Consul ACL - Policies

I mainly care about these assumptions:

  • Everyone has access to the GUI without a token
  • CLI/API is only available with a token.

Question: Is this setting possible?

Hi @sphtd,

There are two possible options that I can think of to achieve this:

Option 1:

  • Update the anonymous token policy to have all the read permissions required to access the UI. This would allow anyone to access the UI (to the extent that the policy allows)
  • The API and CLI would be accessible to anyone, to the extent the anonymous token allows; anything beyond that would require a token.

Option 2:

This option is a bit stricter and closer to what you are looking for than option 1.

  • Have dedicated servers for hosting the Consul UI.
  • Create a token with a policy that grants enough permissions for the UI.
  • On the Consul UI server, set acl.tokens.default to the above token. This would give anyone accessing the UI (through this server) the permissions of the default token.
  • Set up a reverse proxy that exposes the Consul UI (allowing only the /ui endpoint). This would enable access to the UI, but the API (/v1/ endpoint) should be blocked.
  • Any CLI/API interaction should be with any of the other agents in the cluster, which would require a token (no anonymous access).

ref:
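The reverse-proxy "gate" from option 2, as an added example that is not part of the original thread (it is my code, not HashiCorp's). One detail worth checking before blocking /v1/ wholesale: the Consul UI is a browser application that loads its data by calling /v1/ endpoints itself, so a proxy that drops every /v1/ request leaves the UI with nothing to show. The gate below therefore passes only GET/HEAD requests to /ui and to the /v1/ read endpoints, refuses every write method and a set of API sub-trees the UI does not need, normalizes the path before deciding so that `..` segments cannot route around the check, and does not forward client-supplied tokens, so every request runs with the UI agent's acl.tokens.default. The agent address, the listen port and the denied-prefix list are assumptions to adjust for your deployment; confirm the allowed paths against the agent's access log for a real UI session. What this design cannot do is stop someone from scripting the same GET requests the UI makes, which is the limit the original poster runs into with option 1 as well.

```python
"""Added example: a read-only gate in front of a Consul agent that only serves the UI.

Assumptions (not from the original thread): the UI-only agent listens on
127.0.0.1:8500 with acl.tokens.default set to a read-only token, and the
path lists below match what your Consul version's UI actually requests.
"""
import posixpath
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

CONSUL_UI_AGENT = "http://127.0.0.1:8500"   # assumed address of the UI-only agent
LISTEN = ("0.0.0.0", 8080)                   # assumed listener for the gate itself

READ_METHODS = frozenset({"GET", "HEAD"})

# API sub-trees the browser UI does not need for read-only use (assumption:
# verify against your agent's access log before deploying).
DENIED_API_PREFIXES = (
    "/v1/acl", "/v1/agent", "/v1/operator", "/v1/session",
    "/v1/txn", "/v1/snapshot", "/v1/event",
)


def normalized_path(raw: str) -> str:
    """Drop the query string and collapse '.' / '..' segments, so that
    '/v1/acl/../agent/self' is judged (and forwarded) as '/v1/agent/self'."""
    return posixpath.normpath(urlsplit(raw).path or "/")


def allow_request(method: str, raw_path: str) -> bool:
    """Decide whether a request may reach the UI agent.

    Allowed: GET/HEAD to the UI itself (/, /ui, /ui/...) and GET/HEAD to the
    /v1/ endpoints the UI calls from the browser, minus DENIED_API_PREFIXES.
    Everything else, in particular every write method, is refused here even
    though the agent's default token would refuse writes as well.
    """
    if method.upper() not in READ_METHODS:
        return False
    path = normalized_path(raw_path)
    if path == "/" or path == "/ui" or path.startswith("/ui/"):
        return True
    if any(path == d or path.startswith(d + "/") for d in DENIED_API_PREFIXES):
        return False
    return path.startswith("/v1/")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # relay 3xx (e.g. / -> /ui/) to the browser instead of following it


_OPENER = urllib.request.build_opener(_NoRedirect)


class UiGate(BaseHTTPRequestHandler):
    """Minimal reverse proxy: filter, then forward to the UI-only agent.

    Client-supplied Consul tokens (X-Consul-Token header, cookies) are not
    forwarded, so every request runs with the agent's acl.tokens.default.
    """

    def _handle(self) -> None:
        if not allow_request(self.command, self.path):
            self.send_error(403, "only read-only Consul UI requests pass this gate")
            return
        target = CONSUL_UI_AGENT + normalized_path(self.path)
        query = urlsplit(self.path).query
        if query:
            target += "?" + query
        req = urllib.request.Request(target, method=self.command)
        for name in ("Accept", "Accept-Encoding", "User-Agent"):
            if name in self.headers:
                req.add_header(name, self.headers[name])
        try:
            with _OPENER.open(req, timeout=10) as resp:
                self._relay(resp.status, resp.getheaders(), resp.read())
        except urllib.error.HTTPError as err:          # 3xx/4xx/5xx from Consul
            self._relay(err.code, err.headers.items(), err.read())
        except urllib.error.URLError:
            self.send_error(502, "Consul UI agent unreachable")

    def _relay(self, status, headers, body: bytes) -> None:
        self.send_response(status)
        for name, value in headers:
            if name.lower() not in ("transfer-encoding", "connection", "content-length"):
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_PATCH = do_OPTIONS = _handle


if __name__ == "__main__":
    ThreadingHTTPServer(LISTEN, UiGate).serve_forever()
```

Run it on the UI server with the Consul agent bound to loopback only, so that users reach port 8080 on the gate and never port 8500 on the agent directly; otherwise the filter is trivially bypassed. Keep the agent's default token strictly read-only in any case, since the gate is the second line of defence, not the first.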

Hey,
thanks for the reply.

Regarding option 1:

data "consul_acl_token" "anonymous_token" {
  # Built-in anonymous token; this accessor ID is fixed in every Consul cluster.
  accessor_id = "00000000-0000-0000-0000-000000000002"
}

resource "consul_acl_policy" "anonymous_policy" {
  name        = "anonymous_access_policy"
  description = "Allow anonymous access to Consul UI, deny access to Consul API and CLI"
  # Read-only rules in Consul's HCL policy syntax (the JSON form is equivalent).
  # key_prefix "" already covers every key, so a separate exact-match key "" rule
  # adds nothing. Note that an ACL policy cannot tell UI requests apart from
  # API/CLI requests: the same read permissions apply to both.
  rules = <<-RULES
    node_prefix "" {
      policy = "read"
    }
    service_prefix "" {
      policy = "read"
    }
    key_prefix "" {
      policy = "read"
    }
  RULES
}

resource "consul_acl_token_policy_attachment" "attachment" {
  token_id = data.consul_acl_token.anonymous_token.accessor_id
  policy   = consul_acl_policy.anonymous_policy.name
}

Unfortunately, I still don't know how to block operations via the API (curl) and CLI while still having access to the GUI.