I'm trying to understand the Consul ACL system, and it looks impossible to create an ACL that allows access to some key only by token with default policy "allow":

user@server01:~$ cat /etc/consul/conf.d/acl.json 
{
  "acl_datacenter": "dc-example-com",
  "acl_master_token": "00000000-1111-2222-3333-444444444444",
  "acl_default_policy": "allow",
  "acl_down_policy": "allow"
}

I created a client rule in ACL Rules:

key "group1/" {
  policy = "write"
}

I want Consul to enable writes in v1/kv/group1/* only via the token I got from my new rule.

It's too hard to just change default_policy to deny, because it is production.

Sergio

1 Answer

Looks like I've found a workaround:

Anonymous token:

key "group1/" {
  policy = "deny"
}

acl_group1_allow:

key "group1/" {
  policy = "write"
}

Sergio
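
Added example, not part of the original answer: a simplified Python model of how the key rules above combine with `acl_default_policy`, showing which tokens the workaround actually restricts. The token `other_app` and the key names are constructed, and the model assumes longest-prefix matching with fallback to the default policy when a token has no rule for the key.

```python
# Simplified model of Consul legacy ACL key checks (an assumption-labelled
# sketch, not Consul's code): the longest matching key-prefix rule wins, and
# a token with no matching rule falls back to acl_default_policy.

DEFAULT_POLICY = "allow"  # acl_default_policy from the question's acl.json

# Constructed token table. "anonymous" is used when a request carries no
# token; "other_app" is a hypothetical pre-existing token.
TOKENS = {
    "anonymous": {"group1/": "deny"},          # workaround rule
    "acl_group1_allow": {"group1/": "write"},  # dedicated token
    "other_app": {"app/": "write"},            # no rule for group1/
}


def effective_policy(token, key):
    """Return 'write', 'read' or 'deny' for this token on this KV key."""
    rules = TOKENS[token or "anonymous"]
    matches = [prefix for prefix in rules if key.startswith(prefix)]
    if matches:
        # Most specific (longest) prefix decides.
        return rules[max(matches, key=len)]
    # No rule for this key: the default policy decides.
    return "write" if DEFAULT_POLICY == "allow" else "deny"


def can_write(token, key):
    return effective_policy(token, key) == "write"


def tokens_that_can_write(key):
    """Audit helper: every named token that may write to this key."""
    return sorted(t for t in TOKENS if can_write(t, key))


if __name__ == "__main__":
    for tok in (None, "acl_group1_allow", "other_app"):
        print(tok, "->", can_write(tok, "group1/config"))
    print("writers:", tokens_that_can_write("group1/config"))
```

Under these assumptions a token without its own `group1/` rule still writes there through the default allow, so each pre-existing token needs the same deny rule for the restriction to hold.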