HashiCorp Certified: Consul Associate Certification

Secure Services with Basic ACLs

Objective 8 Section Recap

In this section, we reviewed how to secure your services using HashiCorp Consul’s Access Control List (ACL) system. You’ll walk away with a clear understanding of bootstrapping ACLs, defining policies, managing token lifecycles, and authenticating requests.

Key Topics Overview

Topic                  | Description
ACL Bootstrapping      | Enable ACLs, initialize the management token, and verify ACL-enabled mode
Policy Creation        | Write ACL policies in HCL or JSON; apply them via UI, CLI, and HTTP API
Token Lifecycle        | Create multi-policy, role-attached, and service-identity tokens; set expirations; revoke tokens
Authentication Methods | Use CLI flags or CONSUL_HTTP_TOKEN, HTTP headers (X-Consul-Token or Authorization), and UI

Detailed Recap

1. Bootstrapping and Configuration

  • Enable ACL enforcement in your Consul configuration (the acl block with enabled = true on every agent; set default_policy = "deny" so that anything a policy does not grant is refused).
  • Initialize the ACL system, which generates and prints the initial management token:
    consul acl bootstrap
    
  • Confirm the agent is running in ACL-enabled mode by checking its configuration (for example, the ACLsEnabled field in the output of /v1/agent/self).

Note

If you’re running Consul in a cluster, ensure every agent (servers and clients) is started with ACLs enabled and shares the same ACL configuration.

2. Creating and Managing Policies

  • Define policies in HCL or JSON syntax.
  • Apply policies with the CLI:
    consul acl policy create -name "web-policy" -rules @web-policy.hcl
    
  • Or via HTTP API:
    PUT /v1/acl/policy
    
  • You can also manage policies inside the Consul UI under Access Control > Policies.

3. Token Lifecycle Management

  • Create Tokens: single-policy, multi-policy, role-attached, or service-identity tokens.
    consul acl token create -description "service-xyz" -policy-name web-policy
    
  • Set Expiration: use the -expires-ttl flag (a duration such as 24h) so the token expires on its own.
  • Revocation: revoke unused or compromised tokens immediately by deleting them, referenced by accessor ID (not the secret):
    consul acl token delete -id <accessor_id>
    

Warning

Always revoke tokens as soon as they’re no longer needed to minimize security risks.

4. Authenticating Requests

  • CLI:
    export CONSUL_HTTP_TOKEN=<your-token>
    consul kv put foo bar
    
    Or pass -token=<your-token> on the command line.
  • HTTP API: include the header:
    X-Consul-Token: <your-token>
    
    or
    Authorization: Bearer <your-token>
    
  • UI: log in using a browser session token via Access Control > Tokens.
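The lifecycle recapped above (create a least-privilege policy, issue a token with a TTL, use it, delete it) carried out over the HTTP API, as an added example that is not part of the course material. It assumes a local agent at 127.0.0.1:8500 with ACLs enabled, a hypothetical service name and KV prefix, and a management token supplied by the caller:

```python
"""Consul ACL lifecycle over the HTTP API: policy -> token (TTL) -> use -> delete."""
import json
import sys
import urllib.request

CONSUL_ADDR = "http://127.0.0.1:8500"  # assumption: local agent with ACLs enabled


def auth_headers(token):
    # X-Consul-Token and "Authorization: Bearer <token>" are both accepted.
    return {"X-Consul-Token": token, "Content-Type": "application/json"}


def least_privilege_rules(service, kv_prefix):
    # HCL rules scoped to one service and one KV prefix; with default_policy = "deny"
    # everything not listed here stays denied. Names are hypothetical.
    return (
        f'service "{service}" {{\n  policy = "write"\n}}\n'
        f'key_prefix "{kv_prefix}" {{\n  policy = "read"\n}}\n'
    )


def _call(method, path, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(CONSUL_ADDR + path, data=data, method=method,
                                 headers=auth_headers(token))
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def create_policy(mgmt_token, name, rules):
    return _call("PUT", "/v1/acl/policy", mgmt_token, {"Name": name, "Rules": rules})


def create_token(mgmt_token, description, policy_name, ttl="24h"):
    # ExpirationTTL makes the token expire on its own; it is still deleted explicitly below.
    return _call("PUT", "/v1/acl/token", mgmt_token,
                 {"Description": description, "Policies": [{"Name": policy_name}],
                  "ExpirationTTL": ttl})


def delete_token(mgmt_token, accessor_id):
    # Revocation is a DELETE on the token's accessor ID; the secret is never sent.
    return _call("DELETE", f"/v1/acl/token/{accessor_id}", mgmt_token)


if __name__ == "__main__":
    mgmt = sys.argv[1]  # management token printed by `consul acl bootstrap`
    create_policy(mgmt, "web-policy", least_privilege_rules("web", "config/web/"))
    tok = create_token(mgmt, "service-web", "web-policy", ttl="1h")
    print(_call("GET", "/v1/catalog/service/web", tok["SecretID"]))  # uses the new token
    delete_token(mgmt, tok["AccessorID"])  # revoke as soon as it is no longer needed
```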

The image outlines objectives for securing services with Access Control Lists (ACLs), including setting up an ACL system, creating policies, managing token lifecycles, and performing CLI and API requests using tokens. It also indicates a difficulty level of 2.


Next Steps

With these building blocks in place—bootstrapping ACLs, defining policies, issuing/revoking tokens, and authenticating requests—you’re ready to implement robust Service Mesh security in your environment.
