I understand that I have no corresponding policy and token in place. But I’m struggling with how to generate consul policy to permit metrics url access from prometheus, which rules should it contain.
Our API documentation contains a table under each of the API paths which calls out the necessary permissions. In the case of /v1/agent/metrics, the required permission is agent:read.
Here’s an example policy which grants this permission for the node named consul-client-1.
```hcl
agent "consul-client-1" {
  policy = "read"
}
```
Alternatively you can utilize agent_prefix to grant access to a set of nodes whose hostnames begin with the “consul-client-” prefix.
What I still don’t understand is how to make this policy more restrictive. I don’t want the token bound to this policy to be applied anywhere else, effectively getting read access to metrics.
Hence the question: how does Consul identify the segment part of the policy for such entities as Prometheus, for example, or just a curl request from the CLI?
The token used by Prometheus needs agent:read permission on each agent it is targeting so that you can scrape the metrics. If the hostnames for your targets are consul-server-1 through consul-server-3, the policy should be: