In Consul version 1.4.0, we released an improved Access Control List (ACL) system. Consul’s ACLs can be configured to secure the Consul UI, HTTP API, Consul CLI, service communications within the datacenter, and node communications. For production datacenters, ACLs are recommended.
At its core, ACLs operate by grouping rules into policies, then associating one or more policies with a token. With this flexibility, you can structure your ACL system to fit your security requirements and threat models. However, we recommend at least having a default policy of deny all
, meaning all requests need to be authenticated and authorized. For a secure datacenter, each node and every service should have its own privelages. For example, each node should get an ACL agent token with node
write privileges for just its own node name and service
read privileges for just the service prefixes expected to be registered on that client.
After upgrading to Consul 1.4.0 or newer, you will need to migrate your ACL tokens. This will allow you to benefit from the redesigned system, without needing to bootstrap the entire system again.
If you are setting up ACLs for the first time, we recommend following the Bootstrapping ACLs Guide on HashiCorp’s Learn site. The initial bootstrapping process can be completed in six steps:
The guide also covers several optional steps including; configuring the anonymous token and creating a token for the UI.
The initial steps in the guide are only a starting point and will create a minimally secure datacenter, operators will need to take further actions to create a more secure datacenter. To start, we recommend each client get an ACL agent token with node write
privileges for just its own node name and service read
privileges for just the service prefixes expected to be registered on that client.
If you would like to learn more about the ACL system, we recommend reading the overview ACL documentation and the ACL Rules documentation.
A recap of HashiCorp infrastructure and security news and developments from Google Cloud Next, from scaling infrastructure as code to fighting secrets sprawl and more.
Try this example method for transitioning from Consul service discovery to service mesh without affecting uptimes or development teams.
Consul 1.18 improves enterprise reliability with Long-Term Support, fault-injection capabilities, and expanded Amazon ECS support for multi-runtime deployments.