mirror of https://github.com/status-im/consul.git
docs: add documentation for all secure acl introduction work (#5640)
This commit is contained in:
parent
e31c285565
commit
c649243f7c
|
@ -35,11 +35,11 @@ Usage: consul acl <subcommand> [options] [args]
|
||||||
|
|
||||||
$ consul acl bootstrap
|
$ consul acl bootstrap
|
||||||
|
|
||||||
List all ACL Tokens:
|
List all ACL tokens:
|
||||||
|
|
||||||
$ consul acl token list
|
$ consul acl token list
|
||||||
|
|
||||||
Create a new ACL Policy:
|
Create a new ACL policy:
|
||||||
|
|
||||||
$ consul acl policy create -name "new-policy" \
|
$ consul acl policy create -name "new-policy" \
|
||||||
-description "This is an example policy" \
|
-description "This is an example policy" \
|
||||||
|
|
|
@ -23,11 +23,11 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(help, nil)
|
return flags.Usage(help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Manage Consul's ACL Auth Methods"
|
const synopsis = "Manage Consul's ACL auth methods"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl auth-method <subcommand> [options] [args]
|
Usage: consul acl auth-method <subcommand> [options] [args]
|
||||||
|
|
||||||
This command has subcommands for managing Consul's ACL Auth Methods.
|
This command has subcommands for managing Consul's ACL auth methods.
|
||||||
Here are some simple examples, and more detailed examples are available in
|
Here are some simple examples, and more detailed examples are available in
|
||||||
the subcommands or the documentation.
|
the subcommands or the documentation.
|
||||||
|
|
||||||
|
|
|
@ -45,7 +45,7 @@ func (c *cmd) init() {
|
||||||
"meta",
|
"meta",
|
||||||
false,
|
false,
|
||||||
"Indicates that auth method metadata such "+
|
"Indicates that auth method metadata such "+
|
||||||
"as the content hash and raft indices should be shown for each entry.",
|
"as the raft indices should be shown for each entry.",
|
||||||
)
|
)
|
||||||
|
|
||||||
c.flags.StringVar(
|
c.flags.StringVar(
|
||||||
|
@ -86,7 +86,7 @@ func (c *cmd) init() {
|
||||||
&c.k8sServiceAccountJWT,
|
&c.k8sServiceAccountJWT,
|
||||||
"kubernetes-service-account-jwt",
|
"kubernetes-service-account-jwt",
|
||||||
"",
|
"",
|
||||||
"A kubernetes service account JWT used to access the TokenReview API to "+
|
"A Kubernetes service account JWT used to access the TokenReview API to "+
|
||||||
"validate other JWTs during login. "+
|
"validate other JWTs during login. "+
|
||||||
"This flag is required for type=kubernetes.",
|
"This flag is required for type=kubernetes.",
|
||||||
)
|
)
|
||||||
|
@ -170,7 +170,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Create an ACL Auth Method"
|
const synopsis = "Create an ACL auth method"
|
||||||
|
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl auth-method create -name NAME -type TYPE [options]
|
Usage: consul acl auth-method create -name NAME -type TYPE [options]
|
||||||
|
|
|
@ -72,7 +72,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Delete an ACL Auth Method"
|
const synopsis = "Delete an ACL auth method"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl auth-method delete -name NAME [options]
|
Usage: consul acl auth-method delete -name NAME [options]
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@ func (c *cmd) init() {
|
||||||
"meta",
|
"meta",
|
||||||
false,
|
false,
|
||||||
"Indicates that auth method metadata such "+
|
"Indicates that auth method metadata such "+
|
||||||
"as the content hash and raft indices should be shown for each entry.",
|
"as the raft indices should be shown for each entry.",
|
||||||
)
|
)
|
||||||
|
|
||||||
c.http = &flags.HTTPFlags{}
|
c.http = &flags.HTTPFlags{}
|
||||||
|
@ -73,7 +73,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Lists ACL Auth Methods"
|
const synopsis = "Lists ACL auth methods"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl auth-method list [options]
|
Usage: consul acl auth-method list [options]
|
||||||
|
|
||||||
|
|
|
@ -34,7 +34,7 @@ func (c *cmd) init() {
|
||||||
"meta",
|
"meta",
|
||||||
false,
|
false,
|
||||||
"Indicates that auth method metadata such "+
|
"Indicates that auth method metadata such "+
|
||||||
"as the content hash and raft indices should be shown for each entry.",
|
"as the raft indices should be shown for each entry.",
|
||||||
)
|
)
|
||||||
|
|
||||||
c.flags.StringVar(
|
c.flags.StringVar(
|
||||||
|
@ -86,7 +86,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Read an ACL Auth Method"
|
const synopsis = "Read an ACL auth method"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl auth-method read -name NAME [options]
|
Usage: consul acl auth-method read -name NAME [options]
|
||||||
|
|
||||||
|
|
|
@ -46,7 +46,7 @@ func (c *cmd) init() {
|
||||||
"meta",
|
"meta",
|
||||||
false,
|
false,
|
||||||
"Indicates that auth method metadata such "+
|
"Indicates that auth method metadata such "+
|
||||||
"as the content hash and raft indices should be shown for each entry.",
|
"as the raft indices should be shown for each entry.",
|
||||||
)
|
)
|
||||||
|
|
||||||
c.flags.StringVar(
|
c.flags.StringVar(
|
||||||
|
@ -82,7 +82,7 @@ func (c *cmd) init() {
|
||||||
&c.k8sServiceAccountJWT,
|
&c.k8sServiceAccountJWT,
|
||||||
"kubernetes-service-account-jwt",
|
"kubernetes-service-account-jwt",
|
||||||
"",
|
"",
|
||||||
"A kubernetes service account JWT used to access the TokenReview API to "+
|
"A Kubernetes service account JWT used to access the TokenReview API to "+
|
||||||
"validate other JWTs during login. "+
|
"validate other JWTs during login. "+
|
||||||
"This flag is required for type=kubernetes.",
|
"This flag is required for type=kubernetes.",
|
||||||
)
|
)
|
||||||
|
@ -202,7 +202,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Update an ACL Auth Method"
|
const synopsis = "Update an ACL auth method"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl auth-method update -name NAME [options]
|
Usage: consul acl auth-method update -name NAME [options]
|
||||||
|
|
||||||
|
|
|
@ -23,11 +23,11 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(help, nil)
|
return flags.Usage(help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Manage Consul's ACL Binding Rules"
|
const synopsis = "Manage Consul's ACL binding rules"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl binding-rule <subcommand> [options] [args]
|
Usage: consul acl binding-rule <subcommand> [options] [args]
|
||||||
|
|
||||||
This command has subcommands for managing Consul's ACL Binding Rules. Here
|
This command has subcommands for managing Consul's ACL binding rules. Here
|
||||||
are some simple examples, and more detailed examples are available in the
|
are some simple examples, and more detailed examples are available in the
|
||||||
subcommands or the documentation.
|
subcommands or the documentation.
|
||||||
|
|
||||||
|
|
|
@ -39,7 +39,7 @@ func (c *cmd) init() {
|
||||||
"meta",
|
"meta",
|
||||||
false,
|
false,
|
||||||
"Indicates that binding rule metadata such "+
|
"Indicates that binding rule metadata such "+
|
||||||
"as the content hash and raft indices should be shown for each entry.",
|
"as the raft indices should be shown for each entry.",
|
||||||
)
|
)
|
||||||
|
|
||||||
c.flags.StringVar(
|
c.flags.StringVar(
|
||||||
|
@ -133,7 +133,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Create an ACL Binding Rule"
|
const synopsis = "Create an ACL binding rule"
|
||||||
|
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl binding-rule create [options]
|
Usage: consul acl binding-rule create [options]
|
||||||
|
|
|
@ -81,7 +81,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Delete an ACL Binding Rule"
|
const synopsis = "Delete an ACL binding rule"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl binding-rule delete -id ID [options]
|
Usage: consul acl binding-rule delete -id ID [options]
|
||||||
|
|
||||||
|
|
|
@ -34,7 +34,7 @@ func (c *cmd) init() {
|
||||||
"meta",
|
"meta",
|
||||||
false,
|
false,
|
||||||
"Indicates that binding rule metadata such "+
|
"Indicates that binding rule metadata such "+
|
||||||
"as the content hash and raft indices should be shown for each entry.",
|
"as the raft indices should be shown for each entry.",
|
||||||
)
|
)
|
||||||
|
|
||||||
c.flags.StringVar(
|
c.flags.StringVar(
|
||||||
|
@ -82,7 +82,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Lists ACL Binding Rules"
|
const synopsis = "Lists ACL binding rules"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl binding-rule list [options]
|
Usage: consul acl binding-rule list [options]
|
||||||
|
|
||||||
|
|
|
@ -34,7 +34,7 @@ func (c *cmd) init() {
|
||||||
"meta",
|
"meta",
|
||||||
false,
|
false,
|
||||||
"Indicates that binding rule metadata such "+
|
"Indicates that binding rule metadata such "+
|
||||||
"as the content hash and raft indices should be shown for each entry.",
|
"as the raft indices should be shown for each entry.",
|
||||||
)
|
)
|
||||||
|
|
||||||
c.flags.StringVar(
|
c.flags.StringVar(
|
||||||
|
@ -95,7 +95,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Read an ACL Binding Rule"
|
const synopsis = "Read an ACL binding rule"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl binding-rule read -id ID [options]
|
Usage: consul acl binding-rule read -id ID [options]
|
||||||
|
|
||||||
|
|
|
@ -40,7 +40,7 @@ func (c *cmd) init() {
|
||||||
"meta",
|
"meta",
|
||||||
false,
|
false,
|
||||||
"Indicates that binding rule metadata such "+
|
"Indicates that binding rule metadata such "+
|
||||||
"as the content hash and raft indices should be shown for each entry.",
|
"as the raft indices should be shown for each entry.",
|
||||||
)
|
)
|
||||||
|
|
||||||
c.flags.StringVar(
|
c.flags.StringVar(
|
||||||
|
@ -193,7 +193,7 @@ func isFlagSet(flags *flag.FlagSet, name string) bool {
|
||||||
return found
|
return found
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Update an ACL Binding Rule"
|
const synopsis = "Update an ACL binding rule"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl binding-rule update -id ID [options]
|
Usage: consul acl binding-rule update -id ID [options]
|
||||||
|
|
||||||
|
|
|
@ -131,7 +131,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Create an ACL Policy"
|
const synopsis = "Create an ACL policy"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl policy create -name NAME [options]
|
Usage: consul acl policy create -name NAME [options]
|
||||||
|
|
||||||
|
@ -151,6 +151,6 @@ Usage: consul acl policy create -name NAME [options]
|
||||||
Creation a policy from a legacy token:
|
Creation a policy from a legacy token:
|
||||||
|
|
||||||
$ consul acl policy create -name "legacy-policy" \
|
$ consul acl policy create -name "legacy-policy" \
|
||||||
-description "Token Converted to Policy" \
|
-description "Token Converted to policy" \
|
||||||
-from-token "c1e34113-e7ab-4451-b1a6-336ddcc58fc6"
|
-from-token "c1e34113-e7ab-4451-b1a6-336ddcc58fc6"
|
||||||
`
|
`
|
||||||
|
|
|
@ -81,7 +81,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Delete an ACL Policy"
|
const synopsis = "Delete an ACL policy"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl policy delete [options] -id POLICY
|
Usage: consul acl policy delete [options] -id POLICY
|
||||||
|
|
||||||
|
|
|
@ -67,7 +67,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Lists ACL Policies"
|
const synopsis = "Lists ACL policies"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl policy list [options]
|
Usage: consul acl policy list [options]
|
||||||
|
|
||||||
|
|
|
@ -23,15 +23,15 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(help, nil)
|
return flags.Usage(help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Manage Consul's ACL Policies"
|
const synopsis = "Manage Consul's ACL policies"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl policy <subcommand> [options] [args]
|
Usage: consul acl policy <subcommand> [options] [args]
|
||||||
|
|
||||||
This command has subcommands for managing Consul's ACL Policies.
|
This command has subcommands for managing Consul's ACL policies.
|
||||||
Here are some simple examples, and more detailed examples are available
|
Here are some simple examples, and more detailed examples are available
|
||||||
in the subcommands or the documentation.
|
in the subcommands or the documentation.
|
||||||
|
|
||||||
Create a new ACL Policy:
|
Create a new ACL policy:
|
||||||
|
|
||||||
$ consul acl policy create -name "new-policy" \
|
$ consul acl policy create -name "new-policy" \
|
||||||
-description "This is an example policy" \
|
-description "This is an example policy" \
|
||||||
|
|
|
@ -84,7 +84,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Read an ACL Policy"
|
const synopsis = "Read an ACL policy"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl policy read [options] POLICY
|
Usage: consul acl policy read [options] POLICY
|
||||||
|
|
||||||
|
|
|
@ -159,7 +159,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Update an ACL Policy"
|
const synopsis = "Update an ACL policy"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl policy update [options]
|
Usage: consul acl policy update [options]
|
||||||
|
|
||||||
|
@ -167,7 +167,7 @@ Usage: consul acl policy update [options]
|
||||||
current state so that you do not have to provide all parameters. This
|
current state so that you do not have to provide all parameters. This
|
||||||
behavior can be disabled by passing -no-merge.
|
behavior can be disabled by passing -no-merge.
|
||||||
|
|
||||||
Rename the Policy:
|
Rename the policy:
|
||||||
|
|
||||||
$ consul acl policy update -id abcd -name "better-name"
|
$ consul acl policy update -id abcd -name "better-name"
|
||||||
|
|
||||||
|
|
|
@ -118,7 +118,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Create an ACL Role"
|
const synopsis = "Create an ACL role"
|
||||||
|
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl role create -name NAME [options]
|
Usage: consul acl role create -name NAME [options]
|
||||||
|
|
|
@ -81,7 +81,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Delete an ACL Role"
|
const synopsis = "Delete an ACL role"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl role delete [options] -id ROLE
|
Usage: consul acl role delete [options] -id ROLE
|
||||||
|
|
||||||
|
|
|
@ -67,7 +67,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Lists ACL Roles"
|
const synopsis = "Lists ACL roles"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl role list [options]
|
Usage: consul acl role list [options]
|
||||||
|
|
||||||
|
|
|
@ -97,7 +97,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Read an ACL Role"
|
const synopsis = "Read an ACL role"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl role read [options] ROLE
|
Usage: consul acl role read [options] ROLE
|
||||||
|
|
||||||
|
|
|
@ -23,15 +23,15 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(help, nil)
|
return flags.Usage(help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Manage Consul's ACL Roles"
|
const synopsis = "Manage Consul's ACL roles"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl role <subcommand> [options] [args]
|
Usage: consul acl role <subcommand> [options] [args]
|
||||||
|
|
||||||
This command has subcommands for managing Consul's ACL Roles.
|
This command has subcommands for managing Consul's ACL roles.
|
||||||
Here are some simple examples, and more detailed examples are available
|
Here are some simple examples, and more detailed examples are available
|
||||||
in the subcommands or the documentation.
|
in the subcommands or the documentation.
|
||||||
|
|
||||||
Create a new ACL Role:
|
Create a new ACL role:
|
||||||
|
|
||||||
$ consul acl role create -name "new-role" \
|
$ consul acl role create -name "new-role" \
|
||||||
-description "This is an example role" \
|
-description "This is an example role" \
|
||||||
|
|
|
@ -203,7 +203,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Update an ACL Role"
|
const synopsis = "Update an ACL role"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl role update [options]
|
Usage: consul acl role update [options]
|
||||||
|
|
||||||
|
@ -211,7 +211,7 @@ Usage: consul acl role update [options]
|
||||||
current state so that you do not have to provide all parameters. This
|
current state so that you do not have to provide all parameters. This
|
||||||
behavior can be disabled by passing -no-merge.
|
behavior can be disabled by passing -no-merge.
|
||||||
|
|
||||||
Rename the Role:
|
Rename the role:
|
||||||
|
|
||||||
$ consul acl role update -id abcd -name "better-name"
|
$ consul acl role update -id abcd -name "better-name"
|
||||||
|
|
||||||
|
|
|
@ -79,7 +79,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Clone an ACL Token"
|
const synopsis = "Clone an ACL token"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl token clone [options]
|
Usage: consul acl token clone [options]
|
||||||
|
|
||||||
|
|
|
@ -148,7 +148,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Create an ACL Token"
|
const synopsis = "Create an ACL token"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl token create [options]
|
Usage: consul acl token create [options]
|
||||||
|
|
||||||
|
|
|
@ -75,7 +75,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Delete an ACL Token"
|
const synopsis = "Delete an ACL token"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl token delete [options] -id TOKEN
|
Usage: consul acl token delete [options] -id TOKEN
|
||||||
|
|
||||||
|
|
|
@ -72,11 +72,11 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "List ACL Tokens"
|
const synopsis = "List ACL tokens"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl token list [options]
|
Usage: consul acl token list [options]
|
||||||
|
|
||||||
List all the ALC tokens
|
List all the ACL tokens
|
||||||
|
|
||||||
$ consul acl token list
|
$ consul acl token list
|
||||||
`
|
`
|
||||||
|
|
|
@ -91,7 +91,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Read an ACL Token"
|
const synopsis = "Read an ACL token"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl token read [options] -id TOKENID
|
Usage: consul acl token read [options] -id TOKENID
|
||||||
|
|
||||||
|
|
|
@ -23,7 +23,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(help, nil)
|
return flags.Usage(help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Manage Consul's ACL Tokens"
|
const synopsis = "Manage Consul's ACL tokens"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl token <subcommand> [options] [args]
|
Usage: consul acl token <subcommand> [options] [args]
|
||||||
|
|
||||||
|
@ -31,7 +31,7 @@ Usage: consul acl token <subcommand> [options] [args]
|
||||||
Here are some simple examples, and more detailed examples are available
|
Here are some simple examples, and more detailed examples are available
|
||||||
in the subcommands or the documentation.
|
in the subcommands or the documentation.
|
||||||
|
|
||||||
Create a new ACL Token:
|
Create a new ACL token:
|
||||||
|
|
||||||
$ consul acl token create \
|
$ consul acl token create \
|
||||||
-description "This is an example token" \
|
-description "This is an example token" \
|
||||||
|
|
|
@ -278,7 +278,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Update an ACL Token"
|
const synopsis = "Update an ACL token"
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul acl token update [options]
|
Usage: consul acl token update [options]
|
||||||
|
|
||||||
|
|
|
@ -136,13 +136,13 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Login to Consul using an Auth Method"
|
const synopsis = "Login to Consul using an auth method"
|
||||||
|
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul login [options]
|
Usage: consul login [options]
|
||||||
|
|
||||||
The login command will exchange the provided third party credentials with the
|
The login command will exchange the provided third party credentials with the
|
||||||
requested auth method for a newly minted Consul ACL Token. The companion
|
requested auth method for a newly minted Consul ACL token. The companion
|
||||||
command 'consul logout' should be used to destroy any tokens created this way
|
command 'consul logout' should be used to destroy any tokens created this way
|
||||||
to avoid a resource leak.
|
to avoid a resource leak.
|
||||||
`
|
`
|
||||||
|
|
|
@ -60,7 +60,7 @@ func (c *cmd) Help() string {
|
||||||
return flags.Usage(c.help, nil)
|
return flags.Usage(c.help, nil)
|
||||||
}
|
}
|
||||||
|
|
||||||
const synopsis = "Destroy a Consul Token created with Login"
|
const synopsis = "Destroy a Consul token created with login"
|
||||||
|
|
||||||
const help = `
|
const help = `
|
||||||
Usage: consul logout [options]
|
Usage: consul logout [options]
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
The files in this directory are source material for files in the source/assets directory.
|
||||||
|
|
||||||
|
Files that end in *.fig are usable in: https://www.figma.com
|
Binary file not shown.
|
@ -41,7 +41,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl \
|
||||||
--request PUT \
|
--request PUT \
|
||||||
http://127.0.0.1:8500/v1/acl/bootstrap
|
http://127.0.0.1:8500/v1/acl/bootstrap
|
||||||
|
@ -106,7 +106,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl \
|
||||||
--request PUT \
|
--request PUT \
|
||||||
--data @payload.json \
|
--data @payload.json \
|
||||||
|
@ -158,7 +158,7 @@ required.
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl \
|
||||||
--request PUT \
|
--request PUT \
|
||||||
--data @payload.json \
|
--data @payload.json \
|
||||||
|
@ -200,7 +200,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl \
|
||||||
--request PUT \
|
--request PUT \
|
||||||
http://127.0.0.1:8500/v1/acl/destroy/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
http://127.0.0.1:8500/v1/acl/destroy/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
||||||
|
@ -240,7 +240,7 @@ Note: No ACL is required because the ACL is specified in the URL path.
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl \
|
||||||
http://127.0.0.1:8500/v1/acl/info/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
http://127.0.0.1:8500/v1/acl/info/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
||||||
```
|
```
|
||||||
|
@ -287,7 +287,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl \
|
||||||
--request PUT \
|
--request PUT \
|
||||||
http://127.0.0.1:8500/v1/acl/clone/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
http://127.0.0.1:8500/v1/acl/clone/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
||||||
|
@ -321,7 +321,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl \
|
||||||
http://127.0.0.1:8500/v1/acl/list
|
http://127.0.0.1:8500/v1/acl/list
|
||||||
```
|
```
|
||||||
|
@ -372,7 +372,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl \
|
||||||
http://127.0.0.1:8500/v1/acl/replication
|
http://127.0.0.1:8500/v1/acl/replication
|
||||||
```
|
```
|
||||||
|
|
|
@ -12,7 +12,8 @@ description: |-
|
||||||
|
|
||||||
The `/acl` endpoints are used to manage ACL tokens and policies in Consul, [bootstrap the ACL system](#bootstrap-acls), [check ACL replication status](#check-acl-replication), and [translate rules](#translate-rules). There are additional pages for managing [tokens](/api/acl/tokens.html) and [policies](/api/acl/policies.html) with the `/acl` endpoints.
|
The `/acl` endpoints are used to manage ACL tokens and policies in Consul, [bootstrap the ACL system](#bootstrap-acls), [check ACL replication status](#check-acl-replication), and [translate rules](#translate-rules). There are additional pages for managing [tokens](/api/acl/tokens.html) and [policies](/api/acl/policies.html) with the `/acl` endpoints.
|
||||||
|
|
||||||
For more information about ACLs, please see the [ACL Guide](/docs/guides/acl.html).
|
For more information on how to setup ACLs, please see
|
||||||
|
the [ACL Guide](https://learn.hashicorp.com/consul/advanced/day-1-operations/production-acls).
|
||||||
|
|
||||||
## Bootstrap ACLs
|
## Bootstrap ACLs
|
||||||
|
|
||||||
|
@ -263,3 +264,112 @@ agent_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Login to Auth Method
|
||||||
|
|
||||||
|
This endpoint was added in Consul 1.5.0 and is used to exchange an [auth
|
||||||
|
method](/docs/acl/acl-auth-methods.html) bearer token for a newly-created
|
||||||
|
Consul ACL token.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `POST` | `/acl/login` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `none` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `AuthMethod` `(string: <required>)` - The name of the auth method to use for login.
|
||||||
|
|
||||||
|
- `BearerToken` `(string: <required>)` - The bearer token to present to the
|
||||||
|
auth method during login for authentication purposes. For the Kubernetes auth
|
||||||
|
method this is a [Service Account Token
|
||||||
|
(JWT)](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#service-account-tokens).
|
||||||
|
|
||||||
|
- `Meta` `(map<string|string>: nil)` - Specifies arbitrary KV metadata
|
||||||
|
linked to the token. Can be useful to track origins.
|
||||||
|
|
||||||
|
### Sample Payload
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"AuthMethod": "minikube",
|
||||||
|
"BearerToken": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl \
|
||||||
|
--request POST \
|
||||||
|
--data @payload.json \
|
||||||
|
http://127.0.0.1:8500/v1/acl/login
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"AccessorID": "926e2bd2-b344-d91b-0c83-ae89f372cd9b",
|
||||||
|
"SecretID": "b78d37c7-0ca7-5f4d-99ee-6d9975ce4586",
|
||||||
|
"Description": "token created via login",
|
||||||
|
"Roles": [
|
||||||
|
{
|
||||||
|
"ID": "3356c67c-5535-403a-ad79-c1d5f9df8fc7",
|
||||||
|
"Name": "demo"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "example"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Local": true,
|
||||||
|
"AuthMethod": "minikube",
|
||||||
|
"CreateTime": "2019-04-29T10:08:08.404370762-05:00",
|
||||||
|
"Hash": "nLimyD+7l6miiHEBmN/tvCelAmE/SbIXxcnTzG3pbGY=",
|
||||||
|
"CreateIndex": 36,
|
||||||
|
"ModifyIndex": 36
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Logout from Auth Method
|
||||||
|
|
||||||
|
This endpoint was added in Consul 1.5.0 and is used to destroy a token created
|
||||||
|
via the [login endpoint](#login-to-auth-method). The token deleted is specified
|
||||||
|
with the `X-Consul-Token` header or the `token` query parameter.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `POST` | `/acl/logout` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `none` |
|
||||||
|
|
||||||
|
-> **Note** - This endpoint requires no specific privileges as it is just
|
||||||
|
deleting a token for which you already must possess its secret.
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl \
|
||||||
|
-H "X-Consul-Token: b78d37c7-0ca7-5f4d-99ee-6d9975ce4586" \
|
||||||
|
--request POST \
|
||||||
|
http://127.0.0.1:8500/v1/acl/logout
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,310 @@
|
||||||
|
---
|
||||||
|
layout: api
|
||||||
|
page_title: ACL Auth Methods - HTTP API
|
||||||
|
sidebar_current: api-acl-auth-methods
|
||||||
|
description: |-
|
||||||
|
The /acl/auth-method endpoints manage Consul's ACL Auth Methods.
|
||||||
|
---
|
||||||
|
|
||||||
|
-> **1.5.0+:** The auth method APIs are available in Consul versions 1.5.0 and newer.
|
||||||
|
|
||||||
|
# ACL Auth Method HTTP API
|
||||||
|
|
||||||
|
The `/acl/auth-method` endpoints [create](#create-an-auth-method),
|
||||||
|
[read](#read-an-auth-method), [update](#update-an-auth-method),
|
||||||
|
[list](#list-auth-methods) and [delete](#delete-an-auth-method)
|
||||||
|
ACL auth methods in Consul.
|
||||||
|
|
||||||
|
For more information on how to setup ACLs, please see
|
||||||
|
the [ACL Guide](https://learn.hashicorp.com/consul/advanced/day-1-operations/production-acls).
|
||||||
|
|
||||||
|
## Create an Auth Method
|
||||||
|
|
||||||
|
This endpoint creates a new ACL auth method.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `PUT` | `/acl/auth-method` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `Name` `(string: <required>)` - Specifies a name for the ACL auth method. The
|
||||||
|
name can contain alphanumeric characters, dashes `-`, and underscores `_`.
|
||||||
|
This field is immutable and must be unique.
|
||||||
|
|
||||||
|
- `Type` `(string: <required>)` - The type of auth method being configured.
|
||||||
|
The only allowed value in Consul 1.5.0 is `"kubernetes"`. This field is
|
||||||
|
immutable.
|
||||||
|
|
||||||
|
- `Description` `(string: "")` - Free form human readable description of the
|
||||||
|
auth method.
|
||||||
|
|
||||||
|
- `Config` `(map[string]string: <required>)` - The raw configuration to use for
|
||||||
|
the chosen auth method. Contents will vary depending upon the type chosen.
|
||||||
|
For more information on configuring specific auth method types, see the [auth
|
||||||
|
method documentation](/docs/acl/acl-auth-methods.html).
|
||||||
|
|
||||||
|
### Sample Payload
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"Name": "minikube",
|
||||||
|
"Type": "kubernetes",
|
||||||
|
"Description": "dev minikube cluster",
|
||||||
|
"Config": {
|
||||||
|
"Host": "https://192.0.2.42:8443",
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X PUT \
|
||||||
|
--data @payload.json \
|
||||||
|
http://127.0.0.1:8500/v1/acl/auth-method
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"Name": "minikube",
|
||||||
|
"Type": "kubernetes",
|
||||||
|
"Description": "dev minikube cluster",
|
||||||
|
"Config": {
|
||||||
|
"Host": "https://192.0.2.42:8443",
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
|
||||||
|
},
|
||||||
|
"CreateIndex": 15,
|
||||||
|
"ModifyIndex": 15
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Read an Auth Method
|
||||||
|
|
||||||
|
This endpoint reads an ACL auth method with the given name. If no
|
||||||
|
auth method exists with the given name, a 404 is returned instead of a
|
||||||
|
200 response.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `GET` | `/acl/auth-method/:name` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `YES` | `all` | `none` | `acl:read` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `name` `(string: <required>)` - Specifies the name of the ACL auth method to
|
||||||
|
read. This is required and is specified as part of the URL path.
