Tags: policy, consul, vault

Can we use a wildcard in a Consul policy for node or service?


I am trying to set up a Consul-backed Vault cluster. My Consul cluster is working fine; however, when I am setting up my Vault Consul agent, I need to give it an agent token with a policy that has write access on the node.

Basically, I want my Vault Consul agents to be able to register nodes only with names starting with "vault-".

For this I tried the policy below:

agent_prefix "" {
  policy = "write"
}
node "vault-*" {
  policy = "write"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
session_prefix "" {
  policy = "read"
}

And in my Consul config I gave node_name=vault-0/1/2.

I tried using a wildcard in my policy for write access to a specific node name and read for all, but I am getting the error below:

agent: Coordinate update blocked by ACLs: accessorID=3db5e2e7-3264-50a9-c8f1-a5c955c5bec0

Actually, I want my agents to be able to register their nodes with specific names only, so that I can identify them. And for each service there will be a separate agent token with a specific policy.


Solution

  • Consul's ACL system supports defining two types of rules: prefix-based rules and exact-matching rules. Per https://www.consul.io/docs/security/acl/acl-rules#rule-specification,

    When using prefix-based rules, the most specific prefix match determines the action. This allows for flexible rules like an empty prefix to allow read-only access to all resources, along with some specific prefixes that allow write access or that are denied all access. Exact matching rules will only apply to the exact resource specified.

    When creating a token for the Consul agents which are co-located with the Vault servers, you can use the following policy.

    ## consul-agent-policy.hcl
    
    # Allow the agent write access to agent APIs on nodes starting with the name 'vault-'.
    agent_prefix "vault-" {
      policy = "write"
    }
    
    # Allow registering a node into the catalog if the name starts with 'vault-'
    node_prefix "vault-" {
      policy = "write"
    }
    
    # Allow the node to resolve any service in the datacenter
    service_prefix "" {
      policy = "read"
    }
    

    You should not need node:read or session:read privileges for the Consul agents, so I have removed those from the example policy.

    In Consul 1.8.1+ you can simplify this further by using node identities, which eliminate the need to create node-specific ACL policies if you want to lock down the token's policy so that it can only register a specific node name (e.g., vault-01).

    $ consul acl token create -node-identity=vault-01:dc1
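The following is an added example, not code from the question, the answer, or Consul itself. It simulates the two matching semantics the answer cites (an exact rule applies only to the literally identical resource name; among prefix rules the longest matching prefix decides; no matching rule means deny) over a small HCL subset, and runs both policies from this thread through it. It shows why the question's `node "vault-*"` rule never grants write access to a node named vault-0 (the `*` is a literal character in an exact rule, so vault-0 falls through to `node_prefix ""` and gets read, which is consistent with the coordinate update being blocked), while the answer's `node_prefix "vault-"` does. The parser only understands blocks with a single `policy = "..."` attribute; it is not Consul's own ACL engine.

```python
"""Simulate how Consul ACL rule matching resolves a resource's access level.

Constructed example: a minimal re-implementation of the documented semantics
(exact rules match only the identical name; most specific prefix wins; default
deny). It is not Consul's code and handles only the HCL subset seen here.
"""
import re
from dataclasses import dataclass
from typing import List

# Matches one rule block such as:  node_prefix "vault-" { policy = "write" }
# Comment lines (starting with '#') never match and are skipped.
RULE_RE = re.compile(
    r'^\s*([a-z]+)(_prefix)?\s+"([^"]*)"\s*\{\s*policy\s*=\s*"([a-z]+)"\s*\}',
    re.MULTILINE,
)


@dataclass(frozen=True)
class Rule:
    kind: str        # resource type: agent, node, service, session, ...
    is_prefix: bool  # True for *_prefix rules, False for exact rules
    name: str        # prefix, or the exact resource name
    policy: str      # read, write, deny


def parse_policy(text: str) -> List[Rule]:
    """Parse the HCL subset used here into Rule objects."""
    return [
        Rule(kind, suffix == "_prefix", name, policy)
        for kind, suffix, name, policy in RULE_RE.findall(text)
    ]


def resolve(rules: List[Rule], kind: str, name: str) -> str:
    """Return the effective policy for one resource of the given kind."""
    for rule in rules:
        # An exact rule only ever matches the literally identical name,
        # so node "vault-*" matches a node called "vault-*" and nothing else.
        if rule.kind == kind and not rule.is_prefix and rule.name == name:
            return rule.policy
    candidates = [
        r for r in rules if r.kind == kind and r.is_prefix and name.startswith(r.name)
    ]
    if not candidates:
        return "deny"  # no rule covers this resource: default deny
    # Most specific prefix wins, so node_prefix "vault-" overrides node_prefix "".
    return max(candidates, key=lambda r: len(r.name)).policy


# The policy from the question (verbatim rules, constructed as a string here).
ASKER_POLICY = """
agent_prefix "" { policy = "write" }
node "vault-*" { policy = "write" }
node_prefix "" { policy = "read" }
service_prefix "" { policy = "read" }
session_prefix "" { policy = "read" }
"""

# The policy from the answer (comments included to show they are ignored).
ANSWER_POLICY = """
# Allow the agent write access to agent APIs on nodes starting with 'vault-'.
agent_prefix "vault-" {
  policy = "write"
}
# Allow registering a node into the catalog if the name starts with 'vault-'
node_prefix "vault-" {
  policy = "write"
}
# Allow the node to resolve any service in the datacenter
service_prefix "" {
  policy = "read"
}
"""


def node_access(policy_text: str, node_name: str) -> str:
    """Convenience wrapper: effective node policy for one node name."""
    return resolve(parse_policy(policy_text), "node", node_name)


if __name__ == "__main__":
    for label, text in (("question policy", ASKER_POLICY), ("answer policy", ANSWER_POLICY)):
        for node in ("vault-0", "vault-*", "web-1"):
            print(f"{label}: node {node!r} -> {node_access(text, node)}")
```

Running the module prints the effective node policy for vault-0, the literal name vault-*, and an unrelated node under each policy; only the answer's policy yields write for vault-0 while still denying web-1.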