Command line interface to the Consul ACL HTTP API. Documentation for the Consul ACL system is at the Consul ACL internals page.
You can download a released consulacl
artifact from the consulacl release page on Github. If you wish to compile from source, you will need to have buildtools and Go installed:
$ git clone https://github.com/CiscoCloud/consulacl.git
$ cd consulacl
$ make
usage: consulacl [--version] [--help] <command> [<args>]
Available commands are:
clone Create a new token from an existing one
create Create an ACL
destroy Destroy an ACL
info Query an ACL token
list List a value
update Update an ACL
Option | Default | Description |
---|---|---|
--consul |
127.0.0.1:8500 |
HTTP address of the Consul Agent |
--ssl |
false |
Use HTTPS while talking to Consul |
--ssl-verify |
true |
Verify certificates when connecting via SSL. Requires --ssl |
--ssl-cert |
unset |
Path to an SSL client certificate to use to authenticate to the consul server |
--ssl-ca-cert |
unset |
Path to a CA certificate file, containing one or more CA certificates to use to validate the certificate sent by the consul server to us. |
--token * |
unset |
The Consul API token. |
* A management token is required for all ACL operations
consulacl clone [options] id
Create a new token from an existing one
$ consulacl clone --sll --token=b78191f9-01fb-24d0-4278-be05ee82c6c4 19933651-439e-5123-5a2f-6bdf2afa0d70
a06db641-070d-eae0-1ff8-8e8c67399fa4
Usage: consulacl create [options]
Create an ACL. Requires a management token.
Options:
--management Create a management token
(default: false)
--name Name of the ACL
(default: not set)
--rule='type:path:policy' Rule to create. Can be multiple rules on a command line
(default: not set)
Option | Default | Description |
---|---|---|
management |
false |
Create the token as a management ACL |
name |
not set |
Name of the ACL |
rule |
not set |
Rule to create |
Multiple rules can be specified on the command line. The format for the rule
is [key|service]:path:[read:write:deny]
. The list of rules is converted to a JSON object:
{
"key": {
"<path_1>": {
"policy": "<policy_1>"
}, ...
},
"service": {
"<path_2>": {
"policy": "<policy_2>"
}, ...
}
}
An empty path
attribute generates:
{
"key": {
"": {
"policy": "<policy_1>"
}
}
}
The token id of the newly created ACL is printed on stdout on success.
$ consulacl create --ssl --token=b78191f9-01fb-24d0-4278-be05ee82c6c4 \
--rule='key:test/node:read' \
--rule='service:hello-world:write'
25c25096-e680-2faa-d864-b9314308387a
consulacl destroy [options] id
Destroy an ACL
$ consulacl destroy --ssl --token=b78191f9-01fb-24d0-4278-be05ee82c6c4 \
25c25096-e680-2faa-d864-b9314308387a
consulacl info [options] id
Query information about an ACL token
$ consulacl info --ssl --ssl-verify=false --token=b78191f9-01fb-24d0-4278-be05ee82c6c4 \
25c25096-e680-2faa-d864-b9314308387a
{
"CreateIndex": 4100,
"ModifyIndex": 4100,
"ID": "25c25096-e680-2faa-d864-b9314308387a",
"Name": "",
"Type": "client",
"Rules": "{\"key\":{\"test/node\":{\"Policy\":\"read\"}},\"service\":{\"hello-world\":{\"Policy\":\"write\"}}}"
}
### list command
#### Usage
```shell
consulacl list [options]
List all active ACL tokens.
$ consulacl list --ssl --token=b78191f9-01fb-24d0-4278-be05ee82c6c4
{
{
"CreateIndex": 3,
"ModifyIndex": 3,
"ID": "anonymous",
"Name": "Anonymous Token",
"Type": "client",
"Rules": ""
},
{
"CreateIndex": 4100,
"ModifyIndex": 4100,
"ID": "25c25096-e680-2faa-d864-b9314308387a",
"Name": "",
"Type": "client",
"Rules": "{\"key\":{\"test/node\":{\"Policy\":\"read\"}},\"service\":{\"hello-world\":{\"Policy\":\"write\"}}}"
}
}
The update command updates an ACL if it exists and creates a new one if it does not. All of the ACL settings are overwritten on update.
Usage: consulacl update [options] id
Update an ACL. Will be created if it doesn't exist.
Options:
--management Create a management token
(default: false)
--name Name of the ACL
(default: not set)
--rule='type:path:policy' Rule to create. Can be multiple rules on a command line
(default: not set)
Option | Default | Description |
---|---|---|
management |
false |
Create the token as a management ACL |
name |
not set |
Name of the ACL |
rule |
not set |
Rule to create |
Multiple rules can be specified on the command line. The format for the rule
is [key|service]:path:[read:write:deny]
. The list of rules is converted to a JSON object:
{
"key": {
"<path_1>": {
"policy": "<policy_1>"
}, ...
},
"service": {
"<path_2>": {
"policy": "<policy_2>"
}, ...
}
}
An empty path
attribute generates:
{
"key": {
"": {
"policy": "<policy_1>"
}
}
}
The token id of the newly created ACL is printed on stdout on success.
$ consulacl update --ssl --token=b78191f9-01fb-24d0-4278-be05ee82c6c4 \
--rule='key:test/node:read' \
--rule=`key:test/node1:write' \
--rule='service:hello-world:write' \
25c25096-e680-2faa-d864-b9314308387a