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/auth-method/minikube
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"Name": "minikube",
|
||||||
|
"Type": "kubernetes",
|
||||||
|
"Description": "dev minikube cluster",
|
||||||
|
"Config": {
|
||||||
|
"Host": "https://192.0.2.42:8443",
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
|
||||||
|
},
|
||||||
|
"CreateIndex": 15,
|
||||||
|
"ModifyIndex": 224
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Update an Auth Method
|
||||||
|
|
||||||
|
This endpoint updates an existing ACL auth method.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `PUT` | `/acl/auth-method/:name` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `Name` `(string: <required>)` - Specifies the name of the auth method to
|
||||||
|
update. This is required in the URL path but may also be specified in the
|
||||||
|
JSON body. If specified in both places then they must match exactly.
|
||||||
|
|
||||||
|
- `Type` `(string: <required>)` - Specifies the type of the auth method being
|
||||||
|
updated. This field is immutable so if present in the body then it must
|
||||||
|
match the existing value. If not present then the value will be filled in by
|
||||||
|
Consul.
|
||||||
|
|
||||||
|
- `Description` `(string: "")` - Free form human readable description of the
|
||||||
|
auth method.
|
||||||
|
|
||||||
|
- `Config` `(map[string]string: <required>)` - The raw configuration to use for
|
||||||
|
the chosen auth method. Contents will vary depending upon the type chosen.
|
||||||
|
For more information on configuring specific auth method types, see the [auth
|
||||||
|
method documentation](/docs/acl/acl-auth-methods.html).
|
||||||
|
|
||||||
|
### Sample Payload
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"Name": "minikube",
|
||||||
|
"Description": "updated name",
|
||||||
|
"Config": {
|
||||||
|
"Host": "https://192.0.2.42:8443",
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X PUT \
|
||||||
|
--data @payload.json \
|
||||||
|
http://127.0.0.1:8500/v1/acl/auth-method/minikube
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"Name": "minikube",
|
||||||
|
"Description": "updated name",
|
||||||
|
"Type": "kubernetes",
|
||||||
|
"Config": {
|
||||||
|
"Host": "https://192.0.2.42:8443",
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
|
||||||
|
},
|
||||||
|
"CreateIndex": 15,
|
||||||
|
"ModifyIndex": 224
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Delete an Auth Method
|
||||||
|
|
||||||
|
This endpoint deletes an ACL auth method.
|
||||||
|
|
||||||
|
~> Deleting an auth method will also immediately delete all associated
|
||||||
|
[binding rules](/api/acl/binding-rules.html) as well as any
|
||||||
|
outstanding [tokens](/api/acl/tokens.html) created from this auth method.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| -------- | ------------------------- | -------------------------- |
|
||||||
|
| `DELETE` | `/acl/auth-method/:name` | `application/json` |
|
||||||
|
|
||||||
|
Even though the return type is application/json, the value is either true or
|
||||||
|
false indicating whether the delete succeeded.
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `name` `(string: <required>)` - Specifies the name of the ACL auth method to
|
||||||
|
delete. This is required and is specified as part of the URL path.
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X DELETE \
|
||||||
|
http://127.0.0.1:8500/v1/acl/auth-method/minikube
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
true
|
||||||
|
```
|
||||||
|
|
||||||
|
## List Auth Methods
|
||||||
|
|
||||||
|
This endpoint lists all the ACL auth methods.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `GET` | `/acl/auth-methods` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `YES` | `all` | `none` | `acl:read` |
|
||||||
|
|
||||||
|
## Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/auth-methods
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
-> **Note** - The contents of the `Config` field are not included in the
|
||||||
|
listing and must be retrieved by the [auth method reading endpoint](#read-an-auth-method).
|
||||||
|
|
||||||
|
```json
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"Name": "minikube-1",
|
||||||
|
"Type": "kubernetes",
|
||||||
|
"Description": "",
|
||||||
|
"CreateIndex": 14,
|
||||||
|
"ModifyIndex": 14
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Name": "minikube-2",
|
||||||
|
"Type": "kubernetes",
|
||||||
|
"Description": "",
|
||||||
|
"CreateIndex": 15,
|
||||||
|
"ModifyIndex": 15
|
||||||
|
}
|
||||||
|
]
|
||||||
|
```
|
|
@ -0,0 +1,372 @@
|
||||||
|
---
|
||||||
|
layout: api
|
||||||
|
page_title: ACL Binding Rules - HTTP API
|
||||||
|
sidebar_current: api-acl-binding-rules
|
||||||
|
description: |-
|
||||||
|
The /acl/binding-rule endpoints manage Consul's ACL Binding Rules.
|
||||||
|
---
|
||||||
|
|
||||||
|
-> **1.5.0+:** The binding rule APIs are available in Consul versions 1.5.0 and newer.
|
||||||
|
|
||||||
|
# ACL Binding Rule HTTP API
|
||||||
|
|
||||||
|
The `/acl/binding-rule` endpoints [create](#create-a-binding-rule),
|
||||||
|
[read](#read-a-binding-rule), [update](#update-a-binding-rule),
|
||||||
|
[list](#list-binding-rules) and [delete](#delete-a-binding-rule) ACL binding
|
||||||
|
rules in Consul.
|
||||||
|
|
||||||
|
For more information on how to setup ACLs, please see
|
||||||
|
the [ACL Guide](https://learn.hashicorp.com/consul/advanced/day-1-operations/production-acls).
|
||||||
|
|
||||||
|
## Create a Binding Rule
|
||||||
|
|
||||||
|
This endpoint creates a new ACL binding rule.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `PUT` | `/acl/binding-rule` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `Description` `(string: "")` - Free form human readable description of the binding rule.
|
||||||
|
|
||||||
|
- `AuthMethod` `(string: <required>)` - The name of the auth method that this
|
||||||
|
rule applies to. This field is immutable.
|
||||||
|
|
||||||
|
- `Selector` `(string: "")` - Specifies the expression used to match this rule
|
||||||
|
against valid identities returned from an auth method validation. If empty
|
||||||
|
this binding rule matches all valid identities returned from the auth method. For example:
|
||||||
|
|
||||||
|
```text
|
||||||
|
serviceaccount.namespace==default and serviceaccount.name!=vault
|
||||||
|
```
|
||||||
|
|
||||||
|
- `BindType` `(string: <required>)` - Specifies the way the binding rule
|
||||||
|
affects a token created at login.
|
||||||
|
|
||||||
|
- `BindType=service` - The computed bind name value is used as an
|
||||||
|
`ACLServiceIdentity.ServiceName` field in the token that is created.
|
||||||
|
|
||||||
|
```json
|
||||||
|
{ ...other fields...
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{ "ServiceName": "<computed BindName>" }
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
- `BindType=role` - The computed bind name value is used as a `RoleLink.Name`
|
||||||
|
field in the token that is created. This binding rule will only apply if a
|
||||||
|
role with the given name exists at login-time. If it does not then this
|
||||||
|
rule is ignored.
|
||||||
|
|
||||||
|
```json
|
||||||
|
{ ...other fields...
|
||||||
|
"Roles": [
|
||||||
|
{ "Name": "<computed BindName>" }
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
- `BindName` `(string: <required>)` - The name to bind to a token at
|
||||||
|
login-time. What it binds to can be adjusted with different values of the
|
||||||
|
`BindType` field. This can either be a plain string or lightly templated
|
||||||
|
using [HIL syntax](https://github.com/hashicorp/hil) to interpolate the same
|
||||||
|
values that are usable by the `Selector` syntax. For example:
|
||||||
|
|
||||||
|
```text
|
||||||
|
prefixed-${serviceaccount.name}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Payload
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"Description": "example rule",
|
||||||
|
"AuthMethod": "minikube",
|
||||||
|
"Selector": "serviceaccount.namespace==default",
|
||||||
|
"BindType": "service",
|
||||||
|
"BindName": "{{ serviceaccount.name }}"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X PUT \
|
||||||
|
--data @payload.json \
|
||||||
|
http://127.0.0.1:8500/v1/acl/binding-rule
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ID": "000ed53c-e2d3-e7e6-31a5-c19bc3518a3d",
|
||||||
|
"Description": "example rule",
|
||||||
|
"AuthMethod": "minikube",
|
||||||
|
"Selector": "serviceaccount.namespace==default",
|
||||||
|
"BindType": "service",
|
||||||
|
"BindName": "{{ serviceaccount.name }}",
|
||||||
|
"CreateIndex": 17,
|
||||||
|
"ModifyIndex": 17
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Read a Binding Rule
|
||||||
|
|
||||||
|
This endpoint reads an ACL binding rule with the given ID. If no
|
||||||
|
binding rule exists with the given ID, a 404 is returned instead of a 200
|
||||||
|
response.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `GET` | `/acl/binding-rule/:id` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `YES` | `all` | `none` | `acl:read` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `id` `(string: <required>)` - Specifies the UUID of the ACL binding rule
|
||||||
|
to read. This is required and is specified as part of the URL path.
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/binding-rule/000ed53c-e2d3-e7e6-31a5-c19bc3518a3d
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ID": "000ed53c-e2d3-e7e6-31a5-c19bc3518a3d",
|
||||||
|
"Description": "example rule",
|
||||||
|
"AuthMethod": "minikube",
|
||||||
|
"Selector": "serviceaccount.namespace==default",
|
||||||
|
"BindType": "service",
|
||||||
|
"BindName": "{{ serviceaccount.name }}",
|
||||||
|
"CreateIndex": 17,
|
||||||
|
"ModifyIndex": 17
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Update a Binding Rule
|
||||||
|
|
||||||
|
This endpoint updates an existing ACL binding rule.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `PUT` | `/acl/binding-rule/:id` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `ID` `(string: <required>)` - Specifies the ID of the binding rule to update.
|
||||||
|
This is required in the URL path but may also be specified in the JSON body.
|
||||||
|
If specified in both places then they must match exactly.
|
||||||
|
|
||||||
|
- `Description` `(string: "")` - Free form human readable description of the binding rule.
|
||||||
|
|
||||||
|
- `AuthMethod` `(string: <required>)` - Specifies the name of the auth
|
||||||
|
method that this rule applies to. This field is immutable so if present in
|
||||||
|
the body then it must match the existing value. If not present then the value
|
||||||
|
will be filled in by Consul.
|
||||||
|
|
||||||
|
- `Selector` `(string: "")` - Specifies the expression used to match this rule
|
||||||
|
against valid identities returned from an auth method validation. If empty
|
||||||
|
this binding rule matches all valid identities returned from the auth method. For example:
|
||||||
|
|
||||||
|
```text
|
||||||
|
serviceaccount.namespace==default and serviceaccount.name!=vault
|
||||||
|
```
|
||||||
|
|
||||||
|
- `BindType` `(string: <required>)` - Specifies the way the binding rule
|
||||||
|
affects a token created at login.
|
||||||
|
|
||||||
|
- `BindType=service` - The computed bind name value is used as an
|
||||||
|
`ACLServiceIdentity.ServiceName` field in the token that is created.
|
||||||
|
|
||||||
|
```json
|
||||||
|
{ ...other fields...
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{ "ServiceName": "<computed BindName>" }
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
- `BindType=role` - The computed bind name value is used as a `RoleLink.Name`
|
||||||
|
field in the token that is created. This binding rule will only apply if a
|
||||||
|
role with the given name exists at login-time. If it does not then this
|
||||||
|
rule is ignored.
|
||||||
|
|
||||||
|
```json
|
||||||
|
{ ...other fields...
|
||||||
|
"Roles": [
|
||||||
|
{ "Name": "<computed BindName>" }
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
- `BindName` `(string: <required>)` - The name to bind to a token at
|
||||||
|
login-time. What it binds to can be adjusted with different values of the
|
||||||
|
`BindType` field. This can either be a plain string or lightly templated
|
||||||
|
using [HIL syntax](https://github.com/hashicorp/hil) to interpolate the same
|
||||||
|
values that are usable by the `Selector` syntax. For example:
|
||||||
|
|
||||||
|
```text
|
||||||
|
prefixed-${serviceaccount.name}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Payload
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"Description": "updated rule",
|
||||||
|
"Selector": "serviceaccount.namespace=dev",
|
||||||
|
"BindType": "role",
|
||||||
|
"BindName": "{{ serviceaccount.name }}"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X PUT \
|
||||||
|
--data @payload.json \
|
||||||
|
http://127.0.0.1:8500/v1/acl/binding-rule/000ed53c-e2d3-e7e6-31a5-c19bc3518a3d
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ID": "000ed53c-e2d3-e7e6-31a5-c19bc3518a3d",
|
||||||
|
"Description": "updated rule",
|
||||||
|
"AuthMethod": "minikube",
|
||||||
|
"Selector": "serviceaccount.namespace=dev",
|
||||||
|
"BindType": "role",
|
||||||
|
"BindName": "{{ serviceaccount.name }}",
|
||||||
|
"CreateIndex": 17,
|
||||||
|
"ModifyIndex": 18
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Delete a Binding Rule
|
||||||
|
|
||||||
|
This endpoint deletes an ACL binding rule.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| -------- | ------------------------- | -------------------------- |
|
||||||
|
| `DELETE` | `/acl/binding-rule/:id` | `application/json` |
|
||||||
|
|
||||||
|
Even though the return type is application/json, the value is either true or
|
||||||
|
false indicating whether the delete succeeded.
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `id` `(string: <required>)` - Specifies the UUID of the ACL binding rule to
|
||||||
|
delete. This is required and is specified as part of the URL path.
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X DELETE \
|
||||||
|
http://127.0.0.1:8500/v1/acl/binding-rule/000ed53c-e2d3-e7e6-31a5-c19bc3518a3d
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
```json
|
||||||
|
true
|
||||||
|
```
|
||||||
|
|
||||||
|
## List Binding Rules
|
||||||
|
|
||||||
|
This endpoint lists all the ACL binding rules.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `GET` | `/acl/binding-rules` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `YES` | `all` | `none` | `acl:read` |
|
||||||
|
|
||||||
|
## Parameters
|
||||||
|
|
||||||
|
- `authmethod` `(string: "")` - Filters the binding rule list to those binding
|
||||||
|
rules that are linked with the specific named auth method.
|
||||||
|
|
||||||
|
## Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/binding-rules
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"ID": "000ed53c-e2d3-e7e6-31a5-c19bc3518a3d",
|
||||||
|
"Description": "example 1",
|
||||||
|
"AuthMethod": "minikube-1",
|
||||||
|
"BindType": "service",
|
||||||
|
"BindName": "k8s-{{ serviceaccount.name }}",
|
||||||
|
"CreateIndex": 17,
|
||||||
|
"ModifyIndex": 17
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ID": "b4f0a0a3-69f2-7a4f-6bef-326034ace9fa",
|
||||||
|
"Description": "example 2",
|
||||||
|
"AuthMethod": "minikube-2",
|
||||||
|
"Selector": "serviceaccount.namespace==default",
|
||||||
|
"BindName": "k8s-{{ serviceaccount.name }}",
|
||||||
|
"CreateIndex": 18,
|
||||||
|
"ModifyIndex": 18
|
||||||
|
}
|
||||||
|
]
|
||||||
|
```
|
|
@ -12,7 +12,9 @@ the new ACL [Token](/api/acl/tokens.html) and [Policy](/api/acl/policies.html) A
|
||||||
|
|
||||||
# ACL HTTP API
|
# ACL HTTP API
|
||||||
|
|
||||||
The `/acl` endpoints create, update, destroy, and query ACL tokens in Consul. For more information about ACLs, please see the [ACL Guide](/docs/guides/acl-legacy.html).
|
The `/acl` endpoints create, update, destroy, and query ACL tokens in Consul.
|
||||||
|
|
||||||
|
For more information about ACLs, please see the [ACL Guide](/docs/guides/acl-legacy.html).
|
||||||
|
|
||||||
## Create ACL Token
|
## Create ACL Token
|
||||||
|
|
||||||
|
|
|
@ -11,8 +11,11 @@ description: |-
|
||||||
# ACL Policy HTTP API
|
# ACL Policy HTTP API
|
||||||
|
|
||||||
The `/acl/policy` endpoints [create](#create-a-policy), [read](#read-a-policy),
|
The `/acl/policy` endpoints [create](#create-a-policy), [read](#read-a-policy),
|
||||||
[update](#update-a-policy), [list](#list-policies) and [delete](#delete-a-policy) ACL policies in Consul.
|
[update](#update-a-policy), [list](#list-policies) and
|
||||||
For more information about ACLs, please see the [ACL Guide](/docs/guides/acl.html).
|
[delete](#delete-a-policy) ACL policies in Consul.
|
||||||
|
|
||||||
|
For more information on how to setup ACLs, please see
|
||||||
|
the [ACL Guide](https://learn.hashicorp.com/consul/advanced/day-1-operations/production-acls).
|
||||||
|
|
||||||
## Create a Policy
|
## Create a Policy
|
||||||
|
|
||||||
|
@ -35,8 +38,8 @@ The table below shows this endpoint's support for
|
||||||
### Parameters
|
### Parameters
|
||||||
|
|
||||||
- `Name` `(string: <required>)` - Specifies a name for the ACL policy. The name
|
- `Name` `(string: <required>)` - Specifies a name for the ACL policy. The name
|
||||||
can only contain alphanumeric characters as well as `-` and `_` and must be
|
can contain alphanumeric characters, dashes `-`, and underscores `_`.
|
||||||
unique.
|
This name must be unique.
|
||||||
|
|
||||||
- `Description` `(string: "")` - Free form human readable description of the policy.
|
- `Description` `(string: "")` - Free form human readable description of the policy.
|
||||||
|
|
||||||
|
@ -60,9 +63,8 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl -X PUT \
|
||||||
--request PUT \
|
|
||||||
--data @payload.json \
|
--data @payload.json \
|
||||||
http://127.0.0.1:8500/v1/acl/policy
|
http://127.0.0.1:8500/v1/acl/policy
|
||||||
```
|
```
|
||||||
|
@ -110,7 +112,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl -X GET http://127.0.0.1:8500/v1/acl/policy/e359bd81-baca-903e-7e64-1ccd9fdc78f5
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/policy/e359bd81-baca-903e-7e64-1ccd9fdc78f5
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -181,9 +183,8 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl -X PUT \
|
||||||
--request PUT \
|
|
||||||
--data @payload.json \
|
--data @payload.json \
|
||||||
http://127.0.0.1:8500/v1/acl/policy/c01a1f82-44be-41b0-a686-685fb6e0f485
|
http://127.0.0.1:8500/v1/acl/policy/c01a1f82-44be-41b0-a686-685fb6e0f485
|
||||||
```
|
```
|
||||||
|
@ -230,8 +231,8 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl -X DELETE
|
$ curl -X DELETE \
|
||||||
http://127.0.0.1:8500/v1/acl/policy/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
http://127.0.0.1:8500/v1/acl/policy/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -260,7 +261,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
## Sample Request
|
## Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl -X GET http://127.0.0.1:8500/v1/acl/policies
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/policies
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,456 @@
|
||||||
|
---
|
||||||
|
layout: api
|
||||||
|
page_title: ACL Roles - HTTP API
|
||||||
|
sidebar_current: api-acl-roles
|
||||||
|
description: |-
|
||||||
|
The /acl/role endpoints manage Consul's ACL Roles.
|
||||||
|
---
|
||||||
|
|
||||||
|
-> **1.5.0+:** The role APIs are available in Consul versions 1.5.0 and newer.
|
||||||
|
|
||||||
|
# ACL Role HTTP API
|
||||||
|
|
||||||
|
The `/acl/role` endpoints [create](#create-a-role), [read](#read-a-role),
|
||||||
|
[update](#update-a-role), [list](#list-roles) and [delete](#delete-a-role) ACL roles in Consul.
|
||||||
|
|
||||||
|
For more information on how to setup ACLs, please see
|
||||||
|
the [ACL Guide](https://learn.hashicorp.com/consul/advanced/day-1-operations/production-acls).
|
||||||
|
|
||||||
|
## Create a Role
|
||||||
|
|
||||||
|
This endpoint creates a new ACL role.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `PUT` | `/acl/role` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `Name` `(string: <required>)` - Specifies a name for the ACL role. The name
|
||||||
|
can contain alphanumeric characters, dashes `-`, and underscores `_`.
|
||||||
|
This name must be unique.
|
||||||
|
|
||||||
|
- `Description` `(string: "")` - Free form human readable description of the role.
|
||||||
|
|
||||||
|
- `Policies` `(array<PolicyLink>)` - The list of policies that should be
|
||||||
|
applied to the role. A PolicyLink is an object with an "ID" and/or "Name"
|
||||||
|
field to specify a policy. With the PolicyLink, roles can be linked to
|
||||||
|
policies either by the policy name or by the policy ID. When policies are
|
||||||
|
linked by name they will be internally resolved to the policy ID. With
|
||||||
|
linking roles internally by IDs, Consul enables policy renaming without
|
||||||
|
breaking tokens.
|
||||||
|
|
||||||
|
- `ServiceIdentities` `(array<ServiceIdentity>)` - The list of [service
|
||||||
|
identities](/docs/acl/acl-system.html#acl-service-identities) that should be
|
||||||
|
applied to the role. Added in Consul 1.5.0.
|
||||||
|
|
||||||
|
- `ServiceName` `(string: <required>)` - The name of the service. The name
|
||||||
|
must be no longer than 256 characters, must start and end with a lowercase
|
||||||
|
alphanumeric character, and can only contain lowercase alphanumeric
|
||||||
|
characters as well as `-` and `_`.
|
||||||
|
|
||||||
|
- `Datacenters` `(array<string>)` - Specifies the datacenters the effective
|
||||||
|
policy is valid within. When no datacenters are provided the effective
|
||||||
|
policy is valid in all datacenters including those which do not yet exist
|
||||||
|
but may in the future.
|
||||||
|
|
||||||
|
### Sample Payload
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"Name": "example-role",
|
||||||
|
"Description": "Showcases all input parameters",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "783beef3-783f-f41f-7422-7087dc272765"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Name": "node-read"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "web"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ServiceName": "db",
|
||||||
|
"Datacenters": [
|
||||||
|
"dc1"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X PUT \
|
||||||
|
--data @payload.json \
|
||||||
|
http://127.0.0.1:8500/v1/acl/role
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ID": "aa770e5b-8b0b-7fcf-e5a1-8535fcc388b4",
|
||||||
|
"Name": "example-role",
|
||||||
|
"Description": "Showcases all input parameters",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "783beef3-783f-f41f-7422-7087dc272765",
|
||||||
|
"Name": "node-read"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "web"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ServiceName": "db",
|
||||||
|
"Datacenters": [
|
||||||
|
"dc1"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Hash": "mBWMIeX9zyUTdDMq8vWB0iYod+mKBArJoAhj6oPz3BI=",
|
||||||
|
"CreateIndex": 57,
|
||||||
|
"ModifyIndex": 57
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Read a Role
|
||||||
|
|
||||||
|
This endpoint reads an ACL role with the given ID. If no role exists with the
|
||||||
|
given ID, a 404 is returned instead of a 200 response.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `GET` | `/acl/role/:id` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `YES` | `all` | `none` | `acl:read` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `id` `(string: <required>)` - Specifies the UUID of the ACL role to
|
||||||
|
read. This is required and is specified as part of the URL path.
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/role/aa770e5b-8b0b-7fcf-e5a1-8535fcc388b4
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ID": "aa770e5b-8b0b-7fcf-e5a1-8535fcc388b4",
|
||||||
|
"Name": "example-role",
|
||||||
|
"Description": "Showcases all input parameters",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "783beef3-783f-f41f-7422-7087dc272765",
|
||||||
|
"Name": "node-read"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "web"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ServiceName": "db",
|
||||||
|
"Datacenters": [
|
||||||
|
"dc1"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Hash": "mBWMIeX9zyUTdDMq8vWB0iYod+mKBArJoAhj6oPz3BI=",
|
||||||
|
"CreateIndex": 57,
|
||||||
|
"ModifyIndex": 57
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Read a Role by Name
|
||||||
|
|
||||||
|
This endpoint reads an ACL role with the given name. If no role exists with the
|
||||||
|
given name, a 404 is returned instead of a 200 response.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `GET` | `/acl/role/name/:name` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `YES` | `all` | `none` | `acl:read` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `name` `(string: <required>)` - Specifies the Name of the ACL role to
|
||||||
|
read. This is required and is specified as part of the URL path.
