Tags: acl, consul

How to configure multiple Consul ACL roles inside configuration file (without HTTP API)?


In the Consul ACL Internals documentation, sample configuration is provided to set some default ACL rules in both HashiCorp Configuration Language and JSON. It looks like this:

{
  "key": {
    "": {
      "policy": "read"
    },
    "foo/": {
      "policy": "write"
    },
    "foo/private": {
      "policy": "deny"
    }
  },
  "service": {
    "": {
      "policy": "write"
    },
    "secure-": {
      "policy": "read"
    }
  },
  "event": {
    "": {
      "policy": "write"
    },
    "destroy-": {
      "policy": "deny"
    }
  },
  "query": {
    "": {
      "policy": "read"
    }
  },
  "keyring": "read",
  "operator": "read"
}

The documentation only explains how to set up the default role.

Using the HTTP API, you can create role tokens with rules by passing JSON similar to this to the create endpoint:

{
  "Name": "my-app-token",
  "Type": "client",
  "Rules": ""
}

But I want to be able to set this up in my static configuration files to have multiple roles with their associated policies.

How can I do this? Do I just add Name, Type, Roles and a UUID? If so, where/how do I do so?


Solution

  • I have figured out through the Consul Google Groups page that, according to a user, ACLs cannot currently be defined as static config files and must be configured via the HTTP API:

    Currently the ACLs cannot be directly inserted into a configuration file that Consul will read. The API is the primary way of interaction with ACLs.

    (As of 10 October 2015)

    https://groups.google.com/d/msg/consul-tool/fGuFTq0fvcU/f6-mwh4aCQAJ
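Since the answer is that Consul only takes ACL definitions through the HTTP API, the practical workaround for "multiple roles in a static file" is to keep your own roles file and have a small provisioning step push each role to the legacy `PUT /v1/acl/create` endpoint. The script below is an added example written for this thread; it is not code from the asker, the answer, or the Consul project. It assumes a hypothetical roles file (`ROLES_FILE`, constructed inline) whose entries carry the same `key`/`service`/`event`/`query`/`keyring`/`operator` rules structure shown in the question, that the agent accepts rules in that JSON form (the ACL internals docs show both HCL and JSON), and that a management token is supplied via `X-Consul-Token`. Every rule is validated against the only three policy values Consul knows (`read`, `write`, `deny`) before anything is sent, so a typo in a policy fails locally instead of silently becoming a token with unexpected rights.

```python
"""Provision several legacy Consul ACL tokens from one static roles file (example, not Consul code)."""
import json
import urllib.request
from typing import Any, Dict, List

# Constructed sample roles file. Consul itself will not read this file; it is only
# the input to the provisioning step below. Rules use the structure from the question.
ROLES_FILE = """
{
  "roles": [
    {
      "Name": "my-app-token",
      "Type": "client",
      "Rules": {
        "key": {
          "": {"policy": "read"},
          "foo/": {"policy": "write"},
          "foo/private": {"policy": "deny"}
        },
        "service": {"": {"policy": "write"}},
        "keyring": "read"
      }
    },
    {"Name": "ops-token", "Type": "management", "Rules": {}}
  ]
}
"""

VALID_POLICIES = {"read", "write", "deny"}
PREFIX_RESOURCES = {"key", "service", "event", "query"}   # prefix -> {"policy": ...}
SCALAR_RESOURCES = {"keyring", "operator"}                # single policy string
VALID_TOKEN_TYPES = {"client", "management"}


def validate_rules(rules: Dict[str, Any]) -> Dict[str, Any]:
    """Reject unknown resource types and policy values before they reach the agent."""
    for resource, body in rules.items():
        if resource in SCALAR_RESOURCES:
            if body not in VALID_POLICIES:
                raise ValueError(f"{resource}: invalid policy {body!r}")
        elif resource in PREFIX_RESOURCES:
            for prefix, spec in body.items():
                if not isinstance(spec, dict) or spec.get("policy") not in VALID_POLICIES:
                    raise ValueError(f"{resource} {prefix!r}: invalid policy {spec!r}")
        else:
            raise ValueError(f"unknown ACL resource type {resource!r}")
    return rules


def build_create_payloads(roles_doc: Dict[str, Any]) -> List[Dict[str, str]]:
    """Turn each role in the static file into the JSON body /v1/acl/create expects."""
    payloads = []
    for role in roles_doc["roles"]:
        if role["Type"] not in VALID_TOKEN_TYPES:
            raise ValueError(f"{role['Name']}: Type must be one of {sorted(VALID_TOKEN_TYPES)}")
        rules = validate_rules(role.get("Rules", {}))
        # The API takes Rules as a string; JSON rules are serialised into that string.
        payloads.append({"Name": role["Name"], "Type": role["Type"], "Rules": json.dumps(rules)})
    return payloads


def create_tokens(payloads: List[Dict[str, str]], master_token: str,
                  agent: str = "http://127.0.0.1:8500") -> List[str]:
    """PUT each payload to the legacy create endpoint and return the token IDs (needs a live agent)."""
    ids = []
    for payload in payloads:
        req = urllib.request.Request(
            f"{agent}/v1/acl/create",
            data=json.dumps(payload).encode(),
            method="PUT",
            headers={"X-Consul-Token": master_token, "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            ids.append(json.load(resp)["ID"])
    return ids


if __name__ == "__main__":
    import os
    payloads = build_create_payloads(json.loads(ROLES_FILE))
    for p in payloads:
        print(p["Name"], p["Type"], p["Rules"])
    if os.environ.get("CONSUL_HTTP_TOKEN"):   # only talk to an agent when a master token is provided
        print(create_tokens(payloads, os.environ["CONSUL_HTTP_TOKEN"]))
```

Run it with `CONSUL_HTTP_TOKEN` set to a management token to actually create the tokens; without it the script only validates and prints the payloads, which is a useful dry run before touching a cluster. Keep `Type: management` entries to the minimum, since that type bypasses the rules entirely, and treat the roles file as the source of truth so tokens can be recreated after a cluster rebuild.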