Learn the HashiCorp Enterprise Suite 
» Consul ACL Policies
Command: consul acl policy
The acl policy command is used to manage Consul's ACL policies. There are
subcommands for the individual operations that can be performed.
ACL policies are also accessible via the HTTP API.
Usage: consul acl policy <subcommand> [options] [args]
Note: All of the examples show for the subcommands will require a valid Consul token with the appropriate permissions.
Either set the CONSUL_HTTP_TOKEN environment variable to the tokens secret ID or pass the secret ID as the value of the -token
parameter.
» Identitying Polices
In several of the subcommands a policy will have to be identified to be read, modified or deleted. Those subcommands support
specifying the policy by its ID using the -id parameter or by name using the -name parameter. When specifying the policy
by its ID a unique policy ID prefix may be specified instead of the entire UUID. As long as it is unique it will be resolved
to the full UUID and used. Additionally builtin policy names will be accepted as the value to the -id parameter. Even if
the builtin policies are renamed their original name can be used to operate on them.
Builtin Policies:
| Policy UUID | Policy Name |
|---|---|
| 00000000-0000-0000-0000-000000000001 | global-management |
» Common Subcommand Options
All of the consul acl policy subcommands support the following options:
-ca-file=<value>- Path to a CA file to use for TLS when communicating with Consul. This can also be specified via theCONSUL_CACERTenvironment variable.-ca-path=<value>- Path to a directory of CA certificates to use for TLS when communicating with Consul. This can also be specified via theCONSUL_CAPATHenvironment variable.-client-cert=<value>- Path to a client cert file to use for TLS whenverify_incomingis enabled. This can also be specified via theCONSUL_CLIENT_CERTenvironment variable.-client-key=<value>- Path to a client key file to use for TLS whenverify_incomingis enabled. This can also be specified via theCONSUL_CLIENT_KEYenvironment variable.-http-addr=<addr>- Address of the Consul agent with the port. This can be an IP address or DNS address, but it must include the port. This can also be specified via theCONSUL_HTTP_ADDRenvironment variable. In Consul 0.8 and later, the default value is http://127.0.0.1:8500, and https can optionally be used instead. The scheme can also be set to HTTPS by setting the environment variableCONSUL_HTTP_SSL=true. This may be a unix domain socket usingunix:///path/to/socketif the agent is configured to listen that way.-tls-server-name=<value>- The server name to use as the SNI host when connecting via TLS. This can also be specified via theCONSUL_TLS_SERVER_NAMEenvironment variable.-token=<value>- ACL token to use in the request. This can also be specified via theCONSUL_HTTP_TOKENenvironment variable. If unspecified, the query will default to the token of the Consul agent at the HTTP address.
-datacenter=<name>- Name of the datacenter to query. If unspecified, the query will default to the datacenter of the Consul agent at the HTTP address.-stale- Permit any Consul server (non-leader) to respond to this request. This allows for lower latency and higher throughput, but can result in stale data. This option has no effect on non-read operations. The default value is false.
»
create
Command: consul acl policy create
This command creates new policies. The policies rules can either be set explicitly or the
-from-token parameter may be used to load the rules from a legacy ACL token. When loading
the rules from an existing legacy ACL token, the rules get translated from the legacy syntax
to the new syntax.
Both the -rules and -from-token parameter values allow loading the value
from stdin, a file or the raw value. To use stdin pass - as the value.
To load the value from a file prefix the value with an @. Any other
values will be used directly.
Deprecated: The -from-token and -token-secret arguments exist only as a convenience
to make legacy ACL migration easier. These will be removed in a future major release when
support for the legacy ACL system is removed.
» Usage
Usage: consul acl policy create [options] [args]
» Options
-description=<string>- A description of the policy.-from-token=<string>- The legacy token to retrieve the rules for when creating this policy. When this is specified no other rules should be given. Similar to the -rules option the token to use can be loaded from stdin or from a file.-meta- Indicates that policy metadata such as the content hash and raft indices should be shown for each entry.-name=<string>- The new policies name. This flag is required.-rules=<string>- The policy rules. May be prefixed with '@' to indicate that the value is a file path to load the rules from. '-' may also be given to indicate that the rules are available on stdin.-token-secret- Indicates the token provided with -from-token is a SecretID and not an AccessorID.-valid-datacenter=<value>- Datacenter that the policy should be valid within. This flag may be specified multiple times.
» Examples
Create a new policy that is valid in all datacenters:
$ consul acl policy create -name "acl-replication" -description "Policy capable of replicating ACL policies" -rules 'acl = "read"'
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
Name: acl-replication
Description: Policy capable of replicating ACL policies
Datacenters:
Rules:
acl = "read"
Create a new policy valid only in specific datacenters with rules read from a file:
$ consul acl policy create -name "replication" -description "Replication" -rules @rules.hcl -valid-datacenter dc1 -valid-datacenter dc2
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
Name: replication
Description: Replication
Datacenters: dc1, dc2
Rules:
acl = "read"
service_prefix "" {
policy = "read"
intentions = "read"
}
Create a new policy with rules equivalent to that of a legacy ACL token:
$ consul acl policy create -name "node-services-read" -from-token 5793a5ce -description "Can read any node and service"
ID: 06acc965-df4b-5a99-58cb-3250930c6324
Name: node-services-read
Description: Can read any node and service
Datacenters:
Rules:
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}
»
read
Command: consul acl policy read
This command reads and displays a policies details.
