Create a service token

This topic describes how to create a token that you can use to register a service and discover services in the Consul catalog. If you are using Consul service mesh, a sidecar proxy can use the token to discover and route traffic to other services.

Introduction

Services must present a token linked to policies that grant the appropriate set of permissions in order to be discoverable or to interact with other services in a mesh.

Service identities versus custom policies

You can create tokens linked to custom policies or to service identities. Service identities are constructs in Consul that enable you to quickly grant permissions for a group of services, rather than creating similar policies for each service.

We recommend using a service identity to grant permissions for service discovery and service mesh use cases rather than creating a custom policy. This is because service identities automatically grant the service and its sidecar proxy service:write, service:read, and node:read.

Your organization may have requirements or processes for deploying services in a way that is inconsistent with service and node identities. In these cases, you can create custom policies and link them to tokens.

Requirements

Core ACL functionality is available in all versions of Consul.

The service token must be linked to policies that grant the following permissions:

• service:write: Enables the service to update the catalog. If service mesh is enabled, the service's sidecar proxy can also update the catalog. Note that this permission implicitly grants intention:read permission to sidecar proxies so that they can read and enforce intentions. Refer to Intention Management Permissions for details.
• service:read: Enables the service to learn about other services in the network. If service mesh is enabled, the service's sidecar proxy can also learn about other services in the network.
• node:read: Enables the sidecar proxy to discover and route traffic to other services in the catalog if service mesh is enabled.

Authentication

You must provide an ACL token linked to a policy with acl:write permissions to create and modify ACL tokens and policies using the CLI or API.

You can provide the token manually using the -token option on the command line, but we recommend setting the CONSUL_HTTP_TOKEN environment variable to simplify your workflow:

$ export CONSUL_HTTP_TOKEN=<acl-token-secret-id>

The Consul CLI automatically reads the CONSUL_HTTP_TOKEN environment variable so that you do not have to pass the token to every Consul CLI command.

To authenticate calls to the Consul HTTP API, you must provide the token in the X-Consul-Token header for each call:

$ curl --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" ...

To learn about alternative ways to authenticate, refer to the following documentation:

• CLI Authentication
• API Authentication

Service identity in Consul CE

Refer to Service identities for information about creating service identities that you can link to tokens.

You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an auth method.

$ consul acl token create \
  -description "Service token for svc1" \
  -service-identity "svc1"

$ curl --request PUT http://127.0.0.1:8500/v1/acl/token \
  --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
  --data '{
  "ServiceIdentities": [
    {
      "ServiceName": "svc1"
    }
  ]
}'

Service identity in Consul Enterprise EnterpriseEnterprise

Refer to Service identities for information about creating service identities that you can link to tokens.

You can manually create tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an auth method.

$ consul acl token create -partition "ptn1" -namespace "ns1" \
  -description "Service token for svc1" \
  -service-identity "svc1"

$ curl --request PUT http://127.0.0.1:8500/v1/acl/token \
  --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
  --data '{
  "ServiceIdentities": [
    {
      "ServiceName": "svc1"
    }
  ],
  "Namespace": "ns1",
  "Partition": "ptn1"
}'

Custom policy in Consul CE

When you are unable to link tokens to a service identity, you can define policies, register them with Consul, and link the policies to tokens that enable services to register into the Consul catalog.

Define a policy

You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to ACL Rules for details about all of the rules you can use in your policies.

The following example policy is defined in a file. The policy grants the svc1 service write permissions so that it can register into the catalog. For service mesh, the policy grants the svc1-sidecar-proxy service write permissions so that the sidecar proxy can register into the catalog. It grants service and node read permissions to discover and route to other services.

service "svc1" {
  policy = "write"
}
service "svc1-sidecar-proxy" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}

{
  "node_prefix": {
    "": [{
      "policy": "read"
    }]
  },
  "service": {
    "svc1": [{
      "policy": "write"
    }],
    "svc1-sidecar-proxy": [{
      "policy": "write"
    }]
  },
  "service_prefix": {
    "": [{
      "policy": "read"
    }]
  }
}

Register the policy with Consul

After defining the policies, you can register them with Consul using the command line or API endpoint.

