Skip to content
This repository has been archived by the owner on Jul 27, 2023. It is now read-only.
Chris Aubuchon edited this page Feb 5, 2016 · 5 revisions

Consul /acl endpoint

Subcommand Synopsis
clone Create a new token from an existing one
create Create an ACL. Requires a management token
destroy Destroy an ACL
info Query information about an ACL token
list List all active ACL tokens
update Update an ACL. Will be created if it doesn't exist

clone

API Reference

Create a new ACL token from an existing token. The request is automatically forwarded to the authoritative ACL datacenter so the --datacenter command line option not present.

Basic Usage

Usage: consul-cli acl clone [options] token 

Examples:

$ ./consul-cli acl clone d414c3e6-c498-64fa-5a2e-1a942425a410
9c0ac7d1-9a90-f5be-3b21-bf21e1c2c9b7

create

API Reference

Create a new ACL token with the given policy. A management token must be supplied in CONSUL_HTTP_TOKEN or via --token.

Basic Usage

consul-cli acl create [options]

Command Line Options

  • --management
    When true, create a token that can manage ACLs. Default is false

  • --name
    Opaque to Consul, this should be a meaningful indicator of the ACL's purpose

  • --rule
    Policy rules for the ACL token. See Consul ACL System for details on ACL rules. The rule is of the form type:path:policy where type is one of key or service. The path can be blank which then affects all services or all keys. policy is one of read, write or deny.

Rule examples

--rule='key:test/node:read'

Gives the token read access to the /v1/kv/test/node/ tree

--rule='service:secure-:read'

Gives the token read access to all services prefixed with secure-

Examples

$ ./consul-cli acl create --name='test acl' --rule='key:test/node:deny'
d414c3e6-c498-64fa-5a2e-1a942425a410

$ ./consul-cli kv write --token=d414c3e6-c498-64fa-5a2e-1a942425a410 test/node Testing
Unexpected response code: 403 (Permission denied)

destroy

API Reference

Destroys the given token. A management token must be provided via CONSUL_HTTP_TOKEN or --token

Basic Usage

Usage: consul-cli acl destroy [options] token

Examples

$ ./consul-cli acl destroy d414c3e6-c498-64fa-5a2e-1a942425a410
$

info

API Reference

Queries the policy of a given token. A management token must be provided via CONSUL_HTTP_TOKEN or --token

Basic Usage

Usage: consul-cli acl info [options] token

Examples

$ ./consul-cli acl info d414c3e6-c498-64fa-5a2e-1a942425a410
{
  "CreateIndex": 98,
  "ModifyIndex": 98,
  "ID": "d414c3e6-c498-64fa-5a2e-1a942425a410",
  "Name": "test acl",
  "Type": "client",
  "Rules": "{\"key\":{\"test/node\":{\"Policy\":\"deny\"}}}"
}

list

API Reference

List all of the active tokens. A management token must be provided via CONSUL_HTTP_TOKEN or --token

Basic Usage

Usage: consul-cli acl list [options]

Examples

$ ./consul-cli acl list --token=ccc67226-2462-4804-b944-4d728c7bad03
[
  {
    "CreateIndex": 112,
    "ModifyIndex": 112,
    "ID": "9c0ac7d1-9a90-f5be-3b21-bf21e1c2c9b7",
    "Name": "test acl",
    "Type": "client",
    "Rules": "{\"key\":{\"test/node\":{\"Policy\":\"deny\"}}}"
  },
  {
    "CreateIndex": 3,
    "ModifyIndex": 3,
    "ID": "anonymous",
    "Name": "Anonymous Token",
    "Type": "client",
    "Rules": ""
  },
  {
    "CreateIndex": 98,
    "ModifyIndex": 98,
    "ID": "d414c3e6-c498-64fa-5a2e-1a942425a410",
    "Name": "test acl",
    "Type": "client",
    "Rules": "{\"key\":{\"test/node\":{\"Policy\":\"deny\"}}}"
  }
]

update

API Reference

Updates the policy of a token. A management token must be provided via CONSUL_HTTP_TOKEN or --token

Basic Usage

Usage: consul-cli acl update [options] token

Command Line Options

  • --management
    When true, create a token that can manage ACLs. Default is false

  • --name
    Opaque to Consul, this should be a meaningful indicator of the ACL's purpose

  • --rule
    Policy rules for the ACL token. See Consul ACL System for details on ACL rules. The rule is of the form type:path:policy where type is one of key or service. The path can be blank which then affects all services or all keys. policy is one of read, write or deny.

Rule examples

--rule='key:test/node:read'

Gives the token read access to the /v1/kv/test/node/ tree

--rule='service:secure-:read'

Gives the token read access to all services prefixed with secure-

Examples

$ ./consul-cli acl update --rule='key:test/node:deny' \
    --rule='key:test/node/insecure:write' 9c0ac7d1-9a90-f5be-3b21-bf21e1c2c9b7

$ ./consul-cli kv write --token=9c0ac7d1-9a90-f5be-3b21-bf21e1c2c9b7 test/node/insecure Testing

$ ./consul-cli kv read --token=9c0ac7d1-9a90-f5be-3b21-bf21e1c2c9b7 test/node/insecure 
Testing
Clone this wiki locally