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/role/name/example-role
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ID": "aa770e5b-8b0b-7fcf-e5a1-8535fcc388b4",
|
||||||
|
"Name": "example-role",
|
||||||
|
"Description": "Showcases all input parameters",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "783beef3-783f-f41f-7422-7087dc272765",
|
||||||
|
"Name": "node-read"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "web"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ServiceName": "db",
|
||||||
|
"Datacenters": [
|
||||||
|
"dc1"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Hash": "mBWMIeX9zyUTdDMq8vWB0iYod+mKBArJoAhj6oPz3BI=",
|
||||||
|
"CreateIndex": 57,
|
||||||
|
"ModifyIndex": 57
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Update a Role
|
||||||
|
|
||||||
|
This endpoint updates an existing ACL role.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `PUT` | `/acl/role/:id` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `ID` `(string: <required>)` - Specifies the ID of the role to update. This is
|
||||||
|
required in the URL path but may also be specified in the JSON body. If specified
|
||||||
|
in both places then they must match exactly.
|
||||||
|
|
||||||
|
- `Name` `(string: <required>)` - Specifies a name for the ACL role. The name
|
||||||
|
can only contain alphanumeric characters as well as `-` and `_` and must be
|
||||||
|
unique.
|
||||||
|
|
||||||
|
- `Description` `(string: "")` - Free form human readable description of the role.
|
||||||
|
|
||||||
|
- `Policies` `(array<PolicyLink>)` - The list of policies that should be
|
||||||
|
applied to the role. A PolicyLink is an object with an "ID" and/or "Name"
|
||||||
|
field to specify a policy. With the PolicyLink, roles can be linked to
|
||||||
|
policies either by the policy name or by the policy ID. When policies are
|
||||||
|
linked by name they will be internally resolved to the policy ID. With
|
||||||
|
linking roles internally by IDs, Consul enables policy renaming without
|
||||||
|
breaking tokens.
|
||||||
|
|
||||||
|
- `ServiceIdentities` `(array<ServiceIdentity>)` - The list of [service
|
||||||
|
identities](/docs/acl/acl-system.html#acl-service-identities) that should be
|
||||||
|
applied to the role. Added in Consul 1.5.0.
|
||||||
|
|
||||||
|
### Sample Payload
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ID": "8bec74a4-5ced-45ed-9c9d-bca6153490bb",
|
||||||
|
"Name": "example-two",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"Name": "node-read"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "db"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X PUT \
|
||||||
|
--data @payload.json \
|
||||||
|
http://127.0.0.1:8500/v1/acl/role/8bec74a4-5ced-45ed-9c9d-bca6153490bb
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
"ID": "8bec74a4-5ced-45ed-9c9d-bca6153490bb",
|
||||||
|
"Name": "example-two",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "783beef3-783f-f41f-7422-7087dc272765",
|
||||||
|
"Name": "node-read"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "db"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Hash": "OtZUUKhInTLEqTPfNSSOYbRiSBKm3c4vI2p6MxZnGWc=",
|
||||||
|
"CreateIndex": 14,
|
||||||
|
"ModifyIndex": 28
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## Delete a Role
|
||||||
|
|
||||||
|
This endpoint deletes an ACL role.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| -------- | ------------------------- | -------------------------- |
|
||||||
|
| `DELETE` | `/acl/role/:id` | `application/json` |
|
||||||
|
|
||||||
|
Even though the return type is application/json, the value is either true or
|
||||||
|
false indicating whether the delete succeeded.
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `NO` | `none` | `none` | `acl:write` |
|
||||||
|
|
||||||
|
### Parameters
|
||||||
|
|
||||||
|
- `id` `(string: <required>)` - Specifies the UUID of the ACL role to
|
||||||
|
delete. This is required and is specified as part of the URL path.
|
||||||
|
|
||||||
|
### Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X DELETE \
|
||||||
|
http://127.0.0.1:8500/v1/acl/role/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
```json
|
||||||
|
true
|
||||||
|
```
|
||||||
|
|
||||||
|
## List Roles
|
||||||
|
|
||||||
|
This endpoint lists all the ACL roles.
|
||||||
|
|
||||||
|
| Method | Path | Produces |
|
||||||
|
| ------ | ---------------------------- | -------------------------- |
|
||||||
|
| `GET` | `/acl/roles` | `application/json` |
|
||||||
|
|
||||||
|
The table below shows this endpoint's support for
|
||||||
|
[blocking queries](/api/features/blocking.html),
|
||||||
|
[consistency modes](/api/features/consistency.html),
|
||||||
|
[agent caching](/api/features/caching.html), and
|
||||||
|
[required ACLs](/api/index.html#authentication).
|
||||||
|
|
||||||
|
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|
||||||
|
| ---------------- | ----------------- | ------------- | ------------ |
|
||||||
|
| `YES` | `all` | `none` | `acl:read` |
|
||||||
|
|
||||||
|
## Parameters
|
||||||
|
|
||||||
|
- `policy` `(string: "")` - Filters the role list to those roles that are
|
||||||
|
linked with the specific policy ID.
|
||||||
|
|
||||||
|
## Sample Request
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/roles
|
||||||
|
```
|
||||||
|
|
||||||
|
### Sample Response
|
||||||
|
|
||||||
|
```json
|
||||||
|
[
|
||||||
|
{
|
||||||
|
"ID": "5e52a099-4c90-c067-5478-980f06be9af5",
|
||||||
|
"Name": "node-read",
|
||||||
|
"Description": "",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "783beef3-783f-f41f-7422-7087dc272765",
|
||||||
|
"Name": "node-read"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Hash": "K6AbfofgiZ1BEaKORBloZf7WPdg45J/PipHxQiBlK1U=",
|
||||||
|
"CreateIndex": 50,
|
||||||
|
"ModifyIndex": 50
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ID": "aa770e5b-8b0b-7fcf-e5a1-8535fcc388b4",
|
||||||
|
"Name": "example-role",
|
||||||
|
"Description": "Showcases all input parameters",
|
||||||
|
"Policies": [
|
||||||
|
{
|
||||||
|
"ID": "783beef3-783f-f41f-7422-7087dc272765",
|
||||||
|
"Name": "node-read"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"ServiceIdentities": [
|
||||||
|
{
|
||||||
|
"ServiceName": "web"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ServiceName": "db",
|
||||||
|
"Datacenters": [
|
||||||
|
"dc1"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"Hash": "mBWMIeX9zyUTdDMq8vWB0iYod+mKBArJoAhj6oPz3BI=",
|
||||||
|
"CreateIndex": 57,
|
||||||
|
"ModifyIndex": 57
|
||||||
|
}
|
||||||
|
]
|
||||||
|
```
|
|
@ -1,9 +1,9 @@
|
||||||
---
|
---
|
||||||
layout: api
|
layout: api
|
||||||
page_title: ACL Policies - HTTP API
|
page_title: ACL Tokens - HTTP API
|
||||||
sidebar_current: api-acl-tokens
|
sidebar_current: api-acl-tokens
|
||||||
description: |-
|
description: |-
|
||||||
The /acl/token endpoints manage Consul's ACL Policies.
|
The /acl/token endpoints manage Consul's ACL Tokens.
|
||||||
---
|
---
|
||||||
|
|
||||||
-> **1.4.0+:** The APIs are available in Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html)
|
-> **1.4.0+:** The APIs are available in Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html)
|
||||||
|
@ -13,7 +13,8 @@ description: |-
|
||||||
The `/acl/token` endpoints [create](#create-a-token), [read](#read-a-token),
|
The `/acl/token` endpoints [create](#create-a-token), [read](#read-a-token),
|
||||||
[update](#update-a-token), [list](#list-tokens), [clone](#clone-a-token) and [delete](#delete-a-token) ACL policies in Consul.
|
[update](#update-a-token), [list](#list-tokens), [clone](#clone-a-token) and [delete](#delete-a-token) ACL policies in Consul.
|
||||||
|
|
||||||
For more information about ACLs, please see the [ACL Guide](/docs/guides/acl.html).
|
For more information on how to setup ACLs, please see
|
||||||
|
the [ACL Guide](https://learn.hashicorp.com/consul/advanced/day-1-operations/production-acls).
|
||||||
|
|
||||||
## Create a Token
|
## Create a Token
|
||||||
|
|
||||||
|
@ -45,15 +46,49 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
- `Description` `(string: "")` - Free form human readable description of the token.
|
- `Description` `(string: "")` - Free form human readable description of the token.
|
||||||
|
|
||||||
- `Policies` `(array<PolicyLink>)` - The list of policies that should
|
- `Policies` `(array<PolicyLink>)` - The list of policies that should be
|
||||||
be applied to the token. A PolicyLink is an object with an "ID" and/or "Name" field
|
applied to the token. A PolicyLink is an object with an "ID" and/or "Name"
|
||||||
to specify a policy. With the PolicyLink, tokens can be linked to policies either by the
|
field to specify a policy. With the PolicyLink, tokens can be linked to
|
||||||
policy name or by the policy ID. When policies are linked by name they will be
|
policies either by the policy name or by the policy ID. When policies are
|
||||||
internally resolved to the policy ID. With linking tokens internally by IDs,
|
linked by name they will be internally resolved to the policy ID. With
|
||||||
Consul enables policy renaming without breaking tokens.
|
linking tokens internally by IDs, Consul enables policy renaming without
|
||||||
|
breaking tokens.
|
||||||
|
|
||||||
- `Local` `(bool: false)` - If true, indicates that the token should not be replicated
|
- `Roles` `(array<RoleLink>)` - The list of roles that should be applied to the
|
||||||
globally and instead be local to the current datacenter.
|
token. A RoleLink is an object with an "ID" and/or "Name" field to specify a
|
||||||
|
role. With the RoleLink, tokens can be linked to roles either by the role
|
||||||
|
name or by the role ID. When roles are linked by name they will be internally
|
||||||
|
resolved to the role ID. With linking tokens internally by IDs, Consul
|
||||||
|
enables role renaming without breaking tokens. Added in Consul 1.5.0.
|
||||||
|
|
||||||
|
- `ServiceIdentities` `(array<ServiceIdentity>)` - The list of [service
|
||||||
|
identities](/docs/acl/acl-system.html#acl-service-identities) that should be
|
||||||
|
applied to the token. Added in Consul 1.5.0.
|
||||||
|
|
||||||
|
- `ServiceName` `(string: <required>)` - The name of the service. The name
|
||||||
|
must be no longer than 256 characters, must start and end with a lowercase
|
||||||
|
alphanumeric character, and can only contain lowercase alphanumeric
|
||||||
|
characters as well as `-` and `_`.
|
||||||
|
|
||||||
|
- `Datacenters` `(array<string>)` - Specifies the datacenters the effective
|
||||||
|
policy is valid within. When no datacenters are provided the effective
|
||||||
|
policy is valid in all datacenters including those which do not yet exist
|
||||||
|
but may in the future.
|
||||||
|
|
||||||
|
- `Local` `(bool: false)` - If true, indicates that the token should not be
|
||||||
|
replicated globally and instead be local to the current datacenter.
|
||||||
|
|
||||||
|
- `ExpirationTime` `(time: "")`- If set this represents the point after which a
|
||||||
|
token should be considered revoked and is eligible for destruction. The
|
||||||
|
default unset value represents NO expiration. This value must be between 1
|
||||||
|
minute and 24 hours in the future. Added in Consul 1.5.0.
|
||||||
|
|
||||||
|
- `ExpirationTTL` `(duration: 0s)` - This is a convenience field and if set
|
||||||
|
will initialize the `ExpirationTime` field to a value of `CreateTime +
|
||||||
|
ExpirationTTL`. This field is not persisted beyond its initial use. Can be
|
||||||
|
specified in the form of `"60s"` or `"5m"` (i.e., 60 seconds or 5 minutes,
|
||||||
|
respectively). This value must be no smaller than 1 minute and no longer than
|
||||||
|
24 hours. Added in Consul 1.5.0.
|
||||||
|
|
||||||
### Sample Payload
|
### Sample Payload
|
||||||
|
|
||||||
|
@ -74,9 +109,8 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl -X PUT \
|
||||||
--request PUT \
|
|
||||||
--data @payload.json \
|
--data @payload.json \
|
||||||
http://127.0.0.1:8500/v1/acl/token
|
http://127.0.0.1:8500/v1/acl/token
|
||||||
```
|
```
|
||||||
|
@ -132,7 +166,7 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl -X GET http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -191,7 +225,7 @@ retrieving the data for a token that you must already possess its secret.
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl -H "X-Consul-Token: 6a1253d2-1785-24fd-91c2-f8e78c745511" \
|
$ curl -H "X-Consul-Token: 6a1253d2-1785-24fd-91c2-f8e78c745511" \
|
||||||
http://127.0.0.1:8500/v1/acl/token/self
|
http://127.0.0.1:8500/v1/acl/token/self
|
||||||
```
|
```
|
||||||
|
@ -254,15 +288,47 @@ The table below shows this endpoint's support for
|
||||||
- `Description` `(string: "")` - Free form human readable description of this token.
|
- `Description` `(string: "")` - Free form human readable description of this token.
|
||||||
|
|
||||||
- `Policies` `(array<PolicyLink>)` - This is the list of policies that should
|
- `Policies` `(array<PolicyLink>)` - This is the list of policies that should
|
||||||
be applied to this token. A PolicyLink is an object with an "ID" and/or "Name" field
|
be applied to this token. A PolicyLink is an object with an "ID" and/or
|
||||||
to specify a policy. With this tokens can be linked to policies either by the
|
"Name" field to specify a policy. With the PolicyLink tokens can be linked to policies
|
||||||
policy name or by the policy ID. When policies are linked by name they will
|
either by the policy name or by the policy ID. When policies are linked by
|
||||||
internally be resolved to the policy ID. With linking tokens internally by IDs,
|
name they will internally be resolved to the policy ID. With linking tokens
|
||||||
Consul enables policy renaming without breaking tokens.
|
internally by IDs, Consul enables policy renaming without breaking tokens.
|
||||||
|
|
||||||
|
- `Roles` `(array<RoleLink>)` - The list of roles that should be applied to the
|
||||||
|
token. A RoleLink is an object with an "ID" and/or "Name" field to specify a
|
||||||
|
role. With the RoleLink, tokens can be linked to roles either by the role
|
||||||
|
name or by the role ID. When roles are linked by name they will be internally
|
||||||
|
resolved to the role ID. With linking tokens internally by IDs, Consul
|
||||||
|
enables role renaming without breaking tokens.
|
||||||
|
|
||||||
|
- `ServiceIdentities` `(array<ServiceIdentity>)` - The list of [service
|
||||||
|
identities](/docs/acl/acl-system.html#acl-service-identities) that should be
|
||||||
|
applied to the token. Added in Consul 1.5.0.
|
||||||
|
|
||||||
|
- `ServiceName` `(string: <required>)` - The name of the service. The name
|
||||||
|
must be no longer than 256 characters, must start and end with a lowercase
|
||||||
|
alphanumeric character, and can only contain lowercase alphanumeric
|
||||||
|
characters as well as `-` and `_`.
|
||||||
|
|
||||||
|
- `Datacenters` `(array<string>)` - Specifies the datacenters the effective
|
||||||
|
policy is valid within. When no datacenters are provided the effective
|
||||||
|
policy is valid in all datacenters including those which do not yet exist
|
||||||
|
but may in the future.
|
||||||
|
|
||||||
|
- `Local` `(bool: false)` - If true, indicates that this token should not be
|
||||||
|
replicated globally and instead be local to the current datacenter. This
|
||||||
|
value must match the existing value or the request will return an error.
|
||||||
|
|
||||||
|
- `AuthMethod` `(string: "")` - Specifies the name of the auth method that
|
||||||
|
created this token. This field is immutable so if present in the body then it
|
||||||
|
must match the existing value. If not present then the value will be filled
|
||||||
|
in by Consul.
|
||||||
|
|
||||||
|
- `ExpirationTime` `(time: "")` - Specifies the expiration time for the token
|
||||||
|
being updated. This field is immutable so if present in the body then it must
|
||||||
|
match the existing value. If not present then the value will be filled in by
|
||||||
|
Consul.
|
||||||
|
|
||||||
- `Local` `(bool: false)` - If true, indicates that this token should not be replicated
|
|
||||||
globally and instead be local to the current datacenter. This value must match the
|
|
||||||
existing value or the request will return an error.
|
|
||||||
|
|
||||||
### Sample Payload
|
### Sample Payload
|
||||||
|
|
||||||
|
@ -286,9 +352,8 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl -X PUT \
|
||||||
--request PUT \
|
|
||||||
--data @payload.json \
|
--data @payload.json \
|
||||||
http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511
|
http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511
|
||||||
```
|
```
|
||||||
|
@ -357,9 +422,8 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl \
|
$ curl -X PUT \
|
||||||
--request PUT \
|
|
||||||
--data @payload.json \
|
--data @payload.json \
|
||||||
http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511/clone
|
http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511/clone
|
||||||
```
|
```
|
||||||
|
@ -421,8 +485,8 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
### Sample Request
|
### Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl -XDELETE
|
$ curl -X DELETE \
|
||||||
http://127.0.0.1:8500/v1/acl/token/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
http://127.0.0.1:8500/v1/acl/token/8f246b77-f3e1-ff88-5b48-8ec93abf3e05
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -451,12 +515,18 @@ The table below shows this endpoint's support for
|
||||||
|
|
||||||
## Parameters
|
## Parameters
|
||||||
|
|
||||||
- `policy` `(string: "")` - Filters the token list to those tokens that
|
- `policy` `(string: "")` - Filters the token list to those tokens that are
|
||||||
are linked with the specific policy ID.
|
linked with the specific policy ID.
|
||||||
|
|
||||||
|
- `role` `(string: "")` - Filters the token list to those tokens that are
|
||||||
|
linked with the specific role ID.
|
||||||
|
|
||||||
|
- `authmethod` `(string: "")` - Filters the token list to those tokens that are
|
||||||
|
linked with the specific named auth method.
|
||||||
|
|
||||||
## Sample Request
|
## Sample Request
|
||||||
|
|
||||||
```text
|
```sh
|
||||||
$ curl -X GET http://127.0.0.1:8500/v1/acl/tokens
|
$ curl -X GET http://127.0.0.1:8500/v1/acl/tokens
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
File diff suppressed because one or more lines are too long
After Width: | Height: | Size: 73 KiB |
|
@ -0,0 +1,127 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "ACL Auth Methods"
|
||||||
|
sidebar_current: "docs-acl-auth-methods"
|
||||||
|
description: |-
|
||||||
|
An auth method is a component in Consul that performs authentication against a trusted external party to authorize the creation of an ACL tokens usable within the local datacenter.
|
||||||
|
---
|
||||||
|
|
||||||
|
-> **1.5.0+:** This guide only applies in Consul versions 1.5.0 and newer.
|
||||||
|
|
||||||
|
# ACL Auth Methods
|
||||||
|
|
||||||
|
An auth method is a component in Consul that performs authentication against a
|
||||||
|
trusted external party to authorize the creation of an ACL tokens usable within
|
||||||
|
the local datacenter.
|
||||||
|
|
||||||
|
The only supported type of auth method in Consul 1.5.0 is
|
||||||
|
[`kubernetes`](/docs/acl/auth-methods/kubernetes.html).
|
||||||
|
|
||||||
|
## Overview
|
||||||
|
|
||||||
|
Without an auth method a trusted operator is critically involved in the
|
||||||
|
creation and secure introduction of each ACL token to every application that
|
||||||
|
needs one, while ensuring that the policies assigned to these tokens follow the
|
||||||
|
principle of least-privilege.
|
||||||
|
|
||||||
|
When running in environments such as a public cloud or when supervised by a
|
||||||
|
cluster scheduler, applications may already have access to uniquely identifying
|
||||||
|
credentials that were delivered securely by the platform. Consul auth method
|
||||||
|
integrations allow for these credentials to be used to create ACL tokens with
|
||||||
|
properly-scoped policies without additional operator intervention.
|
||||||
|
|
||||||
|
In Consul 1.5.0 the focus is around simplifying the creation of tokens with the
|
||||||
|
privileges necessary to participate in a [Connect](/docs/connect/index.html)
|
||||||
|
service mesh with minimal operator intervention.
|
||||||
|
|
||||||
|
## Operator Configuration
|
||||||
|
|
||||||
|
An operator needs to configure each auth method that is to be trusted by
|
||||||
|
using the API or command line before they can be used by applications.
|
||||||
|
|
||||||
|
* **Authentication** - One or more **auth methods** should be configured with
|
||||||
|
details about how to authenticate application credentials. Successful
|
||||||
|
validation of application credentials will return a set of trusted identity
|
||||||
|
attributes (such as a username). These can be managed with the `consul acl
|
||||||
|
auth-method` subcommands or the corresponding [API
|
||||||
|
endpoints](/api/acl/auth-methods.html). The specific details of
|
||||||
|
configuration are type dependent and described in their own documentation
|
||||||
|
pages.
|
||||||
|
|
||||||
|
* **Authorization** - One or more **binding rules** must be configured to define
|
||||||
|
how to translate trusted identity attributes from each auth method into
|
||||||
|
privileges assigned to the ACL token that is created. These can be managed
|
||||||
|
with the `consul acl binding-rule` subcommands or the corresponding [API
|
||||||
|
endpoints](/api/acl/binding-rules.html).
|
||||||
|
|
||||||
|
## Binding Rules
|
||||||
|
|
||||||
|
Binding rules allow an operator to express a systematic way of automatically
|
||||||
|
linking [roles](/docs/acl/acl-system.html#acl-roles) and [service
|
||||||
|
identities](/docs/acl/acl-system.html#acl-service-identities) to newly created
|
||||||
|
tokens without operator intervention.
|
||||||
|
|
||||||
|
Successful authentication with an auth method returns a set of trusted
|
||||||
|
identity attributes corresponding to the authenticated identity. Those
|
||||||
|
attributes are matched against all configured binding rules for that auth
|
||||||
|
method to determine what privileges to grant the the Consul ACL token it will
|
||||||
|
ultimately create.
|
||||||
|
|
||||||
|
Each binding rule is composed of two portions:
|
||||||
|
|
||||||
|
- **Selector** - A logical query that must match the trusted identity
|
||||||
|
attributes for the binding rule to be applicable to a given login attempt.
|
||||||
|
The syntax uses github.com/hashicorp/go-bexpr which is shared with the [API
|
||||||
|
filtering feature](/api/features/filtering.html). For example:
|
||||||
|
`"serviceaccount.namespace==default and serviceaccount.name!=vault"`
|
||||||
|
|
||||||
|
- **Bind Type and Name** - A binding rule can bind a token to a
|
||||||
|
[role](/docs/acl/acl-system.html#acl-roles) or to a [service
|
||||||
|
identity](/docs/acl/acl-system.html#acl-service-identities) by name. The name
|
||||||
|
can be specified with a plain string or the bind name can be lightly
|
||||||
|
templated using [HIL syntax](https://github.com/hashicorp/hil) to interpolate
|
||||||
|
the same values that are usable by the `Selector` syntax. For example:
|
||||||
|
`"dev-${serviceaccount.name}"`
|
||||||
|
|
||||||
|
When multiple binding rules match, then all roles and service identities are
|
||||||
|
jointly linked to the token created by the login process.
|
||||||
|
|
||||||
|
## Overall Login Process
|
||||||
|
|
||||||
|
Applications are responsible for exchanging their auth method specific secret
|
||||||
|
bearer token for a Consul ACL token by using the login process:
|
||||||
|
|
||||||
|
![diagram of auth method login](/assets/images/auth-methods.svg)
|
||||||
|
|
||||||
|
1. Applications use the `consul login` subcommand or the [login API
|
||||||
|
endpoint](/api/acl/acl.html#login-to-auth-method) to authenticate to a
|
||||||
|
specific auth method using their local Consul client. Applications provide
|
||||||
|
both the name of the auth method and a secret bearer token during login.
|
||||||
|
|
||||||
|
2. The Consul client forwards login requests to the leading Consul server.
|
||||||
|
|
||||||
|
3. The Consul leader then uses auth method specific mechanisms to validate the
|
||||||
|
provided bearer token credentials.
|
||||||
|
|
||||||
|
4. Successful validation returns trusted identity attributes to the Consul
|
||||||
|
leader.
|
||||||
|
|
||||||
|
5. The Consul leader consults the configured set of binding rules associated
|
||||||
|
with the specified auth method and selects only those rules that match the
|
||||||
|
trusted identity attributes.
|
||||||
|
|
||||||
|
6. The Consul leader uses the matching binding rules to generate a list of
|
||||||
|
roles and service identities and assigns them to a token created exclusively
|
||||||
|
in the _local_ datacenter. If none are generated the login attempt fails.
|
||||||
|
|
||||||
|
7. The relevant `SecretID` and remaining details about the token are returned to
|
||||||
|
the originating Consul client.
|
||||||
|
|
||||||
|
8. The Consul client returns the token details back to the application.
|
||||||
|
|
||||||
|
9. (later) Applications SHOULD use the `consul logout` subcommand or the
|
||||||
|
[logout API endpoint](/api/acl/acl.html#logout-from-auth-method) to destroy
|
||||||
|
their token when it is no longer required.
|
||||||
|
|
||||||
|
For more details about specific auth methods and how to configure them, click
|
||||||
|
on the name of the auth method type in the sidebar.
|
|
@ -41,7 +41,7 @@ The most significant change is that rules with selectors _no longer prefix match
|
||||||
by default_. In the legacy system the following rules would grant access to
|
by default_. In the legacy system the following rules would grant access to
|
||||||
nodes, services and keys _prefixed_ with foo.
|
nodes, services and keys _prefixed_ with foo.
|
||||||
|
|
||||||
```
|
```hcl
|
||||||
node "foo" { policy = "write" }
|
node "foo" { policy = "write" }
|
||||||
service "foo" { policy = "write" }
|
service "foo" { policy = "write" }
|
||||||
key "foo" { policy = "write" }
|
key "foo" { policy = "write" }
|
||||||
|
@ -58,7 +58,7 @@ Prefix matching can be expressed in the new ACL system explicitly, making the
|
||||||
following rules in the new system exactly the same as the rules above in the
|
following rules in the new system exactly the same as the rules above in the
|
||||||
old.
|
old.
|
||||||
|
|
||||||
```
|
```hcl
|
||||||
node_prefix "foo" { policy = "write" }
|
node_prefix "foo" { policy = "write" }
|
||||||
service_prefix "foo" { policy = "write" }
|
service_prefix "foo" { policy = "write" }
|
||||||
key_prefix "foo" { policy = "write" }
|
key_prefix "foo" { policy = "write" }
|
||||||
|
@ -218,7 +218,7 @@ In Consul 0.9.1 and later, the agent ACL tokens can be introduced or updated via
|
||||||
|
|
||||||
Since the [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token_legacy) is designed to be used when the Consul servers are not available, its policy is managed locally on the agent and does not need to have a token defined on the Consul servers via the ACL API. Once set, it implicitly has the following policy associated with it (the `node` policy was added in Consul 0.9.0):
|
Since the [`acl_agent_master_token`](/docs/agent/options.html#acl_agent_master_token_legacy) is designed to be used when the Consul servers are not available, its policy is managed locally on the agent and does not need to have a token defined on the Consul servers via the ACL API. Once set, it implicitly has the following policy associated with it (the `node` policy was added in Consul 0.9.0):
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
agent "<node name of agent>" {
|
agent "<node name of agent>" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
@ -240,7 +240,7 @@ The [`acl_agent_token`](/docs/agent/options.html#acl_agent_token) is a special t
|
||||||
|
|
||||||
Here's an example policy sufficient to accomplish the above for a node called `mynode`:
|
Here's an example policy sufficient to accomplish the above for a node called `mynode`:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
node "mynode" {
|
node "mynode" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
@ -617,7 +617,7 @@ machine-generate. Rules can make use of one or more policies.
|
||||||
|
|
||||||
Specification in the HCL format looks like:
|
Specification in the HCL format looks like:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
# These control access to the key/value store.
|
# These control access to the key/value store.
|
||||||
key "" {
|
key "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
|
@ -702,7 +702,7 @@ and [`service`](#service-rules) policies instead.
|
||||||
|
|
||||||
Agent rules look like this:
|
Agent rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
agent "" {
|
agent "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -731,7 +731,7 @@ firing events and listing events.
