acl_datacenter": "dc-example-com",
  "acl_master_token": "00000000-1111-2222-3333-444444444444",
  "acl_default_policy": "allow",
  "acl_down_policy": "allow"
}

I created client rule in ACL Rules:

key "group1/" {
  policy = "write"
}

I want consul to enable writings in v1/kv/group1/* only via token I've got by my new rule.

It's to hard just to change default_policy to deny, because it is production.


Solution

  • Looks like, I've found the workaround:

    Anonymous token:
    key "group1/" {
        policy = "deny"
    }
    
    acl_group1_allow:
        key "group1/" {
            policy = "write"
        }