consul

Secure Your Consul Cluster with Access Control Lists

Jan 29 2019Kaitlin Carter

In Consul version 1.4.0, we released an improved Access Control List (ACL) system. Consul’s ACLs can be configured to secure the Consul UI, HTTP API, Consul CLI, service communications within the datacenter, and node communications. For production datacenters, ACLs are recommended.

At its core, ACLs operate by grouping rules into policies, then associating one or more policies with a token. With this flexibility, you can structure your ACL system to fit your security requirements and threat models. However, we recommend at least having a default policy of deny all, meaning all requests need to be authenticated and authorized. For a secure datacenter, each node and every service should have its own privelages. For example, each node should get an ACL agent token with node write privileges for just its own node name and service read privileges for just the service prefixes expected to be registered on that client.

»Configuring ACLs

After upgrading to Consul 1.4.0 or newer, you will need to migrate your ACL tokens. This will allow you to benefit from the redesigned system, without needing to bootstrap the entire system again.

If you are setting up ACLs for the first time, we recommend following the Bootstrapping ACLs Guide on HashiCorp’s Learn site. The initial bootstrapping process can be completed in six steps:

  1. Enable ACLs on all the servers.
  2. Create the bootstrap token.
  3. Create an agent policy.
  4. Create an agent token.
  5. Enable ACLs on all the clients.

The guide also covers several optional steps including; configuring the anonymous token and creating a token for the UI.

The initial steps in the guide are only a starting point and will create a minimally secure datacenter, operators will need to take further actions to create a more secure datacenter. To start, we recommend each client get an ACL agent token with node write privileges for just its own node name and service read privileges for just the service prefixes expected to be registered on that client.

»Further Considerations

If you would like to learn more about the ACL system, we recommend reading the overview ACL documentation and the ACL Rules documentation.

Sign up for the latest HashiCorp news

By submitting this form, you acknowledge and agree that HashiCorp will process your personal information in accordance with the Privacy Policy.

More blog posts like this one

A blueprint for cloud success with HashiCorp at Google Cloud Next
April 11 2024 | Products & Technology
A blueprint for cloud success with HashiCorp at Google Cloud Next

A recap of HashiCorp infrastructure and security news and developments from Google Cloud Next, from scaling infrastructure as code to fighting secrets sprawl and more.

Seamlessly migrate from Consul service discovery to service mesh
March 11 2024 | Products & Technology
Seamlessly migrate from Consul service discovery to service mesh

Try this example method for transitioning from Consul service discovery to service mesh without affecting uptimes or development teams.

Consul 1.18 GA improves enterprise reliability with Long-Term Support
March 06 2024 | Products & Technology
Consul 1.18 GA improves enterprise reliability with Long-Term Support

Consul 1.18 improves enterprise reliability with Long-Term Support, fault-injection capabilities, and expanded Amazon ECS support for multi-runtime deployments.