|
||||||
|
|
||||||
Event rules look like this:
|
Event rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
event "" {
|
event "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -754,7 +754,7 @@ give agents a token with access to this event prefix, in addition to configuring
|
||||||
The `key` policy controls access to key/value store operations in the [KV API](/api/kv.html). Key
|
The `key` policy controls access to key/value store operations in the [KV API](/api/kv.html). Key
|
||||||
rules look like this:
|
rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
key "" {
|
key "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -777,7 +777,7 @@ Consul 1.0 introduces a new `list` policy for keys that is only enforced when op
|
||||||
`list` controls access to recursively list entries and keys, and enables more fine grained policies. With "acl_enable_key_list_policy",
|
`list` controls access to recursively list entries and keys, and enables more fine grained policies. With "acl_enable_key_list_policy",
|
||||||
recursive reads via [the KV API](/api/kv.html#recurse) with an invalid token result in a 403. Example:
|
recursive reads via [the KV API](/api/kv.html#recurse) with an invalid token result in a 403. Example:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
key "" {
|
key "" {
|
||||||
policy = "deny"
|
policy = "deny"
|
||||||
}
|
}
|
||||||
|
@ -801,7 +801,7 @@ Consul Enterprise supports additional optional fields for key write policies for
|
||||||
[Sentinel](https://docs.hashicorp.com/sentinel/app/consul/) integration. An example key rule with a
|
[Sentinel](https://docs.hashicorp.com/sentinel/app/consul/) integration. An example key rule with a
|
||||||
Sentinel code policy looks like this:
|
Sentinel code policy looks like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
key "foo" {
|
key "foo" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
sentinel {
|
sentinel {
|
||||||
|
@ -838,7 +838,7 @@ operations like fetching the list of cluster members.
|
||||||
|
|
||||||
Node rules look like this:
|
Node rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
node "" {
|
node "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -911,7 +911,7 @@ policies, as will be explained below.
|
||||||
|
|
||||||
Query rules look like this:
|
Query rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
query "" {
|
query "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -1030,7 +1030,7 @@ and service discovery with the [Health API](/api/health.html).
|
||||||
|
|
||||||
Service rules look like this:
|
Service rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
service "" {
|
service "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -1086,7 +1086,7 @@ The `session` policy controls access to [Session API](/api/session.html) operati
|
||||||
|
|
||||||
Session rules look like this:
|
Session rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
session "" {
|
session "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
|
|
@ -82,7 +82,7 @@ The simplest and most automatic strategy is to create one new policy for every
|
||||||
existing token. This is easy to automate, but may result in a lot of policies
|
existing token. This is easy to automate, but may result in a lot of policies
|
||||||
with exactly the same rules and with non-human-readable names which will make
|
with exactly the same rules and with non-human-readable names which will make
|
||||||
managing policies harder. This approach can be accomplished using the [`consul
|
managing policies harder. This approach can be accomplished using the [`consul
|
||||||
acl policy create`](/docs/commands/acl/acl-policy.html#create) command with
|
acl policy create`](/docs/commands/acl/policy/create.html) command with
|
||||||
`-from-token` option.
|
`-from-token` option.
|
||||||
|
|
||||||
| Pros | Cons |
|
| Pros | Cons |
|
||||||
|
@ -112,7 +112,7 @@ semantics of the old ACL system.
|
||||||
To assist with this approach, there is a CLI tool and corresponding API that can
|
To assist with this approach, there is a CLI tool and corresponding API that can
|
||||||
translate a legacy ACL token's rules into a new ACL policy that is exactly
|
translate a legacy ACL token's rules into a new ACL policy that is exactly
|
||||||
equivalent. See [`consul acl
|
equivalent. See [`consul acl
|
||||||
translate-rules`](/docs/commands/acl/acl-translate-rules.html).
|
translate-rules`](/docs/commands/acl/translate-rules.html).
|
||||||
|
|
||||||
| Pros | Cons |
|
| Pros | Cons |
|
||||||
| ---- | ---- |
|
| ---- | ---- |
|
||||||
|
@ -141,7 +141,7 @@ endpoint. Specifically, ensure that the `Rules` field is omitted or empty. Empty
|
||||||
|
|
||||||
#### Update via CLI
|
#### Update via CLI
|
||||||
|
|
||||||
Use the [`consul acl token update`](/docs/commands/acl/acl-token.html#update)
|
Use the [`consul acl token update`](/docs/commands/acl/token/update.html)
|
||||||
command to update the token. Specifically you need to use `-upgrade-legacy`
|
command to update the token. Specifically you need to use `-upgrade-legacy`
|
||||||
which will ensure that legacy rules are removed as well as the new policies
|
which will ensure that legacy rules are removed as well as the new policies
|
||||||
added.
|
added.
|
||||||
|
|
|
@ -57,7 +57,7 @@ machine-generate. Rules can make use of one or more policies.
|
||||||
|
|
||||||
Specification in the HCL format looks like:
|
Specification in the HCL format looks like:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
# These control access to the key/value store.
|
# These control access to the key/value store.
|
||||||
key_prefix "" {
|
key_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
|
@ -79,7 +79,7 @@ operator = "read"
|
||||||
|
|
||||||
This is equivalent to the following JSON input:
|
This is equivalent to the following JSON input:
|
||||||
|
|
||||||
```javascript
|
```json
|
||||||
{
|
{
|
||||||
"key_prefix": {
|
"key_prefix": {
|
||||||
"": {
|
"": {
|
||||||
|
@ -154,7 +154,7 @@ The `acl` resource controls access to ACL operations in the
|
||||||
|
|
||||||
ACL rules look like this:
|
ACL rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
acl = "write"
|
acl = "write"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -170,7 +170,7 @@ and [`service` or `service_prefix`](#service-rules) policies instead.
|
||||||
|
|
||||||
Agent rules look like this:
|
Agent rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
agent_prefix "" {
|
agent_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -199,7 +199,7 @@ firing events and listing events.
|
||||||
|
|
||||||
Event rules look like this:
|
Event rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
event_prefix "" {
|
event_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -221,7 +221,7 @@ give agents a token with access to this event prefix, in addition to configuring
|
||||||
The `key` and `key_prefix` resources control access to key/value store operations in the [KV API](/api/kv.html). Key
|
The `key` and `key_prefix` resources control access to key/value store operations in the [KV API](/api/kv.html). Key
|
||||||
rules look like this:
|
rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
key_prefix "" {
|
key_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -242,7 +242,7 @@ Consul 1.0 introduces a new `list` policy for keys that is only enforced when op
|
||||||
`list` controls access to recursively list entries and keys, and enables more fine grained policies. With "acl.enable_key_list_policy",
|
`list` controls access to recursively list entries and keys, and enables more fine grained policies. With "acl.enable_key_list_policy",
|
||||||
recursive reads via [the KV API](/api/kv.html#recurse) with an invalid token result in a 403. Example:
|
recursive reads via [the KV API](/api/kv.html#recurse) with an invalid token result in a 403. Example:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
key_prefix "" {
|
key_prefix "" {
|
||||||
policy = "deny"
|
policy = "deny"
|
||||||
}
|
}
|
||||||
|
@ -266,7 +266,7 @@ Consul Enterprise supports additional optional fields for key write policies for
|
||||||
[Sentinel](https://docs.hashicorp.com/sentinel/app/consul/) integration. An example key rule with a
|
[Sentinel](https://docs.hashicorp.com/sentinel/app/consul/) integration. An example key rule with a
|
||||||
Sentinel code policy looks like this:
|
Sentinel code policy looks like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
key "foo" {
|
key "foo" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
sentinel {
|
sentinel {
|
||||||
|
@ -288,7 +288,7 @@ The `keyring` resource controls access to keyring operations in the
|
||||||
|
|
||||||
Keyring rules look like this:
|
Keyring rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
keyring = "write"
|
keyring = "write"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -303,7 +303,7 @@ operations like fetching the list of cluster members.
|
||||||
|
|
||||||
Node rules look like this:
|
Node rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
node_prefix "" {
|
node_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -358,7 +358,7 @@ The `operator` resource controls access to cluster-level operations in the
|
||||||
|
|
||||||
Operator rules look like this:
|
Operator rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
operator = "read"
|
operator = "read"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -374,7 +374,7 @@ policies, as will be explained below.
|
||||||
|
|
||||||
Query rules look like this:
|
Query rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
query_prefix "" {
|
query_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -491,7 +491,7 @@ and service discovery with the [Health API](/api/health.html).
|
||||||
|
|
||||||
Service rules look like this:
|
Service rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
service_prefix "" {
|
service_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
@ -546,7 +546,7 @@ The `session` and `session_prefix` resources controls access to [Session API](/a
|
||||||
|
|
||||||
Session rules look like this:
|
Session rules look like this:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
session_prefix "" {
|
session_prefix "" {
|
||||||
policy = "read"
|
policy = "read"
|
||||||
}
|
}
|
||||||
|
|
|
@ -27,16 +27,35 @@ At the highest level, there are two major components to the ACL system:
|
||||||
Accessor ID which is used to name a token, and a Secret ID which is used as the bearer token used to
|
Accessor ID which is used to name a token, and a Secret ID which is used as the bearer token used to
|
||||||
make requests to Consul.
|
make requests to Consul.
|
||||||
|
|
||||||
ACL tokens and policies are managed by Consul operators via Consul's
|
For many scenarios policies and tokens are sufficient, but more advanced setups
|
||||||
[ACL API](/api/acl/acl.html), [ACL CLI](/docs/commands/acl.html), or systems like
|
may benefit from additional components in the ACL system:
|
||||||
|
|
||||||
|
* **ACL Roles** - Roles allow for the grouping of a set of policies and service
|
||||||
|
identities into a reusable higher-level entity that can be applied to many
|
||||||
|
tokens. (Added in Consul 1.5.0)
|
||||||
|
|
||||||
|
* **ACL Service Identities** - Service identities are a policy template for
|
||||||
|
expressing a link to a policy suitable for use in [Consul
|
||||||
|
Connect](/docs/connect/index.html). At authorization time this acts like an
|
||||||
|
additional policy was attached, the contents of which are described further
|
||||||
|
below. These are directly attached to tokens and roles and are not
|
||||||
|
independently configured. (Added in Consul 1.5.0)
|
||||||
|
|
||||||
|
* **ACL Auth Methods and Binding Rules** - To learn more about these topics,
|
||||||
|
see the [dedicated auth methods documentation page](/docs/acl/acl-auth-methods.html).
|
||||||
|
|
||||||
|
ACL tokens, policies, roles, auth methods, and binding rules are managed by
|
||||||
|
Consul operators via Consul's [ACL API](/api/acl/acl.html),
|
||||||
|
[ACL CLI](/docs/commands/acl.html), or systems like
|
||||||
[HashiCorp's Vault](https://www.vaultproject.io/docs/secrets/consul/index.html).
|
[HashiCorp's Vault](https://www.vaultproject.io/docs/secrets/consul/index.html).
|
||||||
|
|
||||||
### ACL Policies
|
### ACL Policies
|
||||||
|
|
||||||
An ACL policy is a named set of rules and is composed of the following elements:
|
An ACL policy is a named set of rules and is composed of the following elements:
|
||||||
|
|
||||||
* **ID** - The policies auto-generated public identifier.
|
* **ID** - The policy's auto-generated public identifier.
|
||||||
* **Name** - A unique meaningful name for the policy.
|
* **Name** - A unique meaningful name for the policy.
|
||||||
|
* **Description** - A human readable description of the policy. (Optional)
|
||||||
* **Rules** - Set of rules granting or denying permissions. See the [Rule Specification](/docs/acl/acl-rules.html#rule-specification) documentation for more details.
|
* **Rules** - Set of rules granting or denying permissions. See the [Rule Specification](/docs/acl/acl-rules.html#rule-specification) documentation for more details.
|
||||||
* **Datacenters** - A list of datacenters the policy is valid within.
|
* **Datacenters** - A list of datacenters the policy is valid within.
|
||||||
|
|
||||||
|
@ -46,6 +65,59 @@ An ACL policy is a named set of rules and is composed of the following elements:
|
||||||
and will be assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. This policy can be renamed but modification
|
and will be assigned the reserved ID of `00000000-0000-0000-0000-000000000001`. This policy can be renamed but modification
|
||||||
of anything else including the rule set and datacenter scoping will be prevented by Consul.
|
of anything else including the rule set and datacenter scoping will be prevented by Consul.
|
||||||
|
|
||||||
|
### ACL Service Identities
|
||||||
|
|
||||||
|
-> Added in Consul 1.5.0
|
||||||
|
|
||||||
|
An ACL service identity is an [ACL policy](/docs/acl/acl-system.html#acl-policies) template for expressing a link to a policy
|
||||||
|
suitable for use in [Consul Connect](/docs/connect/index.html). They are usable
|
||||||
|
on both tokens and roles and are composed of the following elements:
|
||||||
|
|
||||||
|
* **Service Name** - The name of the service.
|
||||||
|
* **Datacenters** - A list of datacenters the effective policy is valid within. (Optional)
|
||||||
|
|
||||||
|
Services participating in the service mesh will need privileges to both _be
|
||||||
|
discovered_ and to _discover other healthy service instances_. Suitable
|
||||||
|
policies tend to all look nearly identical so a service identity is a policy
|
||||||
|
template to aid in avoiding boilerplate policy creation.
|
||||||
|
|
||||||
|
At authorization time a service identity acts like an additional policy was
|
||||||
|
attached to the token with the following contents:
|
||||||
|
|
||||||
|
```hcl
|
||||||
|
// Allow the service and its sidecar proxy to register into the catalog.
|
||||||
|
service "<Service Name>" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
service "<Service Name>-sidecar-proxy" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
// Allow for any potential upstreams to be resolved.
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
The [API documentation for roles](/api/acl/roles.html#sample-payload) has some
|
||||||
|
examples of using a service identity.
|
||||||
|
|
||||||
|
### ACL Roles
|
||||||
|
|
||||||
|
-> Added in Consul 1.5.0
|
||||||
|
|
||||||
|
An ACL role is a named set of policies and service identities and is composed
|
||||||
|
of the following elements:
|
||||||
|
|
||||||
|
* **ID** - The role's auto-generated public identifier.
|
||||||
|
* **Name** - A unique meaningful name for the role.
|
||||||
|
* **Description** - A human readable description of the role. (Optional)
|
||||||
|
* **Policy Set** - The list of policies that are applicable for the role.
|
||||||
|
* **Service Identity Set** - The list of service identities that are applicable for the role.
|
||||||
|
|
||||||
### ACL Tokens
|
### ACL Tokens
|
||||||
|
|
||||||
ACL tokens are used to determine if the caller is authorized to perform an action. An ACL token is composed of the following
|
ACL tokens are used to determine if the caller is authorized to perform an action. An ACL token is composed of the following
|
||||||
|
@ -55,8 +127,11 @@ elements:
|
||||||
* **Secret ID** -The bearer token used when making requests to Consul.
|
* **Secret ID** -The bearer token used when making requests to Consul.
|
||||||
* **Description** - A human readable description of the token. (Optional)
|
* **Description** - A human readable description of the token. (Optional)
|
||||||
* **Policy Set** - The list of policies that are applicable for the token.
|
* **Policy Set** - The list of policies that are applicable for the token.
|
||||||
|
* **Role Set** - The list of roles that are applicable for the token. (Added in Consul 1.5.0)
|
||||||
|
* **Service Identity Set** - The list of service identities that are applicable for the token. (Added in Consul 1.5.0)
|
||||||
* **Locality** - Indicates whether the token should be local to the datacenter it was created within or created in
|
* **Locality** - Indicates whether the token should be local to the datacenter it was created within or created in
|
||||||
the primary datacenter and globally replicated.
|
the primary datacenter and globally replicated.
|
||||||
|
* **Expiration Time** - The time at which this token is revoked. (Optional; Added in Consul 1.5.0)
|
||||||
|
|
||||||
#### Builtin Tokens
|
#### Builtin Tokens
|
||||||
|
|
||||||
|
@ -64,7 +139,7 @@ During cluster bootstrapping when ACLs are enabled both the special `anonymous`
|
||||||
injected.
|
injected.
|
||||||
|
|
||||||
* **Anonymous Token** - The anonymous token is used when a request is made to Consul without specifying a bearer token.
|
* **Anonymous Token** - The anonymous token is used when a request is made to Consul without specifying a bearer token.
|
||||||
The anonymous token's description and policies may be updated but Consul will prevent this tokens deletion. When created,
|
The anonymous token's description and policies may be updated but Consul will prevent this token's deletion. When created,
|
||||||
it will be assigned `00000000-0000-0000-0000-000000000002` for its Accessor ID and `anonymous` for its Secret ID.
|
it will be assigned `00000000-0000-0000-0000-000000000002` for its Accessor ID and `anonymous` for its Secret ID.
|
||||||
|
|
||||||
* **Master Token** - When a master token is present within the Consul configuration, it is created and will be linked
|
* **Master Token** - When a master token is present within the Consul configuration, it is created and will be linked
|
||||||
|
@ -78,7 +153,9 @@ The token Secret ID is passed along with each RPC request to the servers. Consul
|
||||||
query string parameter, the `X-Consul-Token` request header, or an
|
query string parameter, the `X-Consul-Token` request header, or an
|
||||||
[RFC6750](https://tools.ietf.org/html/rfc6750) authorization bearer token. Consul's
|
[RFC6750](https://tools.ietf.org/html/rfc6750) authorization bearer token. Consul's
|
||||||
[CLI commands](/docs/commands/index.html) can accept tokens via the
|
[CLI commands](/docs/commands/index.html) can accept tokens via the
|
||||||
`token` argument, or the `CONSUL_HTTP_TOKEN` environment variable.
|
`token` argument, or the `CONSUL_HTTP_TOKEN` environment variable. The CLI
|
||||||
|
commands can also accept token values stored in files with the `token-file`
|
||||||
|
argument, or the `CONSUL_HTTP_TOKEN_FILE` environment variable.
|
||||||
|
|
||||||
If no token is provided for an HTTP request then Consul will use the default ACL token
|
If no token is provided for an HTTP request then Consul will use the default ACL token
|
||||||
if it has been configured. If no default ACL token was configured then the anonymous
|
if it has been configured. If no default ACL token was configured then the anonymous
|
||||||
|
@ -86,7 +163,7 @@ token will be used.
|
||||||
|
|
||||||
#### ACL Rules and Scope
|
#### ACL Rules and Scope
|
||||||
|
|
||||||
The rules from all policies linked with a token are combined to form that token's
|
The rules from all policies, roles, and service identities linked with a token are combined to form that token's
|
||||||
effective rule set. Policy rules can be defined in either a whitelist or blacklist
|
effective rule set. Policy rules can be defined in either a whitelist or blacklist
|
||||||
mode depending on the configuration of [`acl_default_policy`](/docs/agent/options.html#acl_default_policy).
|
mode depending on the configuration of [`acl_default_policy`](/docs/agent/options.html#acl_default_policy).
|
||||||
If the default policy is to "deny" access to all resources, then policy rules can be set to
|
If the default policy is to "deny" access to all resources, then policy rules can be set to
|
||||||
|
@ -137,6 +214,7 @@ as to whether they are set on servers, clients, or both.
|
||||||
| [`acl.enabled`](/docs/agent/options.html#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled |
|
| [`acl.enabled`](/docs/agent/options.html#acl_enabled) | `REQUIRED` | `REQUIRED` | Controls whether ACLs are enabled |
|
||||||
| [`acl.default_policy`](/docs/agent/options.html#acl_default_policy) | `OPTIONAL` | `N/A` | Determines whitelist or blacklist mode |
|
| [`acl.default_policy`](/docs/agent/options.html#acl_default_policy) | `OPTIONAL` | `N/A` | Determines whitelist or blacklist mode |
|
||||||
| [`acl.down_policy`](/docs/agent/options.html#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails |
|
| [`acl.down_policy`](/docs/agent/options.html#acl_down_policy) | `OPTIONAL` | `OPTIONAL` | Determines what to do when the remote token or policy resolution fails |
|
||||||
|
| [`acl.role_ttl`](/docs/agent/options.html#acl_role_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Roles |
|
||||||
| [`acl.policy_ttl`](/docs/agent/options.html#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies |
|
| [`acl.policy_ttl`](/docs/agent/options.html#acl_policy_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Policies |
|
||||||
| [`acl.token_ttl`](/docs/agent/options.html#acl_token_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Tokens |
|
| [`acl.token_ttl`](/docs/agent/options.html#acl_token_ttl) | `OPTIONAL` | `OPTIONAL` | Determines time-to-live for cached ACL Tokens |
|
||||||
|
|
||||||
|
@ -156,7 +234,7 @@ All of these tokens except the `master` token can all be introduced or updated v
|
||||||
|
|
||||||
Since the [`acl.tokens.agent_master`](/docs/agent/options.html#acl_tokens_agent_master) is designed to be used when the Consul servers are not available, its policy is managed locally on the agent and does not need to have a token defined on the Consul servers via the ACL API. Once set, it implicitly has the following policy associated with it
|
Since the [`acl.tokens.agent_master`](/docs/agent/options.html#acl_tokens_agent_master) is designed to be used when the Consul servers are not available, its policy is managed locally on the agent and does not need to have a token defined on the Consul servers via the ACL API. Once set, it implicitly has the following policy associated with it
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
agent "<node name of agent>" {
|
agent "<node name of agent>" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
@ -175,7 +253,7 @@ The [`acl.tokens.agent`](/docs/agent/options.html#acl_tokens_agent) is a special
|
||||||
|
|
||||||
Here's an example policy sufficient to accomplish the above for a node called `mynode`:
|
Here's an example policy sufficient to accomplish the above for a node called `mynode`:
|
||||||
|
|
||||||
```text
|
```hcl
|
||||||
node "mynode" {
|
node "mynode" {
|
||||||
policy = "write"
|
policy = "write"
|
||||||
}
|
}
|
||||||
|
|
|
@ -0,0 +1,137 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Kubernetes Auth Method"
|
||||||
|
sidebar_current: "docs-acl-auth-methods-kubernetes"
|
||||||
|
description: |-
|
||||||
|
The Kubernetes auth method type allows for a Kubernetes service account token to be used to authenticate to Consul. This method of authentication makes it easy to introduce a Consul token into a Kubernetes pod.
|
||||||
|
---
|
||||||
|
|
||||||
|
-> **1.5.0+:** This guide only applies in Consul versions 1.5.0 and newer.
|
||||||
|
|
||||||
|
# Kubernetes Auth Method
|
||||||
|
|
||||||
|
The `kubernetes` auth method type allows for a Kubernetes service account token
|
||||||
|
to be used to authenticate to Consul. This method of authentication makes it
|
||||||
|
easy to introduce a Consul token into a Kubernetes pod.
|
||||||
|
|
||||||
|
This page assumes general knowledge of [Kubernetes](https://kubernetes.io/) and
|
||||||
|
the concepts described in the main [auth method
|
||||||
|
documentation](/docs/acl/acl-auth-methods.html).
|
||||||
|
|
||||||
|
## Config Parameters
|
||||||
|
|
||||||
|
The following auth method [`Config`](/api/acl/auth-methods.html#config)
|
||||||
|
parameters are required to properly configure an auth method of type
|
||||||
|
`kubernetes`:
|
||||||
|
|
||||||
|
- `Host` `(string: <required>)` - Must be a host string, a host:port pair, or a
|
||||||
|
URL to the base of the Kubernetes API server.
|
||||||
|
|
||||||
|
- `CACert` `(string: <required>)` - PEM encoded CA cert for use by the TLS
|
||||||
|
client used to talk with the Kubernetes API. NOTE: Every line must end with a
|
||||||
|
newline (`\n`).
|
||||||
|
|
||||||
|
- `ServiceAccountJWT` `(string: <required>)` - A Service Account Token
|
||||||
|
([JWT](https://jwt.io/ "JSON Web Token")) used by the Consul leader to
|
||||||
|
validate application JWTs during login.
|
||||||
|
|
||||||
|
### Sample Config
|
||||||
|
|
||||||
|
```json
|
||||||
|
{
|
||||||
|
...other fields...
|
||||||
|
"Config": {
|
||||||
|
"Host": "https://192.0.2.42:8443",
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI6IiJ9..."
|
||||||
|
}
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
## RBAC
|
||||||
|
|
||||||
|
The Kubernetes service account corresponding to the configured
|
||||||
|
[`ServiceAccountJWT`](/docs/acl/auth-methods/kubernetes.html#serviceaccountjwt)
|
||||||
|
needs to have access to two Kubernetes APIs:
|
||||||
|
|
||||||
|
- [**TokenReview**](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#create-tokenreview-v1-authentication-k8s-io)
|
||||||
|
|
||||||
|
-> Kubernetes should be running with `--service-account-lookup`. This is
|
||||||
|
defaulted to true in Kubernetes 1.7, but any versions prior should ensure
|
||||||
|
the Kubernetes API server is started with this setting.
|
||||||
|
|
||||||
|
- [**ServiceAccount**](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#read-serviceaccount-v1-core)
|
||||||
|
(`get`)
|
||||||
|
|
||||||
|
The following is an example
|
||||||
|
[RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)
|
||||||
|
configuration snippet to grant the necessary permissions to a service account
|
||||||
|
named `consul-auth-method-example`:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: review-tokens
|
||||||
|
namespace: default
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: consul-auth-method-example
|
||||||
|
namespace: default
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: system:auth-delegator
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
---
|
||||||
|
kind: ClusterRole
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: service-account-getter
|
||||||
|
namespace: default
|
||||||
|
rules:
|
||||||
|
- apiGroups: [""]
|
||||||
|
resources: ["serviceaccounts"]
|
||||||
|
verbs: ["get"]
|
||||||
|
---
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: get-service-accounts
|
||||||
|
namespace: default
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: consul-auth-method-example
|
||||||
|
namespace: default
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: service-account-getter
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
```
|
||||||
|
|
||||||
|
## Trusted Identity Attributes
|
||||||
|
|
||||||
|
The authentication step returns the following trusted identity attributes for
|
||||||
|
use in binding rule selectors and bind name interpolation.
|
||||||
|
|
||||||
|
| Attributes | Supported Selector Operations | Can be Interpolated |
|
||||||
|
| -------------------------- | ---------------------------------- | ------------------- |
|
||||||
|
| `serviceaccount.namespace` | Equal, Not Equal | yes |
|
||||||
|
| `serviceaccount.name` | Equal, Not Equal | yes |
|
||||||
|
| `serviceaccount.uid` | Equal, Not Equal | yes |
|
||||||
|
|
||||||
|
## Kubernetes Authentication Details
|
||||||
|
|
||||||
|
Initially the
|
||||||
|
[`ServiceAccountJWT`](/docs/acl/auth-methods/kubernetes.html#serviceaccountjwt)
|
||||||
|
given to the Consul leader uses the TokenReview API to validate the provided
|
||||||
|
JWT. The trusted attributes of `serviceaccount.namespace`,
|
||||||
|
`serviceaccount.name`, and `serviceaccount.uid` are populated directly from the
|
||||||
|
Service Account metadata.
|
||||||
|
|
||||||
|
The Consul leader makes an additional query, this time to the ServiceAccount
|
||||||
|
API to check for the existence of an annotation of
|
||||||
|
`consul.hashicorp.com/service-name` on the ServiceAccount object. If one is
|
||||||
|
found its value will override the trusted attribute of `serviceaccount.name`
|
||||||
|
for the purposes of evaluating any binding rules.
|
||||||
|
|
|
@ -529,6 +529,12 @@ default will automatically work with some tooling.
|
||||||
it reduces the number of refreshes. However, because the caches are not actively invalidated,
|
it reduces the number of refreshes. However, because the caches are not actively invalidated,
|
||||||
ACL policy may be stale up to the TTL value.
|
ACL policy may be stale up to the TTL value.
|
||||||
|
|
||||||
|
* <a name="acl_role_ttl"></a><a href="#acl_role_ttl">`role_ttl`</a> - Used to control
|
||||||
|
Time-To-Live caching of ACL roles. By default, this is 30 seconds. This setting has a
|
||||||
|
major performance impact: reducing it will cause more frequent refreshes while increasing
|
||||||
|
it reduces the number of refreshes. However, because the caches are not actively invalidated,
|
||||||
|
ACL role may be stale up to the TTL value.
