Really struggling with ACLs

I’m looking to create node/service entries in the catalog with Terraform and I’ve read the API docs which say that you need node:write,service:write permissions to achieve this. So for testing purposes I created a policy with the following rules:

node "" {
  policy = "write"
}
service "" {
  policy = "write"
}

However, Terraform gets a 403 when I try to use the generated token: Unexpected response code: 403 (rpc error making call: Permission denied)

I swapped out the token for the root token and that works fine, so it’s definitely an ACL issue. I did some reading through the consul_node source code and it definitely only calls /v1/catalog/register, so according to this API section, my permissions should be sufficient.

What am I missing here?

Assuming that this is Consul > v1.4.0 then the issue is that your policy is using exact matching rules instead of the prefix matching form. The policy I think you are going for would look like the following:

node_prefix "" {
   policy = "write"
}

service_prefix "" {
   policy = "write"
}

This will allow registering nodes and services with any names.

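The difference between the two policies above comes down to how Consul matches rule names: an exact rule such as `node ""` only ever matches a node literally named `""`, while `node_prefix ""` matches every name. The following is an added example (not code from the thread or from Consul itself) that models that evaluation so the failing and working policies can be compared side by side; it assumes Consul's documented precedence (exact rule first, then the longest matching prefix rule, then the default policy, taken here as `deny`) and handles only the `kind "name" { policy = "x" }` rule shape shown in the thread.

```python
import re

# Matches node/service and node_prefix/service_prefix rules of the simple
# shape used in the thread (multi-line or single-line).
RULE_RE = re.compile(
    r'(node|service)(_prefix)?\s+"([^"]*)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}'
)


def parse_policy(text):
    """Turn policy HCL into {"node": {"exact": {...}, "prefix": {...}}, "service": ...}."""
    rules = {k: {"exact": {}, "prefix": {}} for k in ("node", "service")}
    for kind, is_prefix, name, policy in RULE_RE.findall(text):
        rules[kind]["prefix" if is_prefix else "exact"][name] = policy
    return rules


def effective_policy(rules, kind, name, default="deny"):
    """Exact rule wins; otherwise the longest matching *_prefix rule; else default."""
    table = rules[kind]
    if name in table["exact"]:
        return table["exact"][name]
    matches = [p for p in table["prefix"] if name.startswith(p)]
    if matches:
        return table["prefix"][max(matches, key=len)]
    return default


def can_register(rules, node, service=None):
    """/v1/catalog/register needs node:write on the node and, when a service
    is included in the registration, service:write on that service."""
    if effective_policy(rules, "node", node) != "write":
        return False
    if service is not None and effective_policy(rules, "service", service) != "write":
        return False
    return True


# Constructed sample policies: the exact-match one from the question and the
# prefix form from the answer.
EXACT_POLICY = 'node "" {\n  policy = "write"\n}\nservice "" {\n  policy = "write"\n}\n'
PREFIX_POLICY = 'node_prefix "" {\n  policy = "write"\n}\nservice_prefix "" {\n  policy = "write"\n}\n'

if __name__ == "__main__":
    for label, text in (("exact", EXACT_POLICY), ("prefix", PREFIX_POLICY)):
        ok = can_register(parse_policy(text), "web-01", "web")
        print(f'{label}: register node "web-01" with service "web" -> {"allowed" if ok else "denied"}')
```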

Oh wow, that’s way easier than I thought; I hadn’t really looked at the prefix resources. Will give that a try, thanks!

Yup, that did it. Thanks @mkeeler!

Seems I need to do some more reading!

Glad I could help. In the course of your reading if you are finding issues with how the information is presented or think something could be clearer feel free to add issues to the GitHub repo.

Consul’s ACL documentation could certainly be improved and feedback about where confusion is occurring would be helpful in determining the ways to improve it.