Add a dedicated read-only token for HCP Consul
This page describes how to create a dedicated read-only token in a self-managed Consul cluster when linking it to HCP Consul. This token enables HCP Consul Central to provide secure access to your Consul deployment without giving HCP access to a token with the cluster's global-management
policy attached.
Requirements
Linking a self-manged cluster in read-only mode is supported in Consul v1.14.9, v1.15.5, and v1.16.1 or later. If necessary, upgrade your existing cluster before attempting to link it to HCP.
Your cluster must have ACLs enabled and the ACL system must be bootstrapped in order to link it to HCP Consul in read-only mode. To enable Consul's ACL system:
- On VMs, set
acl.enabled=true
in the agent's configuration file. - On Kubernetes, set
global.acls.manageSystemACLs: true
in the Consul Helm chart.
ACL bootstrap token requirements
The consul-k8s
CLI automatically bootstraps ACLs on your behalf when you update global.acls.manageSystemACLs
in your values.yaml
configuration and apply the change to your cluster. To retrieve the bootstrap token from your the Consul namespace of your Kubernetes Secrets, run the following command:
When linking clusters to HCP Consul, the ACL bootstrap token is the minimum requirement in order to authorize the API, CLI, and UI interactions detailed on this page. For production-ready environments, we recommend completing the entire process detailed in the Bootstrap and explore Consul's access control system tutorial to fully secure your cluster. This tutorial begins with steps for manually bootstrapping the ACL system by creating the initial management token, and includes instructions for creating UI access tokens.
For a list of software versions required to link a self-managed cluster, refer to Link existing self-managed clusters prerequisites.
Create a read-only ACL token for HCP Consul
To link a self-managed cluster in read-only mode, you must create a read-only ACL token in your Consul cluster and then add the token's SecretID
to HCP Consul. You can create a new ACL token and attach Consul's builtin/global-read-only
ACL policy using the CLI, HTTP API, or Consul UI. A token with acl:write
permissions is required to create a new ACL token.
Refer to view catalog in Consul Enterprise for additional guidance on creating policies and attaching them to tokens. For step-by-step guidance on creating tokens for different uses, refer to the Secure Consul with access control lists (ACLs) tutorial in the Consul documentation.
Issue the following cURL request to create a new ACL token and attach the builtin/global-read-only
policy.
The API responds with a JSON payload that contains the token's SecretID
.
For more information, including a request body schema, sample payload, and sample response, refer to /agent/acl
endpoint in the Consul documentation.
After you copy the SecretID
of your dedicated read-only token, you can complete the process to link a self-managed cluster to HCP Consul Central in read-only mode. Refer to Link existing self-managed clusters for more information about the linking process.