|
||||||
|
|
||||||
* <a name="acl_token_ttl"></a><a href="#acl_token_ttl">`token_ttl`</a> - Used to control
|
* <a name="acl_token_ttl"></a><a href="#acl_token_ttl">`token_ttl`</a> - Used to control
|
||||||
Time-To-Live caching of ACL tokens. By default, this is 30 seconds. This setting has a
|
Time-To-Live caching of ACL tokens. By default, this is 30 seconds. This setting has a
|
||||||
major performance impact: reducing it will cause more frequent refreshes while increasing
|
major performance impact: reducing it will cause more frequent refreshes while increasing
|
||||||
|
|
|
@ -29,3 +29,8 @@
|
||||||
* `-token=<value>` - ACL token to use in the request. This can also be specified
|
* `-token=<value>` - ACL token to use in the request. This can also be specified
|
||||||
via the `CONSUL_HTTP_TOKEN` environment variable. If unspecified, the query
|
via the `CONSUL_HTTP_TOKEN` environment variable. If unspecified, the query
|
||||||
will default to the token of the Consul agent at the HTTP address.
|
will default to the token of the Consul agent at the HTTP address.
|
||||||
|
|
||||||
|
* `-token-file=<value>` - File containing the ACL token to use in the request
|
||||||
|
instead of one specified via the `-token` argument or `CONSUL_HTTP_TOKEN`
|
||||||
|
environment variable. This can also be specified via the
|
||||||
|
`CONSUL_HTTP_TOKEN_FILE` environment variable.
|
||||||
|
|
|
@ -75,11 +75,11 @@ Usage: consul acl <subcommand> [options] [args]
|
||||||
|
|
||||||
$ consul acl bootstrap
|
$ consul acl bootstrap
|
||||||
|
|
||||||
List all ACL Tokens:
|
List all ACL tokens:
|
||||||
|
|
||||||
$ consul acl token list
|
$ consul acl token list
|
||||||
|
|
||||||
Create a new ACL Policy:
|
Create a new ACL policy:
|
||||||
|
|
||||||
$ consul acl policy create -name "new-policy" \
|
$ consul acl policy create -name "new-policy" \
|
||||||
-description "This is an example policy" \
|
-description "This is an example policy" \
|
||||||
|
@ -94,10 +94,13 @@ Usage: consul acl <subcommand> [options] [args]
|
||||||
For more examples, ask for subcommand help or view the documentation.
|
For more examples, ask for subcommand help or view the documentation.
|
||||||
|
|
||||||
Subcommands:
|
Subcommands:
|
||||||
|
auth-method Manage Consul's ACL auth methods
|
||||||
|
binding-rule Manage Consul's ACL binding rules
|
||||||
bootstrap Bootstrap Consul's ACL system
|
bootstrap Bootstrap Consul's ACL system
|
||||||
policy Manage Consul's ACL Policies
|
policy Manage Consul's ACL policies
|
||||||
set-agent-token Interact with the Consul's ACLs
|
role Manage Consul's ACL roles
|
||||||
token Manage Consul's ACL Tokens
|
set-agent-token Assign tokens for the Consul Agent's usage
|
||||||
|
token Manage Consul's ACL tokens
|
||||||
translate-rules Translate the legacy rule syntax into the current syntax
|
translate-rules Translate the legacy rule syntax into the current syntax
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,433 +0,0 @@
|
||||||
---
|
|
||||||
layout: "docs"
|
|
||||||
page_title: "Commands: ACL Policy Management"
|
|
||||||
sidebar_current: "docs-commands-acl-policy"
|
|
||||||
---
|
|
||||||
|
|
||||||
# Consul ACL Policies
|
|
||||||
|
|
||||||
Command: `consul acl policy`
|
|
||||||
|
|
||||||
The `acl policy` command is used to manage Consul's ACL policies. There are
|
|
||||||
subcommands for the individual operations that can be performed.
|
|
||||||
|
|
||||||
* [`create`](#create)
|
|
||||||
* [`read`](#read)
|
|
||||||
* [`update`](#update)
|
|
||||||
* [`delete`](#delete)
|
|
||||||
* [`list`](#list)
|
|
||||||
|
|
||||||
ACL policies are also accessible via the [HTTP API](/api/acl/acl.html).
|
|
||||||
|
|
||||||
Usage: `consul acl policy <subcommand> [options] [args]`
|
|
||||||
|
|
||||||
-> **Note:** All of the examples show for the subcommands will require a valid Consul token with the appropriate permissions.
|
|
||||||
Either set the `CONSUL_HTTP_TOKEN` environment variable to the tokens secret ID or pass the secret ID as the value of the `-token`
|
|
||||||
parameter.
|
|
||||||
|
|
||||||
## Identifying Policies
|
|
||||||
|
|
||||||
In several of the subcommands a policy will have to be identified to be read, modified or deleted. Those subcommands support
|
|
||||||
specifying the policy by its ID using the `-id` parameter or by name using the `-name` parameter. When specifying the policy
|
|
||||||
by its ID a unique policy ID prefix may be specified instead of the entire UUID. As long as it is unique it will be resolved
|
|
||||||
to the full UUID and used. Additionally builtin policy names will be accepted as the value to the `-id` parameter. Even if
|
|
||||||
the builtin policies are renamed their original name can be used to operate on them.
|
|
||||||
|
|
||||||
Builtin Policies:
|
|
||||||
|
|
||||||
| Policy UUID | Policy Name |
|
|
||||||
| ------------------------------------ | ----------------- |
|
|
||||||
| 00000000-0000-0000-0000-000000000001 | global-management |
|
|
||||||
|
|
||||||
## Common Subcommand Options
|
|
||||||
|
|
||||||
All of the `consul acl policy` subcommands support the following options:
|
|
||||||
|
|
||||||
<%= partial "docs/commands/http_api_options_client" %>
|
|
||||||
<%= partial "docs/commands/http_api_options_server" %>
|
|
||||||
|
|
||||||
## `create`
|
|
||||||
|
|
||||||
Command: `consul acl policy create`
|
|
||||||
|
|
||||||
This command creates new policies. The policies rules can either be set explicitly or the
|
|
||||||
`-from-token` parameter may be used to load the rules from a legacy ACL token. When loading
|
|
||||||
the rules from an existing legacy ACL token, the rules get translated from the legacy syntax
|
|
||||||
to the new syntax.
|
|
||||||
|
|
||||||
Both the `-rules` and `-from-token` parameter values allow loading the value
|
|
||||||
from stdin, a file or the raw value. To use stdin pass `-` as the value.
|
|
||||||
To load the value from a file prefix the value with an `@`. Any other
|
|
||||||
values will be used directly.
|
|
||||||
|
|
||||||
-> **Deprecated:** The `-from-token` and `-token-secret` arguments exist only as a convenience
|
|
||||||
to make legacy ACL migration easier. These will be removed in a future major release when
|
|
||||||
support for the legacy ACL system is removed.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl policy create [options] [args]`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-description=<string>` - A description of the policy.
|
|
||||||
|
|
||||||
* `-from-token=<string>` - The legacy token to retrieve the rules for when creating this
|
|
||||||
policy. When this is specified no other rules should be given.
|
|
||||||
Similar to the -rules option the token to use can be loaded from
|
|
||||||
stdin or from a file.
|
|
||||||
|
|
||||||
* `-meta` - Indicates that policy metadata such as the content hash and raft
|
|
||||||
indices should be shown for each entry.
|
|
||||||
|
|
||||||
* `-name=<string>` - The new policy's name. This flag is required.
|
|
||||||
|
|
||||||
* `-rules=<string>` - The policy rules. May be prefixed with '@' to indicate that the
|
|
||||||
value is a file path to load the rules from. '-' may also be given
|
|
||||||
to indicate that the rules are available on stdin.
|
|
||||||
|
|
||||||
* `-token-secret` - Indicates the token provided with -from-token is a SecretID and not
|
|
||||||
an AccessorID.
|
|
||||||
|
|
||||||
* `-valid-datacenter=<value>` - Datacenter that the policy should be valid within.
|
|
||||||
This flag may be specified multiple times.
|
|
||||||
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Create a new policy that is valid in all datacenters:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy create -name "acl-replication" -description "Policy capable of replicating ACL policies" -rules 'acl = "read"'
|
|
||||||
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
|
||||||
Name: acl-replication
|
|
||||||
Description: Policy capable of replicating ACL policies
|
|
||||||
Datacenters:
|
|
||||||
Rules:
|
|
||||||
acl = "read"
|
|
||||||
```
|
|
||||||
|
|
||||||
Create a new policy valid only in specific datacenters with rules read from a file:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy create -name "replication" -description "Replication" -rules @rules.hcl -valid-datacenter dc1 -valid-datacenter dc2
|
|
||||||
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
|
|
||||||
Name: replication
|
|
||||||
Description: Replication
|
|
||||||
Datacenters: dc1, dc2
|
|
||||||
Rules:
|
|
||||||
acl = "read"
|
|
||||||
service_prefix "" {
|
|
||||||
policy = "read"
|
|
||||||
intentions = "read"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Create a new policy with rules equivalent to that of a legacy ACL token:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy create -name "node-services-read" -from-token 5793a5ce -description "Can read any node and service"
|
|
||||||
ID: 06acc965-df4b-5a99-58cb-3250930c6324
|
|
||||||
Name: node-services-read
|
|
||||||
Description: Can read any node and service
|
|
||||||
Datacenters:
|
|
||||||
Rules:
|
|
||||||
service_prefix "" {
|
|
||||||
policy = "read"
|
|
||||||
}
|
|
||||||
|
|
||||||
node_prefix "" {
|
|
||||||
policy = "read"
|
|
||||||
}
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
## `read`
|
|
||||||
|
|
||||||
Command: `consul acl policy read`
|
|
||||||
|
|
||||||
This command reads and displays a policies details.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl policy read [options] [args]`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-id=<string>` - The ID of the policy to read. It may be specified as a unique ID
|
|
||||||
prefix but will error if the prefix matches multiple policy IDs.
|
|
||||||
|
|
||||||
* `-meta` - Indicates that policy metadata such as the content hash and raft
|
|
||||||
indices should be shown for each entry.
|
|
||||||
|
|
||||||
* `-name=<string>` - The name of the policy to read.
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Get policy details:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy read -id 00000000-0000-0000-0000-000000000001
|
|
||||||
ID: 00000000-0000-0000-0000-000000000001
|
|
||||||
Name: global-management
|
|
||||||
Description: Builtin Policy that grants unlimited access
|
|
||||||
Datacenters:
|
|
||||||
Rules:
|
|
||||||
|
|
||||||
acl = "write"
|
|
||||||
agent_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
event_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
key_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
keyring = "write"
|
|
||||||
node_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
operator = "write"
|
|
||||||
query_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
service_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
intentions = "write"
|
|
||||||
}
|
|
||||||
session_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Get policy details by name:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy read -name "acl-replication"
|
|
||||||
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
|
||||||
Name: acl-replication
|
|
||||||
Description: Token capable of replicating ACL policies
|
|
||||||
Datacenters:
|
|
||||||
Rules:
|
|
||||||
acl = "read"
|
|
||||||
```
|
|
||||||
|
|
||||||
Get policy details (Builtin Policies):
|
|
||||||
|
|
||||||
Builtin policies can be accessed by specifying their original name as the value to the `-id` parameter.
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy read -id global-management
|
|
||||||
ID: 00000000-0000-0000-0000-000000000001
|
|
||||||
Name: global-management
|
|
||||||
Description: Builtin Policy that grants unlimited access
|
|
||||||
Datacenters:
|
|
||||||
Hash: b30210b7aba9facd1c57891e3df27669174a08b690cb2905e0797535f75eba69
|
|
||||||
Create Index: 4
|
|
||||||
Modify Index: 4
|
|
||||||
Rules:
|
|
||||||
|
|
||||||
acl = "write"
|
|
||||||
agent_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
event_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
key_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
keyring = "write"
|
|
||||||
node_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
operator = "write"
|
|
||||||
query_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
service_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
intentions = "write"
|
|
||||||
}
|
|
||||||
session_prefix "" {
|
|
||||||
policy = "write"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
## `update`
|
|
||||||
|
|
||||||
Command: `consul acl policy update`
|
|
||||||
|
|
||||||
This command is used to update a policy. The default operations is to merge the current policy
|
|
||||||
with those values provided to the command invocation. Therefore to update just one field, only
|
|
||||||
the `-id` or `-name` options and the option to modify must be provided. Note that renaming
|
|
||||||
policies requires both the `-id` and `-name` as the new name cannot yet be used to lookup the
|
|
||||||
policy.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl policy update [options] [args]`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-description=<string>` - A description of the policy.
|
|
||||||
|
|
||||||
* `-id=<string>` - The ID of the policy to update. It may be specified as a
|
|
||||||
unique ID prefix but will error if the prefix matches multiple policy IDs
|
|
||||||
|
|
||||||
* `-meta` - Indicates that policy metadata such as the content hash and raft
|
|
||||||
indices should be shown for each entry
|
|
||||||
|
|
||||||
* `-name=<string>` - The policies name.
|
|
||||||
|
|
||||||
* `-no-merge` - Do not merge the current policy information with what is provided
|
|
||||||
to the command. Instead overwrite all fields with the exception of
|
|
||||||
the policy ID which is immutable.
|
|
||||||
|
|
||||||
* `-rules=<string>` - The policy rules. May be prefixed with `@` to indicate that
|
|
||||||
the value is a file path to load the rules from. `-` may also be given to
|
|
||||||
indicate that the rules are available on stdin.
|
|
||||||
|
|
||||||
* `-valid-datacenter=<value>` - Datacenter that the policy should be valid within.
|
|
||||||
This flag may be specified multiple times.
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Update a policy:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy update -id 35b8 -name "replication" -description "Policy capable of replication ACL policies and Intentions" -rules @rules.hcl
|
|
||||||
Policy updated successfully
|
|
||||||
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
|
||||||
Name: replication
|
|
||||||
Description: Policy capable of replication ACL policies and Intentions
|
|
||||||
Datacenters:
|
|
||||||
Rules:
|
|
||||||
acl = "read"
|
|
||||||
|
|
||||||
service_prefix "" {
|
|
||||||
policy = "read"
|
|
||||||
intentions = "read"
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Rename a policy:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy update -id 35b8 -name "dc1-replication"
|
|
||||||
Policy updated successfully
|
|
||||||
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
|
||||||
Name: dc1-replication
|
|
||||||
Description: Policy capable of replication ACL policies and Intentions
|
|
||||||
Datacenters: dc1
|
|
||||||
Rules:
|
|
||||||
acl = "read"
|
|
||||||
|
|
||||||
service_prefix "" {
|
|
||||||
policy = "read"
|
|
||||||
intentions = "read"
|
|
||||||
}
|
|
||||||
|
|
||||||
```
|
|
||||||
|
|
||||||
## `delete`
|
|
||||||
|
|
||||||
Command: `consul acl policy delete`
|
|
||||||
|
|
||||||
This command deletes a policy. Policies may be deleted by their ID or by name.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl policy delete [options]`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-id=<string>` - The ID of the policy to delete. It may be specified as a
|
|
||||||
unique ID prefix but will error if the prefix matches multiple policy IDs.
|
|
||||||
|
|
||||||
* `-name=<string>` - The Name of the policy to delete.
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Delete a policy:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy delete -id 35b8
|
|
||||||
Policy "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
|
|
||||||
```
|
|
||||||
|
|
||||||
Delete a policy by name:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy delete -name acl-replication
|
|
||||||
Policy "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
|
|
||||||
```
|
|
||||||
|
|
||||||
## `list`
|
|
||||||
|
|
||||||
Command: `consul acl policy list`
|
|
||||||
|
|
||||||
This command lists all policies. By default it will not show metadata.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl policy list`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-meta` - Indicates that policy metadata such as the content hash and
|
|
||||||
Raft indices should be shown for each entry.
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Default listing.
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy list
|
|
||||||
global-management:
|
|
||||||
ID: 00000000-0000-0000-0000-000000000001
|
|
||||||
Description: Builtin Policy that grants unlimited access
|
|
||||||
Datacenters:
|
|
||||||
acl-replication:
|
|
||||||
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
|
||||||
Description: Policy capable of replicating ACL policies
|
|
||||||
Datacenters:
|
|
||||||
```
|
|
||||||
|
|
||||||
Show Metadata.
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl policy list -meta
|
|
||||||
global-management:
|
|
||||||
ID: 00000000-0000-0000-0000-000000000001
|
|
||||||
Description: Builtin Policy that grants unlimited access
|
|
||||||
Datacenters:
|
|
||||||
Hash: b30210b7aba9facd1c57891e3df27669174a08b690cb2905e0797535f75eba69
|
|
||||||
Create Index: 4
|
|
||||||
Modify Index: 4
|
|
||||||
node-services-read:
|
|
||||||
ID: 06acc965-df4b-5a99-58cb-3250930c6324
|
|
||||||
Description: Can read any node and service
|
|
||||||
Datacenters:
|
|
||||||
Hash: 19d2a73dcd315506af73bfff1492779a0dc0235066fcac07f432fb2cc3402133
|
|
||||||
Create Index: 244
|
|
||||||
Modify Index: 244
|
|
||||||
acl-replication:
|
|
||||||
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
|
|
||||||
Description: Token capable of replicating ACL policies
|
|
||||||
Datacenters: dc1, dc2
|
|
||||||
Hash: b94669679cc24e0d064412e4aa90b470b7f900a8e0801f65feaf1f7d716a5390
|
|
||||||
Create Index: 198
|
|
||||||
Modify Index: 198
|
|
||||||
```
|
|
|
@ -1,363 +0,0 @@
|
||||||
---
|
|
||||||
layout: "docs"
|
|
||||||
page_title: "Commands: ACL Token Management"
|
|
||||||
sidebar_current: "docs-commands-acl-token"
|
|
||||||
---
|
|
||||||
|
|
||||||
# Consul ACL Tokens
|
|
||||||
|
|
||||||
Command: `consul acl token`
|
|
||||||
|
|
||||||
The `acl token` command is used to manage Consul's ACL tokens. There are
|
|
||||||
subcommands for the individual operations that can be performed.
|
|
||||||
|
|
||||||
* [`create`](#create)
|
|
||||||
* [`clone`](#clone)
|
|
||||||
* [`read`](#read)
|
|
||||||
* [`update`](#update)
|
|
||||||
* [`delete`](#delete)
|
|
||||||
* [`list`](#list)
|
|
||||||
|
|
||||||
ACL tokens are also accessible via the [HTTP API](/api/acl/acl.html).
|
|
||||||
|
|
||||||
Usage: `consul acl token <subcommand> [options] [args]`
|
|
||||||
|
|
||||||
-> **Note:** All of the examples show for the subcommands will require a valid Consul token with the appropriate permissions.
|
|
||||||
Either set the `CONSUL_HTTP_TOKEN` environment variable to the tokens secret ID or pass the secret ID as the value of the `-token`
|
|
||||||
parameter.
|
|
||||||
|
|
||||||
## Identifying Tokens
|
|
||||||
|
|
||||||
In several of the subcommands a token will have to be identified to be read, modified or deleted. Those subcommands support
|
|
||||||
specifying the token by its ID using the `-id` parameter. The ID may be specified as a unique UUID prefix instead of the entire
|
|
||||||
UUID. As long as it is unique it will be resolve to the full UUID and used. Additionally builtin token names will be accepted as
|
|
||||||
the value of the `-id`.
|
|
||||||
|
|
||||||
Builtin Tokens:
|
|
||||||
|
|
||||||
| Token UUID | Token Name |
|
|
||||||
| ------------------------------------ | ----------------- |
|
|
||||||
| 00000000-0000-0000-0000-000000000002 | anonymous |
|
|
||||||
|
|
||||||
## Common Subcommand Options
|
|
||||||
|
|
||||||
All of the `consul acl token` subcommands support the following options:
|
|
||||||
|
|
||||||
<%= partial "docs/commands/http_api_options_client" %>
|
|
||||||
<%= partial "docs/commands/http_api_options_server" %>
|
|
||||||
|
|
||||||
## `create`
|
|
||||||
|
|
||||||
Command: `consul acl token create`
|
|
||||||
|
|
||||||
This command creates new tokens. When creating a new token, policies may be linked using
|
|
||||||
either the `-policy-id` or the `-policy-name options. When specifying policies by IDs you
|
|
||||||
may use a unique prefix of the UUID as a shortcut for specifying the entire UUID.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-accessor=<string>` - Create the token with this Accessor ID. It must be a UUID. If not
|
|
||||||
specified one will be auto-generated
|
|
||||||
|
|
||||||
* `-description=<string>` - A description of the token.
|
|
||||||
|
|
||||||
* `-local` - Create this as a datacenter local token.
|
|
||||||
|
|
||||||
* `-policy-id=<value>` - ID of a policy to use for this token. May be specified multiple times.
|
|
||||||
|
|
||||||
* `-policy-name=<value>` - Name of a policy to use for this token. May be specified multiple times.
|
|
||||||
|
|
||||||
* `-meta` - Indicates that token metadata such as the content hash and raft indices should be shown
|
|
||||||
for each entry.
|
|
||||||
|
|
||||||
* `-secret=<string>` - Create the token with this Secret ID. It must be a UUID. If not
|
|
||||||
specified one will be auto-generated.
|
|
||||||
**Note**: The SecretID is used to authorize operations against Consul and should
|
|
||||||
be generated from an appropriate cryptographic source.
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Create a new token:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965
|
|
||||||
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
|
||||||
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
|
|
||||||
Description: Read Nodes and Services
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
|
||||||
Policies:
|
|
||||||
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
|
||||||
```
|
|
||||||
|
|
||||||
Create a new local token:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local
|
|
||||||
AccessorID: 4fdf0ec8-d251-3865-079c-7247c974fc50
|
|
||||||
SecretID: 02143514-abf2-6c23-0aa1-ec2107e68f6b
|
|
||||||
Description: Read Nodes and Services
|
|
||||||
Local: true
|
|
||||||
Create Time: 2018-10-22 15:34:19.330265 -0400 EDT
|
|
||||||
Policies:
|
|
||||||
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
|
||||||
```
|
|
||||||
|
|
||||||
Create a new policy and link with policies by name:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token create -description "Super User" -policy-name global-management
|
|
||||||
AccessorID: 59f86a9b-d3b6-166c-32a0-be4ab3f94caa
|
|
||||||
SecretID: ada7f751-f654-8872-7f93-498e799158b6
|
|
||||||
Description: Super User
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 15:35:28.787003 -0400 EDT
|
|
||||||
Policies:
|
|
||||||
00000000-0000-0000-0000-000000000001 - global-management
|
|
||||||
```
|
|
||||||
|
|
||||||
## `clone`
|
|
||||||
|
|
||||||
Command: `consul acl token clone`
|
|
||||||
|
|
||||||
This command clones an existing token.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl token clone [options]
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-description=<string>` - A description of the new cloned token.
|
|
||||||
|
|
||||||
* `-id=<string>` - The Accessor ID of the token to clone. It may be specified
|
|
||||||
as a unique ID prefix but will error if the prefix matches multiple token
|
|
||||||
Accessor IDs. The special value of 'anonymous' may be provided instead of
|
|
||||||
the anonymous tokens accessor ID
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Clone a token:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token clone -id 59f8 -description "Clone of Super User"
|
|
||||||
Token cloned successfully.
|
|
||||||
AccessorID: dcfa52ed-9288-b3ff-056d-255ef69d2d88
|
|
||||||
SecretID: 0005d17e-5bb2-7e8b-7bfa-15f2eee9ad14
|
|
||||||
Description: Clone of Super User
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 16:26:02.909096 -0400 EDT
|
|
||||||
Policies:
|
|
||||||
00000000-0000-0000-0000-000000000001 - global-management
|
|
||||||
```
|
|
||||||
|
|
||||||
## `read`
|
|
||||||
|
|
||||||
Command: `consul acl token read`
|
|
||||||
|
|
||||||
This command reads and displays a token details.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl token read [options] [args]`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-id=<string>` - The ID of the policy to read. It may be specified as a unique ID
|
|
||||||
prefix but will error if the prefix matches multiple policy IDs.
|
|
||||||
|
|
||||||
* `-meta` - Indicates that policy metadata such as the content hash and raft
|
|
||||||
indices should be shown for each entry.
|
|
||||||
|
|
||||||
* `-self` - Indicates that the current HTTP token should be read by secret ID
|
|
||||||
instead of expecting a -id option.
|
|
||||||
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Get token details:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token read -id 986
|
|
||||||
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
|
||||||
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
|
|
||||||
Description: Read Nodes and Services
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
|
||||||
Policies:
|
|
||||||
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
|
||||||
```
|
|
||||||
|
|
||||||
Get token details using the token secret ID:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$consul acl token read -self
|
|
||||||
AccessorID: 4d123dff-f460-73c3-02c4-8dd64d136e01
|
|
||||||
SecretID: 86cddfb9-2760-d947-358d-a2811156bf31
|
|
||||||
Description: Bootstrap Token (Global Management)
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 11:27:04.479026 -0400 EDT
|
|
||||||
Policies:
|
|
||||||
00000000-0000-0000-0000-000000000001 - global-management
|
|
||||||
```
|
|
||||||
|
|
||||||
Get token details (Builtin Tokens)
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token read -id anonymous
|
|
||||||
AccessorID: 00000000-0000-0000-0000-000000000002
|
|
||||||
SecretID: anonymous
|
|
||||||
Description: Anonymous Token
|
|
||||||
Local: false
|
|
||||||
Create Time: 0001-01-01 00:00:00 +0000 UTC
|
|
||||||
Policies:
|
|
||||||
```
|
|
||||||
|
|
||||||
## `update`
|
|
||||||
|
|
||||||
Command: `consul acl token update`
|
|
||||||
|
|
||||||
This command will update a token. Some parts of the token like whether the
|
|
||||||
token is local to the datacenter cannot be changed.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl token update [options]`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-description=<string>` - A description of the token
|
|
||||||
|
|
||||||
* `-id=<string>` - The Accessor ID of the token to read. It may be specified as a
|
|
||||||
unique ID prefix but will error if the prefix matches multiple token Accessor IDs
|
|
||||||
|
|
||||||
* `-merge-policies` - Merge the new policies with the existing policies
|
|
||||||
|
|
||||||
* `-meta` - Indicates that token metadata such as the content hash and Raft indices should be
|
|
||||||
shown for each entry.
|
|
||||||
|
|
||||||
* `-policy-id=<value>` - ID of a policy to use for this token. May be specified multiple times.
|
|
||||||
|
|
||||||
* `-policy-name=<value>` - Name of a policy to use for this token. May be specified multiple times.
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Update the anonymous token:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token update -id anonymous -policy-id 06acc
|
|
||||||
Token updated successfully.
|
|
||||||
AccessorID: 00000000-0000-0000-0000-000000000002
|
|
||||||
SecretID: anonymous
|
|
||||||
Description: Anonymous Token
|
|
||||||
Local: false
|
|
||||||
Create Time: 0001-01-01 00:00:00 +0000 UTC
|
|
||||||
Policies:
|
|
||||||
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
|
||||||
```
|
|
||||||
|
|
||||||
Update a token description and take the policies from the existing token:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token update -id 986193 -description "WonderToken" -merge-policies
|
|
||||||
Token updated successfully.
|
|
||||||
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
|
||||||
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
|
|
||||||
Description: WonderToken
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
|
||||||
Policies:
|
|
||||||
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
|
||||||
```
|
|
||||||
|
|
||||||
## `delete`
|
|
||||||
|
|
||||||
Command: `consul acl token delete`
|
|
||||||
|
|
||||||
This command deletes a token.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl token delete [options]`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-id=<string>` - The ID of the token to delete. It may be specified as a
|
|
||||||
unique ID prefix but will error if the prefix matches multiple token IDs.
