I've recently activated ACLs in Consul and everything seems to be accessible except for the metrics endpoint (/v1/agent/metrics).
I've tried all kinds of combinations of rules in the policy I'm using to generate the token used in the curl request (see below), but none works except for the bootstrap token. However, I don't think it is right to use that token for metrics, as it has too many permissions.
```
curl -H 'X-Consul-Token: <redacted>' https://consul-url.com/v1/agent/metrics
```
Does anyone know which rules to use in the ACL policy so I can access metrics?
Just before pulling my last hair out I found a working solution. I couldn't find any explicit reference to it but I've tested it and it works, so I hope it helps someone. See below the rules to set in the policy used to create a token to get metrics:
```
acl = "read"
keyring = "read"
operator = "read"
query_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
session_prefix "" {
  policy = "read"
}
agent_prefix "" {
  policy = "read"
}
event_prefix "" {
  policy = "read"
}
key_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
```
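
An added example, not part of the original post: Consul's HTTP API documentation lists `agent:read` as the ACL required for `/v1/agent/metrics`, so a token used only for scraping metrics can be narrowed to the agent rule instead of carrying read access to ACLs, the keyring and the KV store. The node name `consul-server-1` is a hypothetical placeholder.

```hcl
# Added example, not the original poster's policy.
# Assumption: per Consul's HTTP API documentation, GET /v1/agent/metrics
# requires only agent:read on the agent that answers the request.

# Variant 1: read access to every agent, so the same token can scrape
# metrics from any server or client agent in the datacenter.
agent_prefix "" {
  policy = "read"
}

# Variant 2 (use instead of variant 1): limit the token to a single agent.
# "consul-server-1" is a hypothetical node name; it must match the node
# name of the agent being queried.
# agent "consul-server-1" {
#   policy = "read"
# }

# Rules from the broad policy that are deliberately left out here:
#   acl = "read"        - read access to ACL policies, roles and token listings
#   keyring = "read"    - read access to the gossip keyring
#   key_prefix ""       - read access to every key in the KV store
#   operator, query, service, session, event, node rules - not needed
#                         by the metrics endpoint
```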