ACLs required for Connect and sidecar proxies

Attempting to follow along with the introductory Consul Connect / proxy guide here: Getting Started with Connect guide

I already have a cluster which is configured with ACLs in default deny mode, so I had to do extra things to make it work and I wanted to make sure this was the expected set…

I created a token and policy for the “socat” service for registering that, the policy needed to be:

service "socat" { policy = "write" }
service "socat-sidecar-proxy" { policy = "write" }

… without this the service registration would fail.

For the “web” service, I needed:

service "web" { policy = "write" }
service "web-sidecar-proxy" { policy = "write" }
service "socat" { policy = "read" }
service "socat-sidecar-proxy" { policy = "read" }
node_prefix "" { policy = "read" }

… the two “write” policies were necessary to register the service and start the proxy, but it did not work and would not see that the “socat” service was healthy.

Adding the three “read” policies seemed to be necessary. I sort of understand the need to read the service for the upstream, but the “node_prefix” policy was very confusing, and I only discovered it after intense debugging and finding that the health endpoint depended on node:read.

Finally, I had to add an intent for web -> allow -> socat, which is fine.

Is this documented anywhere at all? It was an extremely head-scratching experience to get it to work, especially the “node_prefix” requirement.

Hi @nhw76,

The ACL policy requirements are mentioned in a few guides across the Learn site: Manage ACL Policies: Operator-only implementation example and Secure Consul with ACLs: Tokens for Connect.

The ACL docs on consul.io also reference these policies in the documentation on Service Identities. Service Identities are ACL policy templates which can be used for quickly creating tokens for Connect services using the aforementioned policy.

consul acl token create -description="Web service token" -service-identity="web"

Hope this helps. Let me know if you have any other questions.
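The two posts above together give the full recipe: per-service `write` rules, per-upstream `read` rules, the `node_prefix` read the health endpoint depends on, and an intention. The script below is an added example (not from either poster or from HashiCorp) that generates that policy for any service and list of upstreams, and shows the CLI steps to apply it. The policy name `<service>-connect` and the `print`/`apply` subcommands are this example's own conventions; it assumes a reachable agent and a `CONSUL_HTTP_TOKEN` with ACL and intention write rights for the `apply` path.

```shell
#!/bin/sh
# Minimal Connect ACL policy generator, built from the rules worked out in the thread.
set -eu

# connect_policy SERVICE [UPSTREAM...]
# Prints HCL granting:
#   service:write on SERVICE and SERVICE-sidecar-proxy   (register + start the proxy)
#   service:read  on each UPSTREAM and its sidecar proxy (discover the upstream)
#   node:read     on every node                          (the health endpoint needs it)
connect_policy() {
  svc="$1"; shift
  printf 'service "%s" { policy = "write" }\n' "$svc"
  printf 'service "%s-sidecar-proxy" { policy = "write" }\n' "$svc"
  for up in "$@"; do
    printf 'service "%s" { policy = "read" }\n' "$up"
    printf 'service "%s-sidecar-proxy" { policy = "read" }\n' "$up"
  done
  printf 'node_prefix "" { policy = "read" }\n'
}

# apply_connect_acls SERVICE [UPSTREAM...]
# Creates the policy, a token bound to it, and an allow intention SERVICE -> UPSTREAM
# for every upstream. The policy name "<service>-connect" is this example's choice.
apply_connect_acls() {
  svc="$1"; shift
  connect_policy "$svc" "$@" | consul acl policy create -name "${svc}-connect" -rules -
  consul acl token create -description "${svc} service token" -policy-name "${svc}-connect"
  for up in "$@"; do
    consul intention create "$svc" "$up"
  done
}

# Usage:  ./connect-acl.sh print web socat     (show the HCL)
#         ./connect-acl.sh apply web socat     (create policy, token and intention)
case "${1:-}" in
  print) shift; connect_policy "$@" ;;
  apply) shift; apply_connect_acls "$@" ;;
esac
```

`print web socat` reproduces exactly the five rules from the first post. Compared with the `-service-identity="web"` shortcut in the reply, the hand-written policy is narrower: a service identity's templated policy grants `write` on the service and its sidecar proxy but `read` on all services (`service_prefix ""`) and all nodes, whereas this script limits `service:read` to the named upstreams and only widens `node_prefix` because the health check path requires it.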