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Delete a token:
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token delete -id 35b8
|
|
||||||
Token "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
|
|
||||||
```
|
|
||||||
|
|
||||||
## `list`
|
|
||||||
|
|
||||||
Command: `consul acl token list`
|
|
||||||
|
|
||||||
This command lists all tokens. By default it will not show metadata.
|
|
||||||
|
|
||||||
### Usage
|
|
||||||
|
|
||||||
Usage: `consul acl token list`
|
|
||||||
|
|
||||||
#### Options
|
|
||||||
|
|
||||||
* [Common Subcommand Options](#common-subcommand-options)
|
|
||||||
|
|
||||||
* `-meta` - Indicates that token metadata such as the content hash and
|
|
||||||
Raft indices should be shown for each entry.
|
|
||||||
|
|
||||||
### Examples
|
|
||||||
|
|
||||||
Default listing.
|
|
||||||
|
|
||||||
```sh
|
|
||||||
$ consul acl token list
|
|
||||||
AccessorID: 4d123dff-f460-73c3-02c4-8dd64d136e01
|
|
||||||
Description: Bootstrap Token (Global Management)
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 11:27:04.479026 -0400 EDT
|
|
||||||
Legacy: false
|
|
||||||
Policies:
|
|
||||||
00000000-0000-0000-0000-000000000001 - global-management
|
|
||||||
|
|
||||||
AccessorID: 59f86a9b-d3b6-166c-32a0-be4ab3f94caa
|
|
||||||
Description: Super User
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 15:35:28.787003 -0400 EDT
|
|
||||||
Legacy: false
|
|
||||||
Policies:
|
|
||||||
00000000-0000-0000-0000-000000000001 - global-management
|
|
||||||
|
|
||||||
AccessorID: 00000000-0000-0000-0000-000000000002
|
|
||||||
Description: Anonymous Token
|
|
||||||
Local: false
|
|
||||||
Create Time: 0001-01-01 00:00:00 +0000 UTC
|
|
||||||
Legacy: false
|
|
||||||
Policies:
|
|
||||||
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
|
||||||
|
|
||||||
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
|
||||||
Description: WonderToken
|
|
||||||
Local: false
|
|
||||||
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
|
||||||
Legacy: false
|
|
||||||
Policies:
|
|
||||||
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
|
||||||
```
|
|
|
@ -0,0 +1,84 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Auth Methods"
|
||||||
|
sidebar_current: "docs-commands-acl-auth-method"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Auth Methods
|
||||||
|
|
||||||
|
Command: `consul acl auth-method`
|
||||||
|
|
||||||
|
The `acl auth-method` command is used to manage Consul's ACL auth methods.
|
||||||
|
It exposes commands for creating, updating, reading, deleting, and listing auth methods.
|
||||||
|
This command is available in Consul 1.5.0 and newer.
|
||||||
|
|
||||||
|
ACL auth methods may also be managed via the [HTTP API](/api/acl/auth-methods.html).
|
||||||
|
|
||||||
|
-> **Note:** All of the example subcommands in this document will require a valid
|
||||||
|
Consul token with the appropriate permissions. Either set the
|
||||||
|
`CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the
|
||||||
|
secret ID as the value of the `-token` parameter.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl auth-method <subcommand>`
|
||||||
|
|
||||||
|
For the exact documentation for your Consul version, run `consul acl
|
||||||
|
auth-method -h` to view the complete list of subcommands.
|
||||||
|
|
||||||
|
```text
|
||||||
|
Usage: consul acl auth-method <subcommand> [options] [args]
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Subcommands:
|
||||||
|
create Create an ACL auth method
|
||||||
|
delete Delete an ACL auth method
|
||||||
|
list Lists ACL auth methods
|
||||||
|
read Read an ACL auth method
|
||||||
|
update Update an ACL auth method
|
||||||
|
```
|
||||||
|
|
||||||
|
For more information, examples, and usage about a subcommand, click on the name
|
||||||
|
of the subcommand in the sidebar.
|
||||||
|
|
||||||
|
## Basic Examples
|
||||||
|
|
||||||
|
Create a new auth method:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method create -type "kubernetes" \
|
||||||
|
-name "my-k8s" \
|
||||||
|
-description "This is an example kube auth method" \
|
||||||
|
-kubernetes-host "https://apiserver.example.com:8443" \
|
||||||
|
-kubernetes-ca-file /path/to/kube.ca.crt \
|
||||||
|
-kubernetes-service-account-jwt "JWT_CONTENTS"
|
||||||
|
```
|
||||||
|
|
||||||
|
List all auth methods:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method list
|
||||||
|
```
|
||||||
|
|
||||||
|
Update all editable fields of the auth method:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method update -name "my-k8s" \
|
||||||
|
-description "new description" \
|
||||||
|
-kubernetes-host "https://new-apiserver.example.com:8443" \
|
||||||
|
-kubernetes-ca-file /path/to/new-kube.ca.crt \
|
||||||
|
-kubernetes-service-account-jwt "NEW_JWT_CONTENTS"
|
||||||
|
```
|
||||||
|
|
||||||
|
Read an auth method:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method read -name my-k8s
|
||||||
|
```
|
||||||
|
|
||||||
|
Delete an auth method:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method delete -name my-k8s
|
||||||
|
```
|
|
@ -0,0 +1,64 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Auth Method Create"
|
||||||
|
sidebar_current: "docs-commands-acl-auth-method-create"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Auth Method Create
|
||||||
|
|
||||||
|
Command: `consul acl auth-method create`
|
||||||
|
|
||||||
|
The `acl auth-method create` command creates new auth methods.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl auth-method create [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the auth method.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that auth method metadata such as the raft indices should
|
||||||
|
be shown for each entry.
|
||||||
|
|
||||||
|
* `-name=<string>` - The new auth method's name. This flag is required.
|
||||||
|
|
||||||
|
* `-type=<string>` - The new auth method's type. This flag is required.
|
||||||
|
|
||||||
|
* `-kubernetes-ca-cert=<string>` - PEM encoded CA cert for use by the TLS
|
||||||
|
client used to talk with the Kubernetes API. May be prefixed with '@' to
|
||||||
|
indicate that the value is a file path to load the cert from. This flag is
|
||||||
|
required for `-type=kubernetes`.
|
||||||
|
|
||||||
|
* `-kubernetes-host=<string>` - Address of the Kubernetes API server. This flag
|
||||||
|
is required for `-type=kubernetes`.
|
||||||
|
|
||||||
|
* `-kubernetes-service-account-jwt=<string>` - A Kubernetes service account JWT
|
||||||
|
used to access the TokenReview API to validate other JWTs during login. This
|
||||||
|
flag is required for `-type=kubernetes`.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Create a new Kubernetes auth method:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method create -name minikube -type kubernetes \
|
||||||
|
-description 'minikube auth method' \
|
||||||
|
-kubernetes-host 'https://192.0.2.42:8443' \
|
||||||
|
-kubernetes-ca-cert '@minikube-ca.crt' \
|
||||||
|
-kubernetes-service-account-jwt 'eyJhbGciOiJSUzI1NiIsImtpZCI...'
|
||||||
|
Name: minikube
|
||||||
|
Type: kubernetes
|
||||||
|
Description: minikube auth method
|
||||||
|
Config:
|
||||||
|
{
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"Host": "https://192.0.2.42:8443",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI..."
|
||||||
|
}
|
||||||
|
```
|
|
@ -0,0 +1,33 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Auth Method Delete"
|
||||||
|
sidebar_current: "docs-commands-acl-auth-method-delete"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Auth Method Delete
|
||||||
|
|
||||||
|
Command: `consul acl auth-method delete`
|
||||||
|
|
||||||
|
The `acl auth-method delete` command deletes an auth method.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl auth-method delete [options]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-name=<string>` - The Name of the auth method to delete.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Delete an auth method:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method delete -name minikube
|
||||||
|
Auth-method "minikube" deleted successfully
|
||||||
|
```
|
|
@ -0,0 +1,55 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Auth Method List"
|
||||||
|
sidebar_current: "docs-commands-acl-auth-method-list"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Auth Method List
|
||||||
|
|
||||||
|
Command: `consul acl auth-method list`
|
||||||
|
|
||||||
|
The `acl auth-method list`s command lists all auth methods. By default it will not show metadata.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl auth-method list`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-meta` - Indicates that auth method metadata such as the raft indices should
|
||||||
|
be shown for each entry.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Default listing.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method list
|
||||||
|
minikube:
|
||||||
|
Type: kubernetes
|
||||||
|
Description: minikube auth method
|
||||||
|
minikube-two:
|
||||||
|
Type: kubernetes
|
||||||
|
Description: dev cluster
|
||||||
|
```
|
||||||
|
|
||||||
|
Show Metadata.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method list -meta
|
||||||
|
minikube:
|
||||||
|
Type: kubernetes
|
||||||
|
Description: minikube auth method
|
||||||
|
Create Index: 443
|
||||||
|
Modify Index: 443
|
||||||
|
minikube-two:
|
||||||
|
Type: kubernetes
|
||||||
|
Description: dev cluster
|
||||||
|
Create Index: 445
|
||||||
|
Modify Index: 445
|
||||||
|
```
|
|
@ -0,0 +1,44 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Auth Method Read"
|
||||||
|
sidebar_current: "docs-commands-acl-auth-method-read"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Auth Method Read
|
||||||
|
|
||||||
|
Command: `consul acl auth-method read`
|
||||||
|
|
||||||
|
The `acl auth-method read` command reads and displays an auth method's details.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl auth-method read [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-meta` - Indicates that auth method metadata such as the raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
* `-name=<string>` - The name of the auth method to read.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Get auth method details:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method read -name minikube
|
||||||
|
Name: minikube
|
||||||
|
Type: kubernetes
|
||||||
|
Description: minikube auth method
|
||||||
|
Config:
|
||||||
|
{
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"Host": "https://192.0.2.42:8443",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI..."
|
||||||
|
}
|
||||||
|
```
|
|
@ -0,0 +1,67 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Auth Method Update"
|
||||||
|
sidebar_current: "docs-commands-acl-auth-method-update"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Auth Method Update
|
||||||
|
|
||||||
|
Command: `consul acl auth-method update`
|
||||||
|
|
||||||
|
The `acl auth-method update` command is used to update an auth method. The
|
||||||
|
default operations is to merge the current auth method with those values
|
||||||
|
provided to the command invocation. Therefore to update just one field, only
|
||||||
|
the `-name` options and the option to modify must be provided.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl auth-method update [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the auth method.
|
||||||
|
|
||||||
|
* `-kubernetes-ca-cert=<string>` - PEM encoded CA cert for use by the TLS
|
||||||
|
client used to talk with the Kubernetes API. May be prefixed with '@' to
|
||||||
|
indicate that the value is a file path to load the cert from. This flag is
|
||||||
|
required for `-type=kubernetes`.
|
||||||
|
|
||||||
|
* `-kubernetes-host=<string>` - Address of the Kubernetes API server. This flag
|
||||||
|
is required for `-type=kubernetes`.
|
||||||
|
|
||||||
|
* `-kubernetes-service-account-jwt=<string>` - A Kubernetes service account JWT
|
||||||
|
used to access the TokenReview API to validate other JWTs during login. This
|
||||||
|
flag is required for `-type=kubernetes`.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that auth method metadata such as the raft
|
||||||
|
indices should be shown for each entry
|
||||||
|
|
||||||
|
* `-name=<string>` - The name of the auth method to update.
|
||||||
|
|
||||||
|
* `-no-merge` - Do not merge the current auth method information with what is provided
|
||||||
|
to the command. Instead overwrite all fields with the exception of the auth method
|
||||||
|
ID which is immutable.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Update an auth method:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl auth-method update -name minikube \
|
||||||
|
-description 'dev cluster' \
|
||||||
|
-kubernetes-host 'https://192.0.2.44:8443'
|
||||||
|
Name: minikube
|
||||||
|
Type: kubernetes
|
||||||
|
Description: dev cluster
|
||||||
|
Config:
|
||||||
|
{
|
||||||
|
"CACert": "-----BEGIN CERTIFICATE-----\n...-----END CERTIFICATE-----\n",
|
||||||
|
"Host": "https://192.0.2.44:8443",
|
||||||
|
"ServiceAccountJWT": "eyJhbGciOiJSUzI1NiIsImtpZCI..."
|
||||||
|
}
|
||||||
|
```
|
|
@ -0,0 +1,91 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Binding Rule"
|
||||||
|
sidebar_current: "docs-commands-acl-binding-rule"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Binding Rules
|
||||||
|
|
||||||
|
Command: `consul acl binding-rule`
|
||||||
|
|
||||||
|
The `acl binding-rule` command is used to manage Consul's ACL binding rules.
|
||||||
|
It exposes commands for creating, updating, reading, deleting, and listing binding rules.
|
||||||
|
This command is available in Consul 1.5.0 and newer.
|
||||||
|
|
||||||
|
ACL binding rules may also be managed via the [HTTP API](/api/acl/binding-rules.html).
|
||||||
|
|
||||||
|
-> **Note:** All of the example subcommands in this document will require a valid
|
||||||
|
Consul token with the appropriate permissions. Either set the
|
||||||
|
`CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the
|
||||||
|
secret ID as the value of the `-token` parameter.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl binding-rule <subcommand>`
|
||||||
|
|
||||||
|
For the exact documentation for your Consul version, run `consul acl
|
||||||
|
binding-rule -h` to view the complete list of subcommands.
|
||||||
|
|
||||||
|
```text
|
||||||
|
Usage: consul acl binding-rule <subcommand> [options] [args]
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Subcommands:
|
||||||
|
create Create an ACL binding rule
|
||||||
|
delete Delete an ACL binding rule
|
||||||
|
list Lists ACL binding rules
|
||||||
|
read Read an ACL binding rule
|
||||||
|
update Update an ACL binding rule
|
||||||
|
```
|
||||||
|
|
||||||
|
For more information, examples, and usage about a subcommand, click on the name
|
||||||
|
of the subcommand in the sidebar.
|
||||||
|
|
||||||
|
## Identifying Binding Rules
|
||||||
|
|
||||||
|
Several of the subcommands need to operate on a specific binding rule. Those
|
||||||
|
subcommands support specifying the binding rule by its ID using the `-id`
|
||||||
|
parameter.
|
||||||
|
|
||||||
|
When specifying the binding rule by its ID a unique binding rule ID prefix may
|
||||||
|
be specified instead of the entire UUID. As long as it is unique it will be
|
||||||
|
resolved to the full UUID and used.
|
||||||
|
|
||||||
|
## Basic Examples
|
||||||
|
|
||||||
|
Create a new binding rule:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule create \
|
||||||
|
-method=minikube \
|
||||||
|
-bind-type=service \
|
||||||
|
-bind-name='k8s-${serviceaccount.name}' \
|
||||||
|
-selector='serviceaccount.namespace==default and serviceaccount.name==web'
|
||||||
|
```
|
||||||
|
|
||||||
|
List all binding rules:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule list
|
||||||
|
```
|
||||||
|
|
||||||
|
Update a binding rule:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule update -id=43cb72df-9c6f-4315-ac8a-01a9d98155ef \
|
||||||
|
-bind-name='k8s-${serviceaccount.name}'
|
||||||
|
```
|
||||||
|
|
||||||
|
Read a binding rule:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule read -id fdabbcb5-9de5-4b1a-961f-77214ae88cba
|
||||||
|
```
|
||||||
|
|
||||||
|
Delete a binding rule:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule delete -id b6b856da-5193-4e78-845a-7d61ca8371ba
|
||||||
|
```
|
||||||
|
|
|
@ -0,0 +1,72 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Binding Rule Create"
|
||||||
|
sidebar_current: "docs-commands-acl-binding-rule-create"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Binding Rule Create
|
||||||
|
|
||||||
|
Command: `consul acl binding-rule create`
|
||||||
|
|
||||||
|
The `acl binding-rule create` command creates new binding rules.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl binding-rule create [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-bind-name=<string>` - Name to bind on match. Can use `${var}`
|
||||||
|
interpolation. This flag is required.
|
||||||
|
|
||||||
|
* `-bind-type=<string>` - Type of binding to perform (`"service"` or `"role"`).
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the binding rule.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that binding rule metadata such as the raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
* `-method=<string>` - The auth method's name for which this binding rule
|
||||||
|
applies. This flag is required.
|
||||||
|
|
||||||
|
* `-selector=<string>` - Selector is an expression that matches against
|
||||||
|
verified identity attributes returned from the auth method during login.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Create a new binding rule that binds to a service identity:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule create -method 'minikube' \
|
||||||
|
-description 'wildcard service' \
|
||||||
|
-bind-type 'service' \
|
||||||
|
-bind-name 'k8s-${serviceaccount.name}' \
|
||||||
|
-selector 'serviceaccount.namespace==default and serviceaccount.name!=vault'
|
||||||
|
ID: 0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890
|
||||||
|
AuthMethod: minikube
|
||||||
|
Description: wildcard service
|
||||||
|
BindType: service
|
||||||
|
BindName: k8s-${serviceaccount.name}
|
||||||
|
Selector: serviceaccount.namespace==default and serviceaccount.name!=vault
|
||||||
|
```
|
||||||
|
|
||||||
|
Create a new binding rule that binds to a role:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule create -method 'minikube' \
|
||||||
|
-description 'just vault role' \
|
||||||
|
-bind-type 'role' \
|
||||||
|
-bind-name 'vault' \
|
||||||
|
-selector 'serviceaccount.namespace==default and serviceaccount.name==vault'
|
||||||
|
ID: e21ae868-7b13-a230-0235-f8e83510642c
|
||||||
|
AuthMethod: minikube
|
||||||
|
Description: just vault role
|
||||||
|
BindType: role
|
||||||
|
BindName: vault
|
||||||
|
Selector: serviceaccount.namespace==default and serviceaccount.name==vault
|
||||||
|
```
|
|
@ -0,0 +1,34 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Binding Rule Delete"
|
||||||
|
sidebar_current: "docs-commands-acl-binding-rule-delete"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Binding Rule Delete
|
||||||
|
|
||||||
|
Command: `consul acl binding-rule delete`
|
||||||
|
|
||||||
|
The `acl binding-rule delete` command deletes a binding rule.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl binding-rule delete [options]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the binding rule to delete. It may be specified as a
|
||||||
|
unique ID prefix but will error if the prefix matches multiple binding rule IDs.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Delete a binding rule:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule delete -id 0ec1bd
|
||||||
|
Binding rule "0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890" deleted successfully
|
||||||
|
```
|
|
@ -0,0 +1,67 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Binding Rule List"
|
||||||
|
sidebar_current: "docs-commands-acl-binding-rule-list"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Binding Rule List
|
||||||
|
|
||||||
|
Command: `consul acl binding-rule list`
|
||||||
|
|
||||||
|
The `acl binding-rule list` command lists all binding rules. By default it will not show metadata.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl binding-rule list`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-meta` - Indicates that binding rule metadata such as the raft indices
|
||||||
|
should be shown for each entry.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Default listing.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule list
|
||||||
|
0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890:
|
||||||
|
AuthMethod: minikube
|
||||||
|
Description: wildcard service
|
||||||
|
BindType: service
|
||||||
|
BindName: k8s-${serviceaccount.name}
|
||||||
|
Selector: serviceaccount.namespace==default
|
||||||
|
e21ae868-7b13-a230-0235-f8e83510642c:
|
||||||
|
AuthMethod: minikube
|
||||||
|
Description: just vault role
|
||||||
|
BindType: role
|
||||||
|
BindName: vault
|
||||||
|
Selector: serviceaccount.namespace==default and serviceaccount.name==vault
|
||||||
|
```
|
||||||
|
|
||||||
|
Show Metadata.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule list -meta
|
||||||
|
0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890:
|
||||||
|
AuthMethod: minikube
|
||||||
|
Description: wildcard service
|
||||||
|
BindType: service
|
||||||
|
BindName: k8s-${serviceaccount.name}
|
||||||
|
Selector: serviceaccount.namespace==default
|
||||||
|
Create Index: 558
|
||||||
|
Modify Index: 583
|
||||||
|
e21ae868-7b13-a230-0235-f8e83510642c:
|
||||||
|
AuthMethod: minikube
|
||||||
|
Description: just vault role
|
||||||
|
BindType: role
|
||||||
|
BindName: vault
|
||||||
|
Selector: serviceaccount.namespace==default and serviceaccount.name==vault
|
||||||
|
Create Index: 593
|
||||||
|
Modify Index: 593
|
||||||
|
```
|
|
@ -0,0 +1,42 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Binding Rule Read"
|
||||||
|
sidebar_current: "docs-commands-acl-binding-rule-read"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Binding Rule Read
|
||||||
|
|
||||||
|
Command: `consul acl binding-rule read`
|
||||||
|
|
||||||
|
The `acl binding-rule read` command reads and displays a binding rules details.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl binding-rule read [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the binding rule to read. It may be specified as a unique ID
|
||||||
|
prefix but will error if the prefix matches multiple binding rule IDs.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that binding rule metadata such as the raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Get binding rule details:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule read -id '0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890'
|
||||||
|
ID: 0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890
|
||||||
|
AuthMethod: minikube
|
||||||
|
Description: wildcard service
|
||||||
|
BindType: service
|
||||||
|
BindName: k8s-${serviceaccount.name}
|
||||||
|
Selector: serviceaccount.namespace==default and serviceaccount.name!=vault
|
||||||
|
```
|
|
@ -0,0 +1,61 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Binding Rule Update"
|
||||||
|
sidebar_current: "docs-commands-acl-binding-rule-update"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Binding Rule Update
|
||||||
|
|
||||||
|
Command: `consul acl binding-rule update`
|
||||||
|
|
||||||
|
The `acl binding-rule update` command is used to update a binding rule. The
|
||||||
|
default operations is to merge the current binding rule with those values
|
||||||
|
provided to the command invocation. Therefore to update just one field, only
|
||||||
|
the `-id` option and the option to modify must be provided.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl binding-rule update [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-bind-name=<string>` - Name to bind on match. Can use `${var}`
|
||||||
|
interpolation. This flag is required.
|
||||||
|
|
||||||
|
* `-bind-type=<string>` - Type of binding to perform (`"service"` or `"role"`).
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the binding rule.
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the binding rule to update. It may be specified as a
|
||||||
|
unique ID prefix but will error if the prefix matches multiple binding rule IDs
|
||||||
|
|
||||||
|
* `-meta` - Indicates that binding rule metadata such as the raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
* `-no-merge` - Do not merge the current binding rule information with what is
|
||||||
|
provided to the command. Instead overwrite all fields with the exception of the
|
||||||
|
binding rule ID which is immutable.
|
||||||
|
|
||||||
|
* `-selector=<string>` - Selector is an expression that matches against
|
||||||
|
verified identity attributes returned from the auth method during login.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Update a binding rule:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl binding-rule update -id '0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890' \
|
||||||
|
-selector 'serviceaccount.namespace==default'
|
||||||
|
Binding rule updated successfully
|
||||||
|
ID: 0ec1bd2f-1d3b-bafb-d9bf-90ef04ab1890
|
||||||
|
AuthMethod: minikube
|
||||||
|
Description: wildcard service
|
||||||
|
BindType: service
|
||||||
|
BindName: k8s-${serviceaccount.name}
|
||||||
|
Selector: serviceaccount.namespace==default
|
||||||
|
```
|
|
@ -0,0 +1,97 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Policy"
|
||||||
|
sidebar_current: "docs-commands-acl-policy"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Policies
|
||||||
|
|
||||||
|
Command: `consul acl policy`
|
||||||
|
|
||||||
|
The `acl policy` command is used to manage Consul's ACL policies.
|
||||||
|
It exposes commands for creating, updating, reading, deleting, and listing policies.
|
||||||
|
This command is available in Consul 1.4.0 and newer.
|
||||||
|
|
||||||
|
ACL policies may also be managed via the [HTTP API](/api/acl/policies.html).
|
||||||
|
|
||||||
|
-> **Note:** All of the example subcommands in this document will require a valid
|
||||||
|
Consul token with the appropriate permissions. Either set the
|
||||||
|
`CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the
|
||||||
|
secret ID as the value of the `-token` parameter.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl policy <subcommand>`
|
||||||
|
|
||||||
|
For the exact documentation for your Consul version, run `consul acl
|
||||||
|
policy -h` to view the complete list of subcommands.
|
||||||
|
|
||||||
|
```text
|
||||||
|
Usage: consul acl policy <subcommand> [options] [args]
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Subcommands:
|
||||||
|
create Create an ACL policy
|
||||||
|
delete Delete an ACL policy
|
||||||
|
list Lists ACL policies
|
||||||
|
read Read an ACL policy
|
||||||
|
update Update an ACL policy
|
||||||
|
```
|
||||||
|
|
||||||
|
For more information, examples, and usage about a subcommand, click on the name
|
||||||
|
of the subcommand in the sidebar.
|
||||||
|
|
||||||
|
## Identifying Policies
|
||||||
|
|
||||||
|
Several of the subcommands need to operate on a specific policy. Those
|
||||||
|
subcommands support specifying the policy by its ID using the `-id` parameter
|
||||||
|
or by name using the `-name` parameter.
|
||||||
|
|
||||||
|
When specifying the policy by its ID a unique policy ID prefix may be specified
|
||||||
|
instead of the entire UUID. As long as it is unique it will be resolved to the
|
||||||
|
full UUID and used. Additionally builtin policy names will be accepted as the
|
||||||
|
value to the `-id` parameter. Even if the builtin policies are renamed their
|
||||||
|
original name can be used to operate on them.
|
||||||
|
|
||||||
|
Builtin policies:
|
||||||
|
|
||||||
|
| Policy UUID | Policy Name |
|
||||||
|
| ------------------------------------ | ----------------- |
|
||||||
|
| 00000000-0000-0000-0000-000000000001 | global-management |
|
||||||
|
|
||||||
|
## Basic Examples
|
||||||
|
|
||||||
|
Create a new ACL policy:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy create -name "new-policy" \
|
||||||
|
-description "This is an example policy" \
|
||||||
|
-datacenter "dc1" \
|
||||||
|
-datacenter "dc2" \
|
||||||
|
-rules @rules.hcl
|
||||||
|
```
|
||||||
|
|
||||||
|
List all policies:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy list
|
||||||
|
```
|
||||||
|
|
||||||
|
Update a policy:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy update -name "other-policy" -datacenter "dc1"
|
||||||
|
```
|
||||||
|
|
||||||
|
Read a policy:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy read -id 0479e93e-091c-4475-9b06-79a004765c24
|
||||||
|
```
|
||||||
|
|
||||||
|
Delete a policy
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy delete -name "my-policy"
|
||||||
|
```
|
|
@ -0,0 +1,104 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Policy Create"
|
||||||
|
sidebar_current: "docs-commands-acl-policy-create"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Policy Create
|
||||||
|
|
||||||
|
Command: `consul acl policy create`
|
||||||
|
|
||||||
|
The `acl policy create` command creates new policies. The policies rules can either be set explicitly or the
|
||||||
|
`-from-token` parameter may be used to load the rules from a legacy ACL token. When loading
|
||||||
|
the rules from an existing legacy ACL token, the rules get translated from the legacy syntax
|
||||||
|
to the new syntax.
