2018-05-29 21:07:40 +00:00
---
2020-04-07 18:55:19 +00:00
layout: docs
2022-09-13 20:48:39 +00:00
page_title: Service Mesh Debugging
2020-04-07 18:55:19 +00:00
description: >-
2022-09-16 15:28:32 +00:00
Use the `consul connect proxy` command to connect to services or masquerade as other services for development and debugging purposes. Example code demonstrates connecting to services that are part of the service mesh as listeners only.
2018-05-29 21:07:40 +00:00
---
2022-09-13 20:48:39 +00:00
# Service Mesh Debugging
2018-05-29 21:07:40 +00:00
It is often necessary to connect to a service for development or debugging.
2023-05-05 17:41:40 +00:00
If a service only exposes a service mesh listener, then we need a way to establish
2018-05-29 21:07:40 +00:00
a mutual TLS connection to the service. The
2023-01-25 16:52:43 +00:00
[`consul connect proxy` command](/consul/commands/connect/proxy) can be used
2018-05-29 21:07:40 +00:00
for this task on any machine with access to a Consul agent (local or remote).
2023-05-08 17:30:48 +00:00
Restricting access to services only via service mesh ensures that the only way to
2018-05-29 21:07:40 +00:00
connect to a service is through valid authorization of the
2023-01-25 16:52:43 +00:00
[intentions](/consul/docs/connect/intentions). This can extend to developers
2018-05-29 21:07:40 +00:00
and operators, too.
2023-05-05 17:41:40 +00:00
## Connecting to Mesh-only Services
2018-05-29 21:07:40 +00:00
As an example, let's assume that we have a PostgreSQL database running that
we want to connect to via `psql`, but the only non-loopback listener is
via Connect. Let's also assume that we have an ACL token to identify as
`operator-mitchellh`. We can start a local proxy:
2020-05-19 18:32:38 +00:00
```shell-session
2018-05-29 21:07:40 +00:00
$ consul connect proxy \
-service operator-mitchellh \
-upstream postgresql:8181
```
This works because the source `-service` does not need to be registered
in the local Consul catalog. However, to retrieve a valid identifying
certificate, the ACL token must have `service:write` permissions. This
2020-06-24 12:26:01 +00:00
can be used as a sort of "debug service" to represent people, too. In
2018-05-29 21:07:40 +00:00
the example above, the proxy is identifying as `operator-mitchellh`.
With the proxy running, we can now use `psql` like normal:
2020-05-19 18:32:38 +00:00
```shell-session
2022-01-12 23:05:01 +00:00
$ psql --host=127.0.0.1 --port=8181 --username=mitchellh mydb
2018-05-29 21:07:40 +00:00
>
```
This `psql` session is now happening through our local proxy via an
authorized mutual TLS connection to the PostgreSQL service in our Consul
catalog.
### Masquerading as a Service
You can also easily masquerade as any source service by setting the
`-service` value to any service. Note that the proper ACL permissions are
required to perform this task.
For example, if you have an ACL token that allows `service:write` for
`web` and you want to connect to the `postgresql` service as "web", you
can start a proxy like so:
2020-05-19 18:32:38 +00:00
```shell-session
2018-05-29 21:07:40 +00:00
$ consul connect proxy \
-service web \
-upstream postgresql:8181
```