» Usage
Usage: consul acl policy read [options] [args]
» Options
-id=<string>- The ID of the policy to read. It may be specified as a unique ID prefix but will error if the prefix matches multiple policy IDs.-meta- Indicates that policy metadata such as the content hash and raft indices should be shown for each entry.-name=<string>- The name of the policy to read.
» Examples
Get policy details:
$ consul acl policy read -id 00000000-0000-0000-0000-000000000001
ID: 00000000-0000-0000-0000-000000000001
Name: global-management
Description: Builtin Policy that grants unlimited access
Datacenters:
Rules:
acl = "write"
agent_prefix "" {
policy = "write"
}
event_prefix "" {
policy = "write"
}
key_prefix "" {
policy = "write"
}
keyring = "write"
node_prefix "" {
policy = "write"
}
operator = "write"
query_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "write"
intentions = "write"
}
session_prefix "" {
policy = "write"
}
Get policy details by name:
$ consul acl policy read -name "acl-replication"
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
Name: acl-replication
Description: Token capable of replicating ACL policies
Datacenters:
Rules:
acl = "read"
Get policy details (Builtin Policies):
Builtin policies can be accessed by specifying their original name as the value to the -id parameter.
$ consul acl policy read -id global-management
ID: 00000000-0000-0000-0000-000000000001
Name: global-management
Description: Builtin Policy that grants unlimited access
Datacenters:
Hash: b30210b7aba9facd1c57891e3df27669174a08b690cb2905e0797535f75eba69
Create Index: 4
Modify Index: 4
Rules:
acl = "write"
agent_prefix "" {
policy = "write"
}
event_prefix "" {
policy = "write"
}
key_prefix "" {
policy = "write"
}
keyring = "write"
node_prefix "" {
policy = "write"
}
operator = "write"
query_prefix "" {
policy = "write"
}
service_prefix "" {
policy = "write"
intentions = "write"
}
session_prefix "" {
policy = "write"
}
»
update
Command: consul acl policy update
This command is used to update a policy. The default operations is to merge the current policy
with those values provided to the command invocation. Therefore to update just one field, only
the -id or -name options and the option to modify must be provided. Note that renaming
policies requires both the -id and -name as the new name cannot yet be used to lookup the
policy.
» Usage
Usage: consul acl policy update [options] [args]
» Options
-description=<string>- A description of the policy.-id=<string>- The ID of the policy to update. It may be specified as a unique ID prefix but will error if the prefix matches multiple policy IDs-meta- Indicates that policy metadata such as the content hash and raft indices should be shown for each entry-name=<string>- The policies name.-no-merge- Do not merge the current policy information with what is provided to the command. Instead overwrite all fields with the exception of the policy ID which is immutable.-rules=<string>- The policy rules. May be prefixed with@to indicate that the value is a file path to load the rules from.-may also be given to indicate that the rules are available on stdin.-valid-datacenter=<value>- Datacenter that the policy should be valid within. This flag may be specified multiple times.
» Examples
Update a policy:
$ consul acl policy update -id 35b8 -name "replication" -description "Policy capable of replication ACL policies and Intentions" -rules @rules.hcl
Policy updated successfully
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
Name: replication
Description: Policy capable of replication ACL policies and Intentions
Datacenters:
Rules:
acl = "read"
service_prefix "" {
policy = "read"
intentions = "read"
}
Rename a policy:
$ consul acl policy update -id 35b8 -name "dc1-replication"
Policy updated successfully
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
Name: dc1-replication
Description: Policy capable of replication ACL policies and Intentions
Datacenters: dc1
Rules:
acl = "read"
service_prefix "" {
policy = "read"
intentions = "read"
}
»
delete
Command: consul acl policy delete
This command deletes a policy. Policies may be deleted by their ID or by name.
» Usage
Usage: consul acl policy delete [options]
» Options
-id=<string>- The ID of the policy to delete. It may be specified as a unique ID prefix but will error if the prefix matches multiple policy IDs.-name=<string>- The Name of the policy to delete.
» Examples
Delete a policy:
$ consul acl policy delete -id 35b8
Policy "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
Delete a policy by name:
$ consul acl policy delete -name acl-replication
Policy "35b8ecb0-707c-ee18-2002-81b238b54b38" deleted successfully
»
list
Command: consul acl policy list
This command lists all policies. By default it will not show metadata.
» Usage
Usage: consul acl policy list
» Options
-meta- Indicates that policy metadata such as the content hash and Raft indices should be shown for each entry.
» Examples
Default listing.
$ consul acl policy list
global-management:
ID: 00000000-0000-0000-0000-000000000001
Description: Builtin Policy that grants unlimited access
Datacenters:
acl-replication:
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
Description: Policy capable of replicating ACL policies
Datacenters:
Show Metadata.
$ consul acl policy list -meta
global-management:
ID: 00000000-0000-0000-0000-000000000001
Description: Builtin Policy that grants unlimited access
Datacenters:
Hash: b30210b7aba9facd1c57891e3df27669174a08b690cb2905e0797535f75eba69
Create Index: 4
Modify Index: 4
node-services-read:
ID: 06acc965-df4b-5a99-58cb-3250930c6324
Description: Can read any node and service
Datacenters:
Hash: 19d2a73dcd315506af73bfff1492779a0dc0235066fcac07f432fb2cc3402133
Create Index: 244
Modify Index: 244
acl-replication:
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
Description: Token capable of replicating ACL policies
Datacenters: dc1, dc2
Hash: b94669679cc24e0d064412e4aa90b470b7f900a8e0801f65feaf1f7d716a5390
Create Index: 198
Modify Index: 198