|
||||||
|
|
||||||
|
Both the `-rules` and `-from-token` parameter values allow loading the value
|
||||||
|
from stdin, a file or the raw value. To use stdin pass `-` as the value.
|
||||||
|
To load the value from a file prefix the value with an `@`. Any other
|
||||||
|
values will be used directly.
|
||||||
|
|
||||||
|
-> **Deprecated:** The `-from-token` and `-token-secret` arguments exist only as a convenience
|
||||||
|
to make legacy ACL migration easier. These will be removed in a future major release when
|
||||||
|
support for the legacy ACL system is removed.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl policy create [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the policy.
|
||||||
|
|
||||||
|
* `-from-token=<string>` - The legacy token to retrieve the rules for when creating this
|
||||||
|
policy. When this is specified no other rules should be given.
|
||||||
|
Similar to the -rules option the token to use can be loaded from
|
||||||
|
stdin or from a file.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that policy metadata such as the content hash and raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
* `-name=<string>` - The new policy's name. This flag is required.
|
||||||
|
|
||||||
|
* `-rules=<string>` - The policy rules. May be prefixed with '@' to indicate that the
|
||||||
|
value is a file path to load the rules from. '-' may also be given
|
||||||
|
to indicate that the rules are available on stdin.
|
||||||
|
|
||||||
|
* `-token-secret` - Indicates the token provided with -from-token is a SecretID and not
|
||||||
|
an AccessorID.
|
||||||
|
|
||||||
|
* `-valid-datacenter=<value>` - Datacenter that the policy should be valid within.
|
||||||
|
This flag may be specified multiple times.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Create a new policy that is valid in all datacenters:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy create -name "acl-replication" -description "Policy capable of replicating ACL policies" -rules 'acl = "read"'
|
||||||
|
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
||||||
|
Name: acl-replication
|
||||||
|
Description: Policy capable of replicating ACL policies
|
||||||
|
Datacenters:
|
||||||
|
Rules:
|
||||||
|
acl = "read"
|
||||||
|
```
|
||||||
|
|
||||||
|
Create a new policy valid only in specific datacenters with rules read from a file:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy create -name "replication" -description "Replication" -rules @rules.hcl -valid-datacenter dc1 -valid-datacenter dc2
|
||||||
|
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
|
||||||
|
Name: replication
|
||||||
|
Description: Replication
|
||||||
|
Datacenters: dc1, dc2
|
||||||
|
Rules:
|
||||||
|
acl = "read"
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
intentions = "read"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Create a new policy with rules equivalent to that of a legacy ACL token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy create -name "node-services-read" -from-token 5793a5ce -description "Can read any node and service"
|
||||||
|
ID: 06acc965-df4b-5a99-58cb-3250930c6324
|
||||||
|
Name: node-services-read
|
||||||
|
Description: Can read any node and service
|
||||||
|
Datacenters:
|
||||||
|
Rules:
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
}
|
||||||
|
```
|
|
@ -0,0 +1,43 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Policy Delete"
|
||||||
|
sidebar_current: "docs-commands-acl-policy-delete"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Policy Delete
|
||||||
|
|
||||||
|
Command: `consul acl policy delete`
|
||||||
|
|
||||||
|
The `acl policy delete` command deletes a policy. Policies may be deleted by their ID or by name.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl policy delete [options]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the policy to delete. It may be specified as a
|
||||||
|
unique ID prefix but will error if the prefix matches multiple policy IDs.
|
||||||
|
|
||||||
|
* `-name=<string>` - The Name of the policy to delete.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Delete a policy:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy delete -id 35b8
|
||||||
|
Policy "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
|
||||||
|
```
|
||||||
|
|
||||||
|
Delete a policy by name:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy delete -name acl-replication
|
||||||
|
Policy "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
|
||||||
|
```
|
|
@ -0,0 +1,68 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Policy List"
|
||||||
|
sidebar_current: "docs-commands-acl-policy-list"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Policy List
|
||||||
|
|
||||||
|
Command: `consul acl policy list`
|
||||||
|
|
||||||
|
The `acl policy list` command lists all policies. By default it will not show metadata.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl policy list`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-meta` - Indicates that policy metadata such as the content hash and
|
||||||
|
Raft indices should be shown for each entry.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Default listing.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy list
|
||||||
|
global-management:
|
||||||
|
ID: 00000000-0000-0000-0000-000000000001
|
||||||
|
Description: Builtin Policy that grants unlimited access
|
||||||
|
Datacenters:
|
||||||
|
acl-replication:
|
||||||
|
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
||||||
|
Description: Policy capable of replicating ACL policies
|
||||||
|
Datacenters:
|
||||||
|
```
|
||||||
|
|
||||||
|
Show Metadata.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy list -meta
|
||||||
|
global-management:
|
||||||
|
ID: 00000000-0000-0000-0000-000000000001
|
||||||
|
Description: Builtin Policy that grants unlimited access
|
||||||
|
Datacenters:
|
||||||
|
Hash: b30210b7aba9facd1c57891e3df27669174a08b690cb2905e0797535f75eba69
|
||||||
|
Create Index: 4
|
||||||
|
Modify Index: 4
|
||||||
|
node-services-read:
|
||||||
|
ID: 06acc965-df4b-5a99-58cb-3250930c6324
|
||||||
|
Description: Can read any node and service
|
||||||
|
Datacenters:
|
||||||
|
Hash: 19d2a73dcd315506af73bfff1492779a0dc0235066fcac07f432fb2cc3402133
|
||||||
|
Create Index: 244
|
||||||
|
Modify Index: 244
|
||||||
|
acl-replication:
|
||||||
|
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
|
||||||
|
Description: Token capable of replicating ACL policies
|
||||||
|
Datacenters: dc1, dc2
|
||||||
|
Hash: b94669679cc24e0d064412e4aa90b470b7f900a8e0801f65feaf1f7d716a5390
|
||||||
|
Create Index: 198
|
||||||
|
Modify Index: 198
|
||||||
|
```
|
|
@ -0,0 +1,123 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Policy Read"
|
||||||
|
sidebar_current: "docs-commands-acl-policy-read"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Policy Read
|
||||||
|
|
||||||
|
Command: `consul acl policy read`
|
||||||
|
|
||||||
|
The `acl policy read` command reads and displays a policies details.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl policy read [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the policy to read. It may be specified as a unique ID
|
||||||
|
prefix but will error if the prefix matches multiple policy IDs.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that policy metadata such as the content hash and raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
* `-name=<string>` - The name of the policy to read.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Get policy details:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy read -id 00000000-0000-0000-0000-000000000001
|
||||||
|
ID: 00000000-0000-0000-0000-000000000001
|
||||||
|
Name: global-management
|
||||||
|
Description: Builtin Policy that grants unlimited access
|
||||||
|
Datacenters:
|
||||||
|
Rules:
|
||||||
|
|
||||||
|
acl = "write"
|
||||||
|
agent_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
event_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
key_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
keyring = "write"
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
operator = "write"
|
||||||
|
query_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
intentions = "write"
|
||||||
|
}
|
||||||
|
session_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Get policy details by name:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy read -name "acl-replication"
|
||||||
|
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
||||||
|
Name: acl-replication
|
||||||
|
Description: Token capable of replicating ACL policies
|
||||||
|
Datacenters:
|
||||||
|
Rules:
|
||||||
|
acl = "read"
|
||||||
|
```
|
||||||
|
|
||||||
|
Get policy details (Builtin Policies):
|
||||||
|
|
||||||
|
Builtin policies can be accessed by specifying their original name as the value to the `-id` parameter.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy read -id global-management
|
||||||
|
ID: 00000000-0000-0000-0000-000000000001
|
||||||
|
Name: global-management
|
||||||
|
Description: Builtin Policy that grants unlimited access
|
||||||
|
Datacenters:
|
||||||
|
Hash: b30210b7aba9facd1c57891e3df27669174a08b690cb2905e0797535f75eba69
|
||||||
|
Create Index: 4
|
||||||
|
Modify Index: 4
|
||||||
|
Rules:
|
||||||
|
|
||||||
|
acl = "write"
|
||||||
|
agent_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
event_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
key_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
keyring = "write"
|
||||||
|
node_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
operator = "write"
|
||||||
|
query_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
intentions = "write"
|
||||||
|
}
|
||||||
|
session_prefix "" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
```
|
|
@ -0,0 +1,85 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Policy Update"
|
||||||
|
sidebar_current: "docs-commands-acl-policy-update"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Policy Update
|
||||||
|
|
||||||
|
Command: `consul acl policy update`
|
||||||
|
|
||||||
|
The `acl policy update` command is used to update a policy. The default operations is to merge the current policy
|
||||||
|
with those values provided to the command invocation. Therefore to update just one field, only
|
||||||
|
the `-id` or `-name` options and the option to modify must be provided. Note that renaming
|
||||||
|
policies requires both the `-id` and `-name` as the new name cannot yet be used to lookup the
|
||||||
|
policy.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl policy update [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the policy.
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the policy to update. It may be specified as a
|
||||||
|
unique ID prefix but will error if the prefix matches multiple policy IDs
|
||||||
|
|
||||||
|
* `-meta` - Indicates that policy metadata such as the content hash and raft
|
||||||
|
indices should be shown for each entry
|
||||||
|
|
||||||
|
* `-name=<string>` - The policy's name.
|
||||||
|
|
||||||
|
* `-no-merge` - Do not merge the current policy information with what is provided
|
||||||
|
to the command. Instead overwrite all fields with the exception of
|
||||||
|
the policy ID which is immutable.
|
||||||
|
|
||||||
|
* `-rules=<string>` - The policy rules. May be prefixed with `@` to indicate that
|
||||||
|
the value is a file path to load the rules from. `-` may also be given to
|
||||||
|
indicate that the rules are available on stdin.
|
||||||
|
|
||||||
|
* `-valid-datacenter=<value>` - Datacenter that the policy should be valid within.
|
||||||
|
This flag may be specified multiple times.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Update a policy:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy update -id 35b8 -name "replication" -description "Policy capable of replication ACL policies and Intentions" -rules @rules.hcl
|
||||||
|
Policy updated successfully
|
||||||
|
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
||||||
|
Name: replication
|
||||||
|
Description: Policy capable of replication ACL policies and Intentions
|
||||||
|
Datacenters:
|
||||||
|
Rules:
|
||||||
|
acl = "read"
|
||||||
|
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
intentions = "read"
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Rename a policy:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl policy update -id 35b8 -name "dc1-replication"
|
||||||
|
Policy updated successfully
|
||||||
|
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
|
||||||
|
Name: dc1-replication
|
||||||
|
Description: Policy capable of replication ACL policies and Intentions
|
||||||
|
Datacenters: dc1
|
||||||
|
Rules:
|
||||||
|
acl = "read"
|
||||||
|
|
||||||
|
service_prefix "" {
|
||||||
|
policy = "read"
|
||||||
|
intentions = "read"
|
||||||
|
}
|
||||||
|
```
|
|
@ -0,0 +1,87 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Role"
|
||||||
|
sidebar_current: "docs-commands-acl-role"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Roles
|
||||||
|
|
||||||
|
Command: `consul acl role`
|
||||||
|
|
||||||
|
The `acl role` command is used to manage Consul's ACL roles.
|
||||||
|
It exposes commands for creating, updating, reading, deleting, and listing roles.
|
||||||
|
This command is available in Consul 1.5.0 and newer.
|
||||||
|
|
||||||
|
ACL roles may also be managed via the [HTTP API](/api/acl/roles.html).
|
||||||
|
|
||||||
|
-> **Note:** All of the example subcommands in this document will require a valid
|
||||||
|
Consul token with the appropriate permissions. Either set the
|
||||||
|
`CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the
|
||||||
|
secret ID as the value of the `-token` parameter.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl role <subcommand>`
|
||||||
|
|
||||||
|
For the exact documentation for your Consul version, run `consul acl
|
||||||
|
role -h` to view the complete list of subcommands.
|
||||||
|
|
||||||
|
```text
|
||||||
|
Usage: consul acl role <subcommand> [options] [args]
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Subcommands:
|
||||||
|
create Create an ACL role
|
||||||
|
delete Delete an ACL role
|
||||||
|
list Lists ACL roles
|
||||||
|
read Read an ACL role
|
||||||
|
update Update an ACL role
|
||||||
|
```
|
||||||
|
|
||||||
|
For more information, examples, and usage about a subcommand, click on the name
|
||||||
|
of the subcommand in the sidebar.
|
||||||
|
|
||||||
|
## Identifying Roles
|
||||||
|
|
||||||
|
Several of the subcommands need to operate on a specific role. Those
|
||||||
|
subcommands support specifying the role by its ID using the `-id` parameter
|
||||||
|
or by name using the `-name` parameter.
|
||||||
|
|
||||||
|
When specifying the role by its ID a unique role ID prefix may be specified
|
||||||
|
instead of the entire UUID. As long as it is unique it will be resolved to the
|
||||||
|
full UUID and used.
|
||||||
|
|
||||||
|
## Basic Examples
|
||||||
|
|
||||||
|
Create a new ACL role:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role create -name "new-role" \
|
||||||
|
-description "This is an example role" \
|
||||||
|
-policy-id 06acc965
|
||||||
|
```
|
||||||
|
|
||||||
|
List all roles:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role list
|
||||||
|
```
|
||||||
|
|
||||||
|
Update a role:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role update -name "other-role" -datacenter "dc1"
|
||||||
|
```
|
||||||
|
|
||||||
|
Read a role:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role read -id 0479e93e-091c-4475-9b06-79a004765c24
|
||||||
|
```
|
||||||
|
|
||||||
|
Delete a role
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role delete -name "my-role"
|
||||||
|
```
|
|
@ -0,0 +1,63 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Role Create"
|
||||||
|
sidebar_current: "docs-commands-acl-role-create"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Role Create
|
||||||
|
|
||||||
|
Command: `consul acl role create`
|
||||||
|
|
||||||
|
The `acl role create` command creates new roles.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl role create [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the role.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that role metadata such as the content hash and raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
* `-name=<string>` - The new role's name. This flag is required.
|
||||||
|
|
||||||
|
* `-policy-id=<value>` - ID of a policy to use for this role. May be specified
|
||||||
|
multiple times
|
||||||
|
|
||||||
|
* `-policy-name=<value>` - Name of a policy to use for this role. May be
|
||||||
|
specified multiple times
|
||||||
|
|
||||||
|
* `-service-identity=<value>` - Name of a service identity to use for this
|
||||||
|
role. May be specified multiple times. Format is the `SERVICENAME` or
|
||||||
|
`SERVICENAME:DATACENTER1,DATACENTER2,...`
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Create a new role with one policy:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role create -name "crawler" -description "web crawler role" -policy-name "crawler-kv"
|
||||||
|
ID: 57147d87-6bf7-f794-1a6e-7d038c4e4ae9
|
||||||
|
Name: crawler
|
||||||
|
Description: web crawler role
|
||||||
|
Policies:
|
||||||
|
2f8f99c7-edd9-2f09-7e4b-a1f519eb4fc2 - crawler-kv
|
||||||
|
```
|
||||||
|
|
||||||
|
Create a new role with one service identity:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role create -name archiver -description 'archiver role' -service-identity "archiver:dc2"
|
||||||
|
ID: a365fdc9-ac71-e754-0645-7ab6bd747301
|
||||||
|
Name: archiver
|
||||||
|
Description: archiver role
|
||||||
|
Service Identities:
|
||||||
|
archiver (Datacenters: dc2)
|
||||||
|
```
|
|
@ -0,0 +1,43 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Role Delete"
|
||||||
|
sidebar_current: "docs-commands-acl-role-delete"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Role Delete
|
||||||
|
|
||||||
|
Command: `consul acl role delete`
|
||||||
|
|
||||||
|
The `acl role delete` command deletes a role. Roles may be deleted by their ID or by name.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl role delete [options]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the role to delete. It may be specified as a
|
||||||
|
unique ID prefix but will error if the prefix matches multiple role IDs.
|
||||||
|
|
||||||
|
* `-name=<string>` - The Name of the role to delete.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Delete a role by prefix:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role delete -id 57147
|
||||||
|
Role "57147d87-6bf7-f794-1a6e-7d038c4e4ae9" deleted successfully
|
||||||
|
```
|
||||||
|
|
||||||
|
Delete a role by name:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role delete -name crawler
|
||||||
|
Role "a365fdc9-ac71-e754-0645-7ab6bd747301" deleted successfully
|
||||||
|
```
|
|
@ -0,0 +1,69 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Role List"
|
||||||
|
sidebar_current: "docs-commands-acl-role-list"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Role List
|
||||||
|
|
||||||
|
Command: `consul acl role list`
|
||||||
|
|
||||||
|
The `acl role list` command lists all roles. By default it will not show metadata.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl role list`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-meta` - Indicates that role metadata such as the content hash and
|
||||||
|
Raft indices should be shown for each entry.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Default listing.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role list
|
||||||
|
web-crawler:
|
||||||
|
ID: 57147d87-6bf7-f794-1a6e-7d038c4e4ae9
|
||||||
|
Description: web crawler updated role
|
||||||
|
Policies:
|
||||||
|
2f8f99c7-edd9-2f09-7e4b-a1f519eb4fc2 - crawler-kv
|
||||||
|
Service Identities:
|
||||||
|
crawler (Datacenters: all)
|
||||||
|
archiver:
|
||||||
|
ID: a365fdc9-ac71-e754-0645-7ab6bd747301
|
||||||
|
Description: archiver role
|
||||||
|
Service Identities:
|
||||||
|
archiver (Datacenters: dc2)
|
||||||
|
```
|
||||||
|
|
||||||
|
Show Metadata.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role list -meta
|
||||||
|
web-crawler:
|
||||||
|
ID: 57147d87-6bf7-f794-1a6e-7d038c4e4ae9
|
||||||
|
Description: web crawler updated role
|
||||||
|
Hash: 3bd7c15a77c8d1d45c515378f1176df2e6f76d9c96d541f96de8272ff4dba7b5
|
||||||
|
Create Index: 18
|
||||||
|
Modify Index: 39
|
||||||
|
Policies:
|
||||||
|
2f8f99c7-edd9-2f09-7e4b-a1f519eb4fc2 - crawler-kv
|
||||||
|
Service Identities:
|
||||||
|
crawler (Datacenters: all)
|
||||||
|
archiver:
|
||||||
|
ID: a365fdc9-ac71-e754-0645-7ab6bd747301
|
||||||
|
Description: archiver role
|
||||||
|
Hash: 9af397ea92ee901366d6333c658195be16f4aee8aa64d2b529b921c879b70a58
|
||||||
|
Create Index: 22
|
||||||
|
Modify Index: 22
|
||||||
|
Service Identities:
|
||||||
|
archiver (Datacenters: dc2)
|
||||||
|
```
|
|
@ -0,0 +1,54 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Role Read"
|
||||||
|
sidebar_current: "docs-commands-acl-role-read"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Role Read
|
||||||
|
|
||||||
|
Command: `consul acl role read`
|
||||||
|
|
||||||
|
The `acl role read` command reads and displays a roles details.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl role read [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the role to read. It may be specified as a unique ID
|
||||||
|
prefix but will error if the prefix matches multiple role IDs.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that role metadata such as the content hash and raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
* `-name=<string>` - The name of the role to read.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Get role details:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role read -id 57147d87-6bf7-f794-1a6e-7d038c4e4ae9
|
||||||
|
ID: 57147d87-6bf7-f794-1a6e-7d038c4e4ae9
|
||||||
|
Name: crawler
|
||||||
|
Description: web crawler role
|
||||||
|
Policies:
|
||||||
|
2f8f99c7-edd9-2f09-7e4b-a1f519eb4fc2 - crawler-kv
|
||||||
|
```
|
||||||
|
|
||||||
|
Get role details by name:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role read -name archiver
|
||||||
|
ID: a365fdc9-ac71-e754-0645-7ab6bd747301
|
||||||
|
Name: archiver
|
||||||
|
Description: archiver role
|
||||||
|
Service Identities:
|
||||||
|
archiver (Datacenters: dc2)
|
||||||
|
```
|
|
@ -0,0 +1,81 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Role Update"
|
||||||
|
sidebar_current: "docs-commands-acl-role-update"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Role Update
|
||||||
|
|
||||||
|
Command: `consul acl role update`
|
||||||
|
|
||||||
|
The `acl role update` command is used to update a role. The default operations is to merge the
|
||||||
|
current role with those values provided to the command invocation. Therefore to
|
||||||
|
update just one field, only the `-id` or `-name` options and the option to
|
||||||
|
modify must be provided. Note that renaming roles requires both the `-id` and
|
||||||
|
`-name` as the new name cannot yet be used to lookup the role.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl role update [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the role.
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the role to update. It may be specified as a
|
||||||
|
unique ID prefix but will error if the prefix matches multiple role IDs
|
||||||
|
|
||||||
|
* `-meta` - Indicates that role metadata such as the content hash and raft
|
||||||
|
indices should be shown for each entry
|
||||||
|
|
||||||
|
* `-name=<string>` - The role name.
|
||||||
|
|
||||||
|
* `-no-merge` - Do not merge the current role information with what is provided
|
||||||
|
to the command. Instead overwrite all fields with the exception of the role
|
||||||
|
ID which is immutable.
|
||||||
|
|
||||||
|
* `-policy-id=<value>` - ID of a policy to use for this role. May be specified
|
||||||
|
multiple times
|
||||||
|
|
||||||
|
* `-policy-name=<value>` - Name of a policy to use for this role. May be
|
||||||
|
specified multiple times
|
||||||
|
|
||||||
|
* `-service-identity=<value>` - Name of a service identity to use for this
|
||||||
|
role. May be specified multiple times. Format is the `SERVICENAME` or
|
||||||
|
`SERVICENAME:DATACENTER1,DATACENTER2,...`
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Update a role:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role update -id 57147d87-6bf7-f794-1a6e-7d038c4e4ae9 \
|
||||||
|
-description 'web crawler updated role' -service-identity 'crawler'
|
||||||
|
Role updated successfully
|
||||||
|
ID: 57147d87-6bf7-f794-1a6e-7d038c4e4ae9
|
||||||
|
Name: crawler
|
||||||
|
Description: web crawler updated role
|
||||||
|
Policies:
|
||||||
|
2f8f99c7-edd9-2f09-7e4b-a1f519eb4fc2 - crawler-kv
|
||||||
|
Service Identities:
|
||||||
|
crawler (Datacenters: all)
|
||||||
|
```
|
||||||
|
|
||||||
|
Rename a role by prefix:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl role update -id 57147 -name web-crawler
|
||||||
|
Role updated successfully
|
||||||
|
ID: 57147d87-6bf7-f794-1a6e-7d038c4e4ae9
|
||||||
|
Name: web-crawler
|
||||||
|
Description: web crawler updated role
|
||||||
|
Policies:
|
||||||
|
2f8f99c7-edd9-2f09-7e4b-a1f519eb4fc2 - crawler-kv
|
||||||
|
Service Identities:
|
||||||
|
crawler (Datacenters: all)
|
||||||
|
```
|
|
@ -0,0 +1,93 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Token"
|
||||||
|
sidebar_current: "docs-commands-acl-token"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Tokens
|
||||||
|
|
||||||
|
Command: `consul acl token`
|
||||||
|
|
||||||
|
The `acl token` command is used to manage Consul's ACL tokens.
|
||||||
|
It exposes commands for creating, updating, reading, deleting, and listing tokens.
|
||||||
|
This command is available in Consul 1.4.0 and newer.
|
||||||
|
|
||||||
|
ACL tokens may also be managed via the [HTTP API](/api/acl/tokens.html).
|
||||||
|
|
||||||
|
-> **Note:** All of the example subcommands in this document will require a valid
|
||||||
|
Consul token with the appropriate permissions. Either set the
|
||||||
|
`CONSUL_HTTP_TOKEN` environment variable to the token's secret ID or pass the
|
||||||
|
secret ID as the value of the `-token` parameter.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl token <subcommand>`
|
||||||
|
|
||||||
|
For the exact documentation for your Consul version, run `consul acl
|
||||||
|
token -h` to view the complete list of subcommands.
|
||||||
|
|
||||||
|
```text
|
||||||
|
Usage: consul acl token <subcommand> [options] [args]
|
||||||
|
|
||||||
|
...
|
||||||
|
|
||||||
|
Subcommands:
|
||||||
|
clone Clone an ACL token
|
||||||
|
create Create an ACL token
|
||||||
|
delete Delete an ACL token
|
||||||
|
list List ACL tokens
|
||||||
|
read Read an ACL token
|
||||||
|
update Update an ACL token
|
||||||
|
```
|
||||||
|
|
||||||
|
For more information, examples, and usage about a subcommand, click on the name
|
||||||
|
of the subcommand in the sidebar.
|
||||||
|
|
||||||
|
## Identifying Tokens
|
||||||
|
|
||||||
|
Several of the subcommands need to operate on a specific token. Those
|
||||||
|
subcommands support specifying the token by its ID using the `-id` parameter.
|
||||||
|
|
||||||
|
The ID may be specified as a unique UUID prefix instead of the entire UUID. As
|
||||||
|
long as it is unique it will be resolve to the full UUID and used. Additionally
|
||||||
|
builtin token names will be accepted as the value of the `-id`.
|
||||||
|
|
||||||
|
Builtin Tokens:
|
||||||
|
|
||||||
|
| Token UUID | Token Name |
|
||||||
|
| ------------------------------------ | ----------------- |
|
||||||
|
| 00000000-0000-0000-0000-000000000002 | anonymous |
|
||||||
|
|
||||||
|
## Basic Examples
|
||||||
|
|
||||||
|
Create a new ACL token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token create \
|
||||||
|
-description "This is an example token" \
|
||||||
|
-policy-id 06acc965
|
||||||
|
```
|
||||||
|
|
||||||
|
List all tokens:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token list
|
||||||
|
```
|
||||||
|
|
||||||
|
Update a token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token update -id 986193 -description "WonderToken"
|
||||||
|
```
|
||||||
|
|
||||||
|
Read a token with an accessor ID:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token read -id 986193
|
||||||
|
```
|
||||||
|
|
||||||
|
Delete a token
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token delete -id 986193
|
||||||
|
```
|
|
@ -0,0 +1,45 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Token Clone"
|
||||||
|
sidebar_current: "docs-commands-acl-token-clone"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Token Clone
|
||||||
|
|
||||||
|
Command: `consul acl token clone`
|
||||||
|
|
||||||
|
The `acl token clone` command clones an existing token.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl token clone [options]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the new cloned token.
|
||||||
|
|
||||||
|
* `-id=<string>` - The Accessor ID of the token to clone. It may be specified
|
||||||
|
as a unique ID prefix but will error if the prefix matches multiple token
|
||||||
|
Accessor IDs. The special value of 'anonymous' may be provided instead of
|
||||||
|
the anonymous tokens accessor ID
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Clone a token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token clone -id 59f8 -description "Clone of Super User"
|
||||||
|
Token cloned successfully.
