Read policy to key allows write access

Hello,

I have the following policy:

ID:           d46a887a-8244-8483-59f7-d34ac9961d78
Name:         node-xp
Description:
Datacenters:
Rules:
node_prefix "consul-client" {
	policy = "read"
}

node_prefix "" {
	policy = "read"
}

key "consul-client-1/authorized_keys" {
	policy = "read"
}

The token associated with this policy is used by consul-template to update the ssh authorized keys file.
So my question is simple: I don’t understand why consul-template can change this key when the policy is set to ‘read’. If I comment that stanza altogether or set it to ‘deny’, I immediately get the natural response:

May 10 15:14:45 consul-client-1 consul-template[24366]: 2022-05-10T15:14:45.008Z [WARN] (view) kv.block(consul-client-1/authorized_keys): Unexpected response code: 403 (retry attempt 8 after "32s")

What am I missing here?

Actually I’ve mixed things up. consul-template isn’t writing anything to the kv store, it’s only reading the keys there and it’s writing the content into the authorized_keys file.

So this behaviour is perfectly logical, actually. Sorry for the confusion :slight_smile:

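For anyone landing here with the same confusion, the following is an added example that is not part of the original thread: the read-only policy the poster ends up with, next to a consul-template configuration that consumes it. The file paths, the Consul address and the token value are assumptions for illustration; the key name is the one from the thread. The point it shows is that consul-template only performs a KV read (a blocking query on the key) and then writes to the local filesystem, so the token never needs `write` on the key. If the key stanza is removed or set to `deny`, the read itself is refused and consul-template logs the 403 seen in the original post.

```hcl
# Added example, not from the original thread. Two files shown in one block.

# ---- Consul ACL policy "node-xp" (read-only on the single key that is rendered) ----
node_prefix "" {
  policy = "read"
}

key "consul-client-1/authorized_keys" {
  # "read" is sufficient: consul-template only fetches this value.
  # "deny" (or omitting the stanza) makes the blocking read fail with 403.
  policy = "read"
}

# ---- consul-template config, e.g. /etc/consul-template.d/authorized_keys.hcl (assumed path) ----
consul {
  address = "127.0.0.1:8500"           # assumed local agent address
  token   = "<TOKEN-WITH-node-xp-POLICY>"  # placeholder; the token carrying the policy above
}

template {
  # The value is read from KV and written to a file on this host; the write
  # happens on the local disk, not in Consul, so no KV write permission is used.
  contents             = "{{ key \"consul-client-1/authorized_keys\" }}\n"
  destination          = "/home/deploy/.ssh/authorized_keys"   # assumed destination
  perms                = 0600
  error_on_missing_key = true   # fail loudly instead of rendering an empty file
}
```

Keeping the key at `read` is the least-privilege configuration for this job; a token that can also write the key would let a compromised template host alter the authorized keys distributed to every other consumer of that key.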