I want to use Consul for Service Discovery and as Distributed Configuration for my microservices. Without any security my system is working fine, but I don't want every user to be able to change values in the key-value store. So I tried to introduce security with Consul's ACL, but now my services aren't able to register themselves anymore.
I set the default policy in my HCL configuration to "deny" and tried to set a write policy for every service so they can register themselves with Consul, and a read policy for the key-value store, so the values can only be read via the UI. But my services receive a 403 during the registration process.
agent.hcl
```hcl
# Agent ACL settings as described above: ACLs on, default policy "deny"
# (the original paste repeated the policy rules here instead of the agent config).
acl {
  enabled        = true
  default_policy = "deny"
}
```
consul-policy.hcl
```hcl
service_prefix "" {
  policy = "write"
}
key_prefix "" {
  policy = "read"
}
```
I started the server with:
```shell
consul agent -config-file agent.hcl -dev
```
And added the policy (after getting and setting an ACL token):
```shell
consul acl policy create -name consul-server-one -rules @consul-policy.hcl
```
What I missed was the fact that you need to generate tokens for a policy:
```shell
consul acl token create -description "Token description" -policy-name "consul-server-one" -token "(your global token)"
```
And I wanted to use a default token, which can be set via:
```shell
consul acl set-agent-token -token "(your global token)" default (your generated token)
```
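Taking the steps above one step further, as an added example (not part of the question or the answer): a shell helper that gives each service a token scoped to its own name instead of one policy with service:write on every name, and registers with that token so a 403 only appears when a token tries to write a name it does not own. Assumed: a local agent at 127.0.0.1:8500, a management token exported in CONSUL_HTTP_TOKEN, and curl plus the consul CLI on PATH.

```shell
# Assumed: local agent at 127.0.0.1:8500, management token in
# CONSUL_HTTP_TOKEN, curl and the consul CLI on PATH.

# Emit rules scoped to one service: write only on its own name, read on
# other services (for discovery) and read on its own KV prefix.
service_policy_rules() {
  svc="$1"
  kv_prefix="${2:-config/$svc/}"
  cat <<EOF
service "$svc" {
  policy = "write"
}
service_prefix "" {
  policy = "read"
}
key_prefix "$kv_prefix" {
  policy = "read"
}
EOF
}

# Create the policy and a token bound to it; prints the token's SecretID.
create_service_token() {
  svc="$1"
  service_policy_rules "$svc" > "/tmp/svc-$svc.hcl"
  consul acl policy create -name "svc-$svc" -rules "@/tmp/svc-$svc.hcl" >/dev/null
  consul acl token create -description "token for $svc" \
    -policy-name "svc-$svc" -format=json |
    sed -n 's/.*"SecretID": *"\([^"]*\)".*/\1/p'
}

# Register through the local agent with the service's own token.
# Prints the HTTP status: 200 when the token may write this service name,
# 403 when it may not (or when no token is sent under default_policy deny).
register_service() {
  svc="$1"; port="$2"; token="$3"
  curl -sS -o /dev/null -w '%{http_code}' -X PUT \
    -H "X-Consul-Token: $token" \
    --data "{\"Name\":\"$svc\",\"Port\":$port}" \
    http://127.0.0.1:8500/v1/agent/service/register
}

# Example run (needs a live agent):
#   TOKEN=$(create_service_token web)
#   register_service web 8080 "$TOKEN"   # 200
#   register_service api 9090 "$TOKEN"   # 403: token is scoped to "web"
```

Each service then sends only its own token (header X-Consul-Token or CONSUL_HTTP_TOKEN), so the agent's default token can stay read-only or unset.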