|
||||||
|
AccessorID: dcfa52ed-9288-b3ff-056d-255ef69d2d88
|
||||||
|
SecretID: 0005d17e-5bb2-7e8b-7bfa-15f2eee9ad14
|
||||||
|
Description: Clone of Super User
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 16:26:02.909096 -0400 EDT
|
||||||
|
Policies:
|
||||||
|
00000000-0000-0000-0000-000000000001 - global-management
|
||||||
|
```
|
|
@ -0,0 +1,108 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Token Create"
|
||||||
|
sidebar_current: "docs-commands-acl-token-create"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Token Create
|
||||||
|
|
||||||
|
Command: `consul acl token create`
|
||||||
|
|
||||||
|
This command creates new tokens. When creating a new token, policies may be linked using
|
||||||
|
either the `-policy-id` or the `-policy-name` options. When specifying policies by IDs you
|
||||||
|
may use a unique prefix of the UUID as a shortcut for specifying the entire UUID.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl token create [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-accessor=<string>` - Create the token with this Accessor ID. It must be a UUID. If not
|
||||||
|
specified one will be auto-generated
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the token.
|
||||||
|
|
||||||
|
* `-expires-ttl=<duration>` - Duration of time this token should be valid for.
|
||||||
|
|
||||||
|
* `-local` - Create this as a datacenter local token.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that token metadata such as the content hash and raft indices should be shown
|
||||||
|
for each entry.
|
||||||
|
|
||||||
|
* `-policy-id=<value>` - ID of a policy to use for this token. May be specified multiple times.
|
||||||
|
|
||||||
|
* `-policy-name=<value>` - Name of a policy to use for this token. May be specified multiple times.
|
||||||
|
|
||||||
|
* `-role-id=<value>` - ID of a role to use for this token. May be specified multiple times.
|
||||||
|
|
||||||
|
* `-role-name=<value>` - Name of a role to use for this token. May be specified multiple times.
|
||||||
|
|
||||||
|
* `-service-identity=<value>` - Name of a service identity to use for this
|
||||||
|
token. May be specified multiple times. Format is the `SERVICENAME` or
|
||||||
|
`SERVICENAME:DATACENTER1,DATACENTER2,...`
|
||||||
|
|
||||||
|
* `-secret=<string>` - Create the token with this Secret ID. It must be a UUID. If not
|
||||||
|
specified one will be auto-generated.
|
||||||
|
**Note**: The SecretID is used to authorize operations against Consul and should
|
||||||
|
be generated from an appropriate cryptographic source.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Create a new token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965
|
||||||
|
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
||||||
|
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
|
||||||
|
Description: Read Nodes and Services
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
||||||
|
Policies:
|
||||||
|
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
||||||
|
```
|
||||||
|
|
||||||
|
Create a new local token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local
|
||||||
|
AccessorID: 4fdf0ec8-d251-3865-079c-7247c974fc50
|
||||||
|
SecretID: 02143514-abf2-6c23-0aa1-ec2107e68f6b
|
||||||
|
Description: Read Nodes and Services
|
||||||
|
Local: true
|
||||||
|
Create Time: 2018-10-22 15:34:19.330265 -0400 EDT
|
||||||
|
Policies:
|
||||||
|
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
||||||
|
```
|
||||||
|
|
||||||
|
Create a new token and link with policies by name:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token create -description "Super User" -policy-name global-management
|
||||||
|
AccessorID: 59f86a9b-d3b6-166c-32a0-be4ab3f94caa
|
||||||
|
SecretID: ada7f751-f654-8872-7f93-498e799158b6
|
||||||
|
Description: Super User
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 15:35:28.787003 -0400 EDT
|
||||||
|
Policies:
|
||||||
|
00000000-0000-0000-0000-000000000001 - global-management
|
||||||
|
```
|
||||||
|
|
||||||
|
Create a new token with one service identity that expires in 15 minutes:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token create -description 'crawler token' -service-identity 'crawler' -expires-ttl '15m'
|
||||||
|
AccessorID: 0c083aca-6c15-f0cc-c4d9-30578db54cd9
|
||||||
|
SecretID: 930dafb6-5c08-040b-23fb-a368a95256f9
|
||||||
|
Description: crawler token
|
||||||
|
Local: false
|
||||||
|
Create Time: 2019-04-25 16:45:49.337687334 -0500 CDT
|
||||||
|
Expiration Time: 2019-04-25 17:00:49.337687334 -0500 CDT
|
||||||
|
Service Identities:
|
||||||
|
crawler (Datacenters: all)
|
||||||
|
```
|
|
@ -0,0 +1,34 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Token Delete"
|
||||||
|
sidebar_current: "docs-commands-acl-token-delete"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Token Delete
|
||||||
|
|
||||||
|
Command: `consul acl token delete`
|
||||||
|
|
||||||
|
The `acl token delete` command deletes a token.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl token delete [options]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the token to delete. It may be specified as a
|
||||||
|
unique ID prefix but will error if the prefix matches multiple token IDs.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Delete a token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token delete -id 35b8
|
||||||
|
Token "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
|
||||||
|
```
|
|
@ -0,0 +1,64 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Token List"
|
||||||
|
sidebar_current: "docs-commands-acl-token-list"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Token List
|
||||||
|
|
||||||
|
Command: `consul acl token list`
|
||||||
|
|
||||||
|
The `acl token list` command lists all tokens. By default it will not show metadata.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl token list`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-meta` - Indicates that token metadata such as the content hash and
|
||||||
|
Raft indices should be shown for each entry.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Default listing.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token list
|
||||||
|
AccessorID: 4d123dff-f460-73c3-02c4-8dd64d136e01
|
||||||
|
Description: Bootstrap Token (Global Management)
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 11:27:04.479026 -0400 EDT
|
||||||
|
Legacy: false
|
||||||
|
Policies:
|
||||||
|
00000000-0000-0000-0000-000000000001 - global-management
|
||||||
|
|
||||||
|
AccessorID: 59f86a9b-d3b6-166c-32a0-be4ab3f94caa
|
||||||
|
Description: Super User
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 15:35:28.787003 -0400 EDT
|
||||||
|
Legacy: false
|
||||||
|
Policies:
|
||||||
|
00000000-0000-0000-0000-000000000001 - global-management
|
||||||
|
|
||||||
|
AccessorID: 00000000-0000-0000-0000-000000000002
|
||||||
|
Description: Anonymous Token
|
||||||
|
Local: false
|
||||||
|
Create Time: 0001-01-01 00:00:00 +0000 UTC
|
||||||
|
Legacy: false
|
||||||
|
Policies:
|
||||||
|
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
||||||
|
|
||||||
|
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
||||||
|
Description: WonderToken
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
||||||
|
Legacy: false
|
||||||
|
Policies:
|
||||||
|
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
||||||
|
```
|
|
@ -0,0 +1,71 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Token Read"
|
||||||
|
sidebar_current: "docs-commands-acl-token-read"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Token Read
|
||||||
|
|
||||||
|
Command: `consul acl token read`
|
||||||
|
|
||||||
|
The `acl token read` command reads and displays a token details.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl token read [options] [args]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-id=<string>` - The ID of the policy to read. It may be specified as a unique ID
|
||||||
|
prefix but will error if the prefix matches multiple policy IDs.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that policy metadata such as the content hash and raft
|
||||||
|
indices should be shown for each entry.
|
||||||
|
|
||||||
|
* `-self` - Indicates that the current HTTP token should be read by secret ID
|
||||||
|
instead of expecting a -id option.
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Get token details:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token read -id 986
|
||||||
|
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
||||||
|
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
|
||||||
|
Description: Read Nodes and Services
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
||||||
|
Policies:
|
||||||
|
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
||||||
|
```
|
||||||
|
|
||||||
|
Get token details using the token secret ID:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$consul acl token read -self
|
||||||
|
AccessorID: 4d123dff-f460-73c3-02c4-8dd64d136e01
|
||||||
|
SecretID: 86cddfb9-2760-d947-358d-a2811156bf31
|
||||||
|
Description: Bootstrap Token (Global Management)
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 11:27:04.479026 -0400 EDT
|
||||||
|
Policies:
|
||||||
|
00000000-0000-0000-0000-000000000001 - global-management
|
||||||
|
```
|
||||||
|
|
||||||
|
Get token details (Builtin Tokens)
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token read -id anonymous
|
||||||
|
AccessorID: 00000000-0000-0000-0000-000000000002
|
||||||
|
SecretID: anonymous
|
||||||
|
Description: Anonymous Token
|
||||||
|
Local: false
|
||||||
|
Create Time: 0001-01-01 00:00:00 +0000 UTC
|
||||||
|
Policies:
|
||||||
|
```
|
|
@ -0,0 +1,79 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: ACL Token Update"
|
||||||
|
sidebar_current: "docs-commands-acl-token-update"
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul ACL Token Update
|
||||||
|
|
||||||
|
Command: `consul acl token update`
|
||||||
|
|
||||||
|
The `acl token update` command will update a token. Some parts of the token like whether the
|
||||||
|
token is local to the datacenter cannot be changed.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul acl token update [options]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
<%= partial "docs/commands/http_api_options_server" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-description=<string>` - A description of the token
|
||||||
|
|
||||||
|
* `-id=<string>` - The Accessor ID of the token to read. It may be specified as a
|
||||||
|
unique ID prefix but will error if the prefix matches multiple token Accessor IDs
|
||||||
|
|
||||||
|
* `-merge-policies` - Merge the new policies with the existing policies.
|
||||||
|
|
||||||
|
* `-merge-roles` - Merge the new roles with the existing roles.
|
||||||
|
|
||||||
|
* `-merge-service-identities` - Merge the new service identities with the existing service identities.
|
||||||
|
|
||||||
|
* `-meta` - Indicates that token metadata such as the content hash and Raft indices should be
|
||||||
|
shown for each entry.
|
||||||
|
|
||||||
|
* `-policy-id=<value>` - ID of a policy to use for this token. May be specified multiple times.
|
||||||
|
|
||||||
|
* `-policy-name=<value>` - Name of a policy to use for this token. May be specified multiple times.
|
||||||
|
|
||||||
|
* `-role-id=<value>` - ID of a role to use for this token. May be specified multiple times.
|
||||||
|
|
||||||
|
* `-role-name=<value>` - Name of a role to use for this token. May be specified multiple times.
|
||||||
|
|
||||||
|
* `-service-identity=<value>` - Name of a service identity to use for this
|
||||||
|
token. May be specified multiple times. Format is the `SERVICENAME` or
|
||||||
|
`SERVICENAME:DATACENTER1,DATACENTER2,...`
|
||||||
|
|
||||||
|
## Examples
|
||||||
|
|
||||||
|
Update the anonymous token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token update -id anonymous -policy-id 06acc
|
||||||
|
Token updated successfully.
|
||||||
|
AccessorID: 00000000-0000-0000-0000-000000000002
|
||||||
|
SecretID: anonymous
|
||||||
|
Description: Anonymous Token
|
||||||
|
Local: false
|
||||||
|
Create Time: 0001-01-01 00:00:00 +0000 UTC
|
||||||
|
Policies:
|
||||||
|
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
||||||
|
```
|
||||||
|
|
||||||
|
Update a token description and take the policies from the existing token:
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul acl token update -id 986193 -description "WonderToken" -merge-policies
|
||||||
|
Token updated successfully.
|
||||||
|
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
|
||||||
|
SecretID: ec15675e-2999-d789-832e-8c4794daa8d7
|
||||||
|
Description: WonderToken
|
||||||
|
Local: false
|
||||||
|
Create Time: 2018-10-22 15:33:39.01789 -0400 EDT
|
||||||
|
Policies:
|
||||||
|
06acc965-df4b-5a99-58cb-3250930c6324 - node-services-read
|
||||||
|
```
|
|
@ -26,9 +26,11 @@ $ consul
|
||||||
Usage: consul [--version] [--help] <command> [<args>]
|
Usage: consul [--version] [--help] <command> [<args>]
|
||||||
|
|
||||||
Available commands are:
|
Available commands are:
|
||||||
|
acl Interact with Consul's ACLs
|
||||||
agent Runs a Consul agent
|
agent Runs a Consul agent
|
||||||
catalog Interact with the catalog
|
catalog Interact with the catalog
|
||||||
connect Interact with Consul Connect
|
connect Interact with Consul Connect
|
||||||
|
debug Records a debugging archive for operators
|
||||||
event Fire a new event
|
event Fire a new event
|
||||||
exec Executes a command on Consul nodes
|
exec Executes a command on Consul nodes
|
||||||
force-leave Forces a member of the cluster to enter the "left" state
|
force-leave Forces a member of the cluster to enter the "left" state
|
||||||
|
@ -40,6 +42,8 @@ Available commands are:
|
||||||
kv Interact with the key-value store
|
kv Interact with the key-value store
|
||||||
leave Gracefully leaves the Consul cluster and shuts down
|
leave Gracefully leaves the Consul cluster and shuts down
|
||||||
lock Execute a command holding a lock
|
lock Execute a command holding a lock
|
||||||
|
login Login to Consul using an auth method
|
||||||
|
logout Destroy a Consul token created with login
|
||||||
maint Controls node or service maintenance mode
|
maint Controls node or service maintenance mode
|
||||||
members Lists the members of a Consul cluster
|
members Lists the members of a Consul cluster
|
||||||
monitor Stream logs from a Consul agent
|
monitor Stream logs from a Consul agent
|
||||||
|
@ -48,6 +52,7 @@ Available commands are:
|
||||||
rtt Estimates network round trip time between nodes
|
rtt Estimates network round trip time between nodes
|
||||||
services Interact with services
|
services Interact with services
|
||||||
snapshot Saves, restores and inspects snapshots of Consul server state
|
snapshot Saves, restores and inspects snapshots of Consul server state
|
||||||
|
tls Builtin helpers for creating CAs and certificates
|
||||||
validate Validate config files/directories
|
validate Validate config files/directories
|
||||||
version Prints the Consul version
|
version Prints the Consul version
|
||||||
watch Watch for changes in Consul
|
watch Watch for changes in Consul
|
||||||
|
@ -138,6 +143,15 @@ are enabled, for example:
|
||||||
CONSUL_HTTP_TOKEN=aba7cbe5-879b-999a-07cc-2efd9ac0ffe
|
CONSUL_HTTP_TOKEN=aba7cbe5-879b-999a-07cc-2efd9ac0ffe
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### `CONSUL_HTTP_TOKEN_FILE`
|
||||||
|
|
||||||
|
This is a path to a file containing the API access token required when access
|
||||||
|
control lists (ACLs) are enabled, for example:
|
||||||
|
|
||||||
|
```
|
||||||
|
CONSUL_HTTP_TOKEN_FILE=/path/to/consul.token
|
||||||
|
```
|
||||||
|
|
||||||
### `CONSUL_HTTP_AUTH`
|
### `CONSUL_HTTP_AUTH`
|
||||||
|
|
||||||
This specifies HTTP Basic access credentials as a username:password pair:
|
This specifies HTTP Basic access credentials as a username:password pair:
|
||||||
|
|
|
@ -0,0 +1,50 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: Login"
|
||||||
|
sidebar_current: "docs-commands-login"
|
||||||
|
description: >
|
||||||
|
The `login` command will exchange the provided third party credentials with the requested auth method for a newly minted Consul ACL token.
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul Login
|
||||||
|
|
||||||
|
Command: `consul login`
|
||||||
|
|
||||||
|
The `login` command will exchange the provided third party credentials with the
|
||||||
|
requested auth method for a newly minted Consul ACL token. The companion
|
||||||
|
command `consul logout` should be used to destroy any tokens created this way
|
||||||
|
to avoid a resource leak.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul login [options]`
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
|
||||||
|
#### Command Options
|
||||||
|
|
||||||
|
* `-bearer-token-file=<string>` - Path to a file containing a secret bearer
|
||||||
|
token to use with this auth method.
|
||||||
|
|
||||||
|
* `-meta=<value>` - Metadata to set on the token, formatted as `key=value`. This
|
||||||
|
flag may be specified multiple times to set multiple meta fields.
|
||||||
|
|
||||||
|
* `-method=<string>` - Name of the auth method to login to.
|
||||||
|
|
||||||
|
* `-token-sink-file=<string>` - The most recent token's SecretID is kept up to
|
||||||
|
date in this file.
|
||||||
|
|
||||||
|
### Examples
|
||||||
|
|
||||||
|
Login to an auth method.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul login -method 'minikube' \
|
||||||
|
-bearer-token-file '/run/secrets/kubernetes.io/serviceaccount/token' \
|
||||||
|
-token-sink-file 'consul.token'
|
||||||
|
|
||||||
|
$ cat consul.token
|
||||||
|
36103ae4-6731-e719-f53a-d35188cfa41d
|
||||||
|
```
|
|
@ -0,0 +1,34 @@
|
||||||
|
---
|
||||||
|
layout: "docs"
|
||||||
|
page_title: "Commands: Logout"
|
||||||
|
sidebar_current: "docs-commands-logout"
|
||||||
|
description: >
|
||||||
|
The `logout` command will destroy the provided token if it was created from `consul login`.
|
||||||
|
---
|
||||||
|
|
||||||
|
# Consul Logout
|
||||||
|
|
||||||
|
Command: `consul logout`
|
||||||
|
|
||||||
|
The `logout` command will destroy the provided token if it was created from
|
||||||
|
`consul login`.
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
Usage: `consul logout [options]`
|
||||||
|
|
||||||
|
-> The token to delete should be specified with the `-token` argument, the
|
||||||
|
`CONSUL_HTTP_TOKEN` environment variable, the `-token-file` argument, or the
|
||||||
|
`CONSUL_HTTP_TOKEN_FILE` environment variable.
|
||||||
|
|
||||||
|
#### API Options
|
||||||
|
|
||||||
|
<%= partial "docs/commands/http_api_options_client" %>
|
||||||
|
|
||||||
|
### Examples
|
||||||
|
|
||||||
|
Logout and delete a login token.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
$ consul logout -token-file 'consul.token'
|
||||||
|
```
|
|
@ -36,6 +36,15 @@
|
||||||
<li<%= sidebar_current("api-acl-policies") %>>
|
<li<%= sidebar_current("api-acl-policies") %>>
|
||||||
<a href="/api/acl/policies.html">Policies</a>
|
<a href="/api/acl/policies.html">Policies</a>
|
||||||
</li>
|
</li>
|
||||||
|
<li<%= sidebar_current("api-acl-roles") %>>
|
||||||
|
<a href="/api/acl/roles.html">Roles</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("api-acl-auth-methods") %>>
|
||||||
|
<a href="/api/acl/auth-methods.html">Auth Methods</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("api-acl-binding-rules") %>>
|
||||||
|
<a href="/api/acl/binding-rules.html">Binding Rules</a>
|
||||||
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li<%= sidebar_current("api-agent") %>>
|
<li<%= sidebar_current("api-agent") %>>
|
||||||
|
|
|
@ -67,20 +67,117 @@
|
||||||
<li<%= sidebar_current("docs-commands-acl") %>>
|
<li<%= sidebar_current("docs-commands-acl") %>>
|
||||||
<a href="/docs/commands/acl.html">acl</a>
|
<a href="/docs/commands/acl.html">acl</a>
|
||||||
<ul class="nav">
|
<ul class="nav">
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-auth-method") %>>
|
||||||
|
<a href="/docs/commands/acl/auth-method.html">auth-method</a>
|
||||||
|
<ul class="nav">
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-auth-method-create") %>>
|
||||||
|
<a href="/docs/commands/acl/auth-method/create.html">create</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-auth-method-delete") %>>
|
||||||
|
<a href="/docs/commands/acl/auth-method/delete.html">delete</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-auth-method-list") %>>
|
||||||
|
<a href="/docs/commands/acl/auth-method/list.html">list</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-auth-method-read") %>>
|
||||||
|
<a href="/docs/commands/acl/auth-method/read.html">read</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-auth-method-update") %>>
|
||||||
|
<a href="/docs/commands/acl/auth-method/update.html">update</a>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-binding-rule") %>>
|
||||||
|
<a href="/docs/commands/acl/binding-rule.html">binding-rule</a>
|
||||||
|
<ul class="nav">
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-binding-rule-create") %>>
|
||||||
|
<a href="/docs/commands/acl/binding-rule/create.html">create</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-binding-rule-delete") %>>
|
||||||
|
<a href="/docs/commands/acl/binding-rule/delete.html">delete</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-binding-rule-list") %>>
|
||||||
|
<a href="/docs/commands/acl/binding-rule/list.html">list</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-binding-rule-read") %>>
|
||||||
|
<a href="/docs/commands/acl/binding-rule/read.html">read</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-binding-rule-update") %>>
|
||||||
|
<a href="/docs/commands/acl/binding-rule/update.html">update</a>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
<li<%= sidebar_current("docs-commands-acl-bootstrap") %>>
|
<li<%= sidebar_current("docs-commands-acl-bootstrap") %>>
|
||||||
<a href="/docs/commands/acl/acl-bootstrap.html">bootstrap</a>
|
<a href="/docs/commands/acl/bootstrap.html">bootstrap</a>
|
||||||
</li>
|
</li>
|
||||||
<li<%= sidebar_current("docs-commands-acl-policy") %>>
|
<li<%= sidebar_current("docs-commands-acl-policy") %>>
|
||||||
<a href="/docs/commands/acl/acl-policy.html">policy</a>
|
<a href="/docs/commands/acl/policy.html">policy</a>
|
||||||
|
<ul class="nav">
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-policy-create") %>>
|
||||||
|
<a href="/docs/commands/acl/policy/create.html">create</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-policy-delete") %>>
|
||||||
|
<a href="/docs/commands/acl/policy/delete.html">delete</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-policy-list") %>>
|
||||||
|
<a href="/docs/commands/acl/policy/list.html">list</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-policy-read") %>>
|
||||||
|
<a href="/docs/commands/acl/policy/read.html">read</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-policy-update") %>>
|
||||||
|
<a href="/docs/commands/acl/policy/update.html">update</a>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-role") %>>
|
||||||
|
<a href="/docs/commands/acl/role.html">role</a>
|
||||||
|
<ul class="nav">
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-role-create") %>>
|
||||||
|
<a href="/docs/commands/acl/role/create.html">create</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-role-delete") %>>
|
||||||
|
<a href="/docs/commands/acl/role/delete.html">delete</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-role-list") %>>
|
||||||
|
<a href="/docs/commands/acl/role/list.html">list</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-role-read") %>>
|
||||||
|
<a href="/docs/commands/acl/role/read.html">read</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-role-update") %>>
|
||||||
|
<a href="/docs/commands/acl/role/update.html">update</a>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li<%= sidebar_current("docs-commands-acl-set-agent-token") %>>
|
<li<%= sidebar_current("docs-commands-acl-set-agent-token") %>>
|
||||||
<a href="/docs/commands/acl/acl-set-agent-token.html">set-agent-token</a>
|
<a href="/docs/commands/acl/set-agent-token.html">set-agent-token</a>
|
||||||
</li>
|
</li>
|
||||||
<li<%= sidebar_current("docs-commands-acl-token") %>>
|
<li<%= sidebar_current("docs-commands-acl-token") %>>
|
||||||
<a href="/docs/commands/acl/acl-token.html">token</a>
|
<a href="/docs/commands/acl/token.html">token</a>
|
||||||
|
<ul class="nav">
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-token-clone") %>>
|
||||||
|
<a href="/docs/commands/acl/token/clone.html">clone</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-token-create") %>>
|
||||||
|
<a href="/docs/commands/acl/token/create.html">create</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-token-delete") %>>
|
||||||
|
<a href="/docs/commands/acl/token/delete.html">delete</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-token-list") %>>
|
||||||
|
<a href="/docs/commands/acl/token/list.html">list</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-token-read") %>>
|
||||||
|
<a href="/docs/commands/acl/token/read.html">read</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-acl-token-update") %>>
|
||||||
|
<a href="/docs/commands/acl/token/update.html">update</a>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
<li<%= sidebar_current("docs-commands-acl-translate-rules") %>>
|
<li<%= sidebar_current("docs-commands-acl-translate-rules") %>>
|
||||||
<a href="/docs/commands/acl/acl-translate-rules.html">translate-rules</a>
|
<a href="/docs/commands/acl/translate-rules.html">translate-rules</a>
|
||||||
</li>
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
|
@ -207,6 +304,12 @@
|
||||||
<li<%= sidebar_current("docs-commands-lock") %>>
|
<li<%= sidebar_current("docs-commands-lock") %>>
|
||||||
<a href="/docs/commands/lock.html">lock</a>
|
<a href="/docs/commands/lock.html">lock</a>
|
||||||
</li>
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-login") %>>
|
||||||
|
<a href="/docs/commands/login.html">login</a>
|
||||||
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-commands-logout") %>>
|
||||||
|
<a href="/docs/commands/logout.html">logout</a>
|
||||||
|
</li>
|
||||||
<li<%= sidebar_current("docs-commands-maint") %>>
|
<li<%= sidebar_current("docs-commands-maint") %>>
|
||||||
<a href="/docs/commands/maint.html">maint</a>
|
<a href="/docs/commands/maint.html">maint</a>
|
||||||
</li>
|
</li>
|
||||||
|
@ -347,6 +450,14 @@
|
||||||
<li<%= sidebar_current("docs-acl-migration") %>>
|
<li<%= sidebar_current("docs-acl-migration") %>>
|
||||||
<a href="/docs/acl/acl-migrate-tokens.html">Token Migration</a>
|
<a href="/docs/acl/acl-migrate-tokens.html">Token Migration</a>
|
||||||
</li>
|
</li>
|
||||||
|
<li<%= sidebar_current("docs-acl-auth-methods") %>>
|
||||||
|
<a href="/docs/acl/acl-auth-methods.html">Auth Methods</a>
|
||||||
|
<ul class="nav">
|
||||||
|
<li<%= sidebar_current("docs-acl-auth-methods-kubernetes") %>>
|
||||||
|
<a href="/docs/acl/auth-methods/kubernetes.html">Kubernetes</a>
|
||||||
|
</li>
|
||||||
|
</ul>
|
||||||
|
</li>
|
||||||
</ul>
|
</ul>
|
||||||
</li>
|
</li>
|
||||||
|
|
||||||
|
|
|
@ -49,6 +49,13 @@
|
||||||
/docs/guides/bootstrapping.html https://www.consul.io/docs/install/bootstrapping.html
|
/docs/guides/bootstrapping.html https://www.consul.io/docs/install/bootstrapping.html
|
||||||
/docs/guides/sentinel.html https://www.consul.io/docs/agent/sentinel.html
|
/docs/guides/sentinel.html https://www.consul.io/docs/agent/sentinel.html
|
||||||
|
|
||||||
|
# CLI renames
|
||||||
|
/docs/commands/acl/acl-bootstrap.html https://www.consul.io/docs/commands/acl/bootstrap.html
|
||||||
|
/docs/commands/acl/acl-policy.html https://www.consul.io/docs/commands/acl/policy.html
|
||||||
|
/docs/commands/acl/acl-set-agent-token.html https://www.consul.io/docs/commands/acl/set-agent-token.html
|
||||||
|
/docs/commands/acl/acl-token.html https://www.consul.io/docs/commands/acl/token.html
|
||||||
|
/docs/commands/acl/acl-translate-rules.html https://www.consul.io/docs/commands/acl/translate-rules.html
|
||||||
|
|
||||||
# Consul Learn Redirects
|
# Consul Learn Redirects
|
||||||
/docs/guides/acl.html https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide
|
/docs/guides/acl.html https://learn.hashicorp.com/consul/advanced/day-1-operations/acl-guide
|
||||||
/docs/guides/agent-encryption.html https://learn.hashicorp.com/consul/advanced/day-1-operations/agent-encryption
|
/docs/guides/agent-encryption.html https://learn.hashicorp.com/consul/advanced/day-1-operations/agent-encryption
|
||||||
|
|
Loading…
Reference in New Issue