$ consul acl policy create \
    -name "svc1-register" -rules @svc1-register.hcl \
    -description "Allow svc1 to register into the catalog"

$ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \
  --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
  --data '{
  "Name": "svc1-register",
  "Description": "Allow svc1 to register into the catalog",
  "Rules": "service \"svc1\" {\n  policy = \"write\"\n}\nservice \"svc1-sidecar-proxy\" {\n  policy = \"write\"\n}\nservice_prefix \"\" {\n  policy = \"read\"\n}\nnode_prefix \"\" {\n  policy = \"read\"\n}\n"
}'

Link the policy to a token

After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an auth method.

$ consul acl token create \
  -description "Service token for svc1" \
  -policy-name "svc1-register"

$ curl --request PUT http://127.0.0.1:8500/v1/acl/token \
  --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
  --data '{
  "Policies": [
    {
      "Name": "svc1-register"
    }
  ]
}'

Custom policy in Consul Enterprise EnterpriseEnterprise

When you are unable to link tokens to a service identity, you can define policies, register them with Consul, and link the policies to tokens that enable services to register into the Consul catalog.

Define a policy

You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to ACL Rules for details about all of the rules you can use in your policies.

You can specify an admin partition and namespace when creating policies in Consul Enterprise. The policy is only valid in the specified scopes.

The following example policy is defined in a file. The policy allows the svc1 service to register in the ns1 namespace of partition ptn1. For service mesh, the policy grants the svc1-sidecar-proxy service write permissions so that the sidecar proxy can register into the catalog. It grants service and node read permissions to discover and route to other services.

partition "ptn1" {
  namespace "ns1" {
    service "svc1" {
      policy = "write"
    }
    service "svc1-sidecar-proxy" {
      policy = "write"
    }
    service_prefix "" {
      policy = "read"
    }
    node_prefix "" {
      policy = "read"
    }
  }
}

{
  "partition": {
    "ptn1": [{
      "namespace": {
        "ns1": [{
          "node_prefix": {
            "": [{
              "policy": "read"
            }]
          },
          "service": {
            "svc1": [{
              "policy": "write"
            }],
            "svc1-sidecar-proxy": [{
              "policy": "write"
            }]
          },
          "service_prefix": {
            "": [{
              "policy": "read"
            }]
          }
        }]
      }
    }]
  }
}

Register the policy with Consul

After defining the policies, you can register them with Consul using the command line or API endpoint.

$ consul acl policy create -partition "ptn1" -namespace "ns1" \
  -name "svc1-register" -rules @svc1-register.hcl \
  -description "Custom policy for service svc1"

$ curl --request PUT http://127.0.0.1:8500/v1/acl/policy \
  --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
  --data '{
  "Name": "svc1-register",
  "Description": "Allow svc1 to register into the catalog",
  "Namespace": "ns1",
  "Partition": "ptn1",
  "Rules": "partition \"ptn1\" {\n  namespace \"ns1\" {\n    service \"svc1\" {\n      policy = \"write\"\n    }\n    service \"svc1-sidecar-proxy\" {\n      policy = \"write\"\n    }\n    service_prefix \"\" {\n      policy = \"read\"\n    }\n    node_prefix \"\" {\n      policy = \"read\"\n    }\n  }\n}\n"
}'

Link the policy to a token

After registering the policies into Consul, you can create and link tokens using the Consul command line or API endpoint. You can also enable Consul to dynamically create tokens from trusted external systems using an auth method.

$ consul acl token create -partition "ptn1" -namespace "ns1" \
  -description "Service token for svc1" \
  -policy-name "svc1-register"

$ curl --request PUT http://127.0.0.1:8500/v1/acl/token \
  --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
  --data '{
  "Policies": [
    {
      "Name": "svc1-register"
    }
  ],
  "Namespace": "ns1",
  "Partition": "ptn1"
}'