HashiCorp Certified: Consul Associate Certification

Secure Services with Basic ACLs

Demo Creating ACL Tokens

In this tutorial, you’ll learn how to generate a new ACL token for the Consul agent on web-server-01, leveraging the existing eCommerce policy. We’ll cover:

  1. Reviewing existing ACL policies
  2. Creating a new token
  3. Automating token generation

1. Review Existing Policies

Before assigning a token, confirm which ACL policies exist in your Consul cluster.

Warning

Attempting to list policies without a valid token will result in a permission error.

$ consul acl policy list
Failed to retrieve the policy list: Unexpected response code: 403 (Permission denied)

Supply the bootstrap token to view the policy definitions:

$ consul acl policy list \
    -token c7142d5a-9ab1-78ba-f521-189971e29c24

Sample Output

eCommerce:
  ID:          f333e9a4-dff7-05ac-75a3-98ee4087e868
  Namespace:   default
  Description: eCommerce App
  Datacenters:
global-management:
  ID:          00000000-0000-0000-0000-000000000001
  Namespace:   default
  Description: Builtin Policy that grants unlimited access
  Datacenters:

2. Create a New Token

Now generate a scoped ACL token bound to your eCommerce policy. Replace the -policy-id value with the actual Policy ID obtained above.

$ consul acl token create \
    -description "Token for web-server-01" \
    -policy-id f333e9a4-dff7-05ac-75a3-98ee4087e868 \
    -token c7142d5a-9ab1-78ba-f521-189971e29c24

Expected Response

AccessorID: 574957bd-ba25-43b6-a16b-7a7494ee7fea
SecretID:   d46811f8-21ff-f41c-9c3a-6acbe8c04905
Namespace:  default
Description: Token for web-server-01
Create Time: 2021-02-12 20:32:29.966523914 +0000 UTC
Policies:
- f333e9a4-dff7-05ac-75a3-98ee4087e868  eCommerce

The SecretID value is the actual token you will configure on web-server-01 for secure Consul access.
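The same two steps (look up the eCommerce policy ID, then create a token bound to it) can be driven through Consul's HTTP API instead of the CLI. This is an added example, not code from the course; it assumes the default agent address http://127.0.0.1:8500 and uses the real GET /v1/acl/policies and PUT /v1/acl/token endpoints with the X-Consul-Token header. The sample responses embedded below are constructed from the output shown above so the script can be exercised offline.

```python
import json
import urllib.request

CONSUL_ADDR = "http://127.0.0.1:8500"  # assumption: local agent, default port


def find_policy_id(policies, name):
    """Return the ID of the policy named `name` from a GET /v1/acl/policies response."""
    for policy in policies:
        if policy.get("Name") == name:
            return policy["ID"]
    raise LookupError(f"ACL policy {name!r} not found")


def build_token_request(description, policy_id):
    """Body for PUT /v1/acl/token: one token linked to exactly one policy (least privilege)."""
    return {"Description": description, "Policies": [{"ID": policy_id}]}


def consul_request(method, path, mgmt_token, body=None):
    """Minimal HTTP client; the management token travels in the X-Consul-Token header."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        CONSUL_ADDR + path, data=data, method=method,
        headers={"X-Consul-Token": mgmt_token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_token_for_host(host, policy_name, mgmt_token, request=consul_request):
    """Look up the policy by name, create a scoped token, return (AccessorID, SecretID)."""
    policies = request("GET", "/v1/acl/policies", mgmt_token)
    policy_id = find_policy_id(policies, policy_name)
    created = request("PUT", "/v1/acl/token", mgmt_token,
                      build_token_request(f"Token for {host}", policy_id))
    return created["AccessorID"], created["SecretID"]


# Constructed sample responses (values taken from the CLI output in this tutorial).
SAMPLE_POLICIES = [
    {"ID": "f333e9a4-dff7-05ac-75a3-98ee4087e868", "Name": "eCommerce", "Description": "eCommerce App"},
    {"ID": "00000000-0000-0000-0000-000000000001", "Name": "global-management"},
]
SAMPLE_TOKEN = {"AccessorID": "574957bd-ba25-43b6-a16b-7a7494ee7fea",
                "SecretID": "d46811f8-21ff-f41c-9c3a-6acbe8c04905"}


def fake_request(method, path, mgmt_token, body=None):
    """Offline stand-in for consul_request that replays the constructed responses."""
    return SAMPLE_POLICIES if path == "/v1/acl/policies" else SAMPLE_TOKEN
```

Treat the returned SecretID like a password: hand it to the web-server-01 agent configuration and do not log it.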

3. Automating Token Generation

For large-scale or production environments, manual token creation can become error-prone. Consider using HashiCorp Vault’s Consul secrets engine to dynamically issue ACL tokens:

  • Define roles in Vault that map to Consul policies.
  • Vault will automatically provision short-lived tokens.
  • Centralize token lifecycle management and auditing.

Note

Dynamic token issuance reduces manual errors, enforces least privilege, and simplifies rotation.


Policy Overview

Policy Name        Policy ID                             Description
eCommerce          f333e9a4-dff7-05ac-75a3-98ee4087e868  Grants permissions needed by web-server-01
global-management  00000000-0000-0000-0000-000000000001  Built-in policy with unrestricted access
