ACL policy for DNS and UI


As defined in the documentation …

Consul's DNS interface is also affected by restrictions on node rules. If the acl.token.default used by the agent does not have "read" access to a given node, then the DNS interface will return no records when queried for it.

So I changed on my consul cluster this parameter with the appropriate policy.
It is working correctly for DNS.

However the UI is open in readonly mode. Is-it possible to restrict the usage of UI by ACL but to keep the DNS working ?

When I changed the ACL policies, the web UI was asking for a token but the DNS didn’t work anymore.


There is currently no way to use a different token for the HTTP API vs DNS.

There is the open issue which somewhere buried in there brings up this fact:

I would recommend you add information about your use case and needs to that issue so that we can gauge community interest and needs to plan work appropriately.

1 Like