Cluster access permissions
This page explains the concepts behind the read/write permissions that the global-management token grants to HCP Consul when you link a self-managed cluster. It also summarizes the differences between self-managed clusters linked to HCP Consul with read/write access and those linked with read-only access, and describes the Consul ACL policies that grant each level of access.
Background
When you link a self-managed Consul cluster with HCP Consul, your cluster uses an ACL token to grant access to HCP Consul Central, HashiCorp's hosted management plane service. The management plane stores this token in a dedicated Vault environment for your organization and uses it to access your self-managed cluster when providing observability and lifecycle management operations through dashboards in the HCP portal.
During the cluster linking process, HCP Consul prompts you to choose between granting HCP Consul read/write or read-only access to your cluster. Your decision determines the ACL policy attached to the token that HCP Consul Central uses to access your self-managed cluster. You can change a cluster's read-only permissions to read/write using HCP Consul. However, to convert a read/write cluster to read-only, you must unlink the cluster from HCP Consul and then re-link it. For details on this process, refer to Manage HCP's cluster access permissions.
For more information about HCP Consul Central and the benefits it provides, refer to HCP Consul Central. For more information about how the linking process works, refer to Link self-managed clusters with HCP Consul overview.
Permission comparison
The following table describes the differences in HCP Consul Central features that are available for self-managed clusters when linked with read/write permissions and read-only permissions.
Permission level | Consul Central UI View | Consul Central UI Operations | Observability dashboards | Cluster peering workflow | Version upgrades | Editable permissions while linked |
---|---|---|---|---|---|---|
Read/write | ✅ | ✅ | ✅ | ✅ | ✅ | ❌ |
Read-only | ✅ | ❌ | ✅ | ❌ | ❌ | ✅ |
ACL policy comparison
Clusters with read/write access permissions use a token with the global-management policy attached to it. This policy, which is also attached to the ACL bootstrap token, grants write permissions for your entire cluster.
Clusters with read-only access permissions use a token with the builtin/global-read-only policy attached to it. This policy contains the following ACL rules:
For more information about the ACL system and the access it provides, refer to Access Control List (ACL) Overview in the Consul documentation.
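As an added example (not part of the HCP documentation or the Consul project), the following script audits which access level a linked cluster has granted by inspecting the policies attached to its ACL tokens. It parses a constructed sample in the shape of `consul acl token list -format=json`; the accessor IDs, policy IDs, and the assumption that the HCP link token's description contains "HCP" are made up for the example.

```python
import json
from typing import Dict, List, Tuple

# Policy names taken from the page: the read/write link attaches
# global-management, the read-only link attaches builtin/global-read-only.
READ_WRITE_POLICY = "global-management"
READ_ONLY_POLICY = "builtin/global-read-only"

# Constructed sample in the shape of `consul acl token list -format=json`.
# Accessor IDs, policy IDs and descriptions are made up for this example.
SAMPLE_TOKEN_LIST = json.dumps([
    {"AccessorID": "aaaaaaaa-0000-0000-0000-000000000001",
     "Description": "Bootstrap Token (Global Management)",
     "Policies": [{"ID": "00000000-0000-0000-0000-000000000001",
                   "Name": "global-management"}]},
    {"AccessorID": "bbbbbbbb-0000-0000-0000-000000000002",
     "Description": "HCP Consul Central link token",
     "Policies": [{"ID": "00000000-0000-0000-0000-000000000002",
                   "Name": "builtin/global-read-only"}]},
    {"AccessorID": "cccccccc-0000-0000-0000-000000000003",
     "Description": "web service token",
     "Policies": [{"ID": "11111111-0000-0000-0000-000000000003",
                   "Name": "web-service"}]},
])


def access_level(token: dict) -> str:
    """Map a token's attached policies to the access level the page describes."""
    names = {p.get("Name") for p in token.get("Policies", [])}
    if READ_WRITE_POLICY in names:
        return "read/write"   # full write access to the cluster
    if READ_ONLY_POLICY in names:
        return "read-only"
    return "other"


def audit_tokens(token_list_json: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group (AccessorID, Description) pairs by the access level they carry."""
    grouped: Dict[str, List[Tuple[str, str]]] = {"read/write": [], "read-only": [], "other": []}
    for token in json.loads(token_list_json):
        grouped[access_level(token)].append((token["AccessorID"], token.get("Description", "")))
    return grouped


def hcp_link_level(token_list_json: str, description_match: str = "HCP") -> str:
    """Access level of the first token whose description contains the match (assumed naming)."""
    for token in json.loads(token_list_json):
        if description_match in token.get("Description", ""):
            return access_level(token)
    return "unknown"
```

Any token in the `read/write` group other than the bootstrap token is worth reviewing, because the global-management policy it carries grants write access to the whole cluster.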