Secure Your Consul Cluster with Access Control Lists
In Consul version 1.4.0, we released an improved Access Control List (ACL) system. Consul’s ACLs can be configured to secure the Consul UI, HTTP API, Consul CLI, service communications within the datacenter, and node communications. For production datacenters, ACLs are recommended.
At its core, the ACL system operates by grouping rules into policies, then associating one or more policies with a token. With this flexibility, you can structure your ACL system to fit your security requirements and threat models. However, we recommend at least having a default policy of deny all, meaning all requests need to be authenticated and authorized. For a secure datacenter, each node and every service should have its own privileges. For example, each node should get an ACL agent token with node write privileges for just its own node name and service read privileges for just the service prefixes expected to be registered on that client.
» Configuring ACLs
After upgrading to Consul 1.4.0 or newer, you will need to migrate your ACL tokens. This will allow you to benefit from the redesigned system, without needing to bootstrap the entire system again.
If you are setting up ACLs for the first time, we recommend following the Bootstrapping ACLs Guide on HashiCorp’s Learn site. The initial bootstrapping process can be completed in six steps:
- Enable ACLs on all the servers.
- Create the bootstrap token.
- Create an agent policy.
- Create an agent token.
- Enable ACLs on all the clients.
The guide also covers several optional steps, including configuring the anonymous token and creating a token for the UI.
The initial steps in the guide are only a starting point and will create a minimally secure datacenter; operators will need to take further actions to create a more secure datacenter. To start, we recommend each client get an ACL agent token with node write privileges for just its own node name and service read privileges for just the service prefixes expected to be registered on that client.
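As an added example (not code from the original post or from HashiCorp), the following POSIX shell script turns the per-client recommendation above, and the default-deny agent configuration recommended earlier, into a concrete workflow: it renders a scoped agent policy for one client, checks that the policy contains no blanket prefix grant, renders the matching acl stanza for the client's agent configuration, and shows the consul CLI steps for creating the policy and token and installing the agent token. It assumes the consul binary and jq are installed, that CONSUL_HTTP_TOKEN is set to the bootstrap token, and that the node name web-node-1 and service prefix web- are constructed sample values.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes: consul and jq on
# PATH, CONSUL_HTTP_TOKEN exported with the bootstrap (management) token.
# Node names and service prefixes used below are constructed samples.

# render_agent_policy NODE_NAME SERVICE_PREFIX
# Prints HCL rules that grant write only on the client's own node name and
# read only on the service prefix expected to register on that client.
render_agent_policy() {
  node_name=$1
  service_prefix=$2
  printf 'node "%s" {\n  policy = "write"\n}\n\nservice_prefix "%s" {\n  policy = "read"\n}\n' \
    "$node_name" "$service_prefix"
}

# policy_is_scoped POLICY_TEXT
# Returns success only if the rules contain no empty-prefix rule, i.e. no
# node_prefix "" or service_prefix "" that would match every node or service.
policy_is_scoped() {
  ! printf '%s\n' "$1" | grep -Eq '^(node_prefix|service_prefix) ""'
}

# render_agent_acl_config
# Prints the acl stanza for a client agent's configuration file: ACLs on,
# default deny, and token persistence so the agent token survives restarts.
render_agent_acl_config() {
  printf 'acl = {\n  enabled = true\n  default_policy = "deny"\n  enable_token_persistence = true\n}\n'
}

# apply_agent_policy NODE_NAME SERVICE_PREFIX
# Creates the policy, mints a token bound to it, and sets that token as the
# local agent's token. Run this on each client against a running cluster.
apply_agent_policy() {
  node_name=$1
  service_prefix=$2
  policy_file=$(mktemp) || return 1
  rules=$(render_agent_policy "$node_name" "$service_prefix")
  if ! policy_is_scoped "$rules"; then
    echo "refusing to apply unscoped policy for $node_name" >&2
    rm -f "$policy_file"
    return 1
  fi
  printf '%s\n' "$rules" > "$policy_file"

  consul acl policy create \
    -name "agent-${node_name}" \
    -description "Agent policy for ${node_name}" \
    -rules "@${policy_file}" || { rm -f "$policy_file"; return 1; }
  rm -f "$policy_file"

  # The token's SecretID is what the agent presents; keep it out of logs.
  secret=$(consul acl token create \
    -description "Agent token for ${node_name}" \
    -policy-name "agent-${node_name}" \
    -format=json | jq -r '.SecretID') || return 1

  consul acl set-agent-token agent "$secret"
}

# Stand-alone run: show what would be applied for one sample client.
render_agent_policy web-node-1 web-
render_agent_acl_config
```

Running `apply_agent_policy web-node-1 web-` on that client creates the policy and token and installs the token on the local agent; the scoping check is deliberately run before anything is created, so a typo that produces an empty prefix fails closed rather than granting access to every node or service.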
» Further Considerations
If you would like to learn more about the ACL system, we recommend reading the overview ACL documentation and the ACL Rules documentation.