Consul ACLs – an Introduction
HashiCorp’s Consul is a popular service discovery and key/value storage tool that has become a core component of many distributed applications.
However, if Consul is not secured, an intruder who can reach an agent can register a service of their own and capture traffic. For example, if you run an auth service, the intruder can register another instance under the same name. Consul then answers lookups of auth.service.consul with the intruder's address alongside the legitimate ones, so a share of the login requests (and the credentials in them) are delivered to the intruder.
Consul's access controls are disabled by default: neither the key/value store nor the service discovery endpoints check who is calling. This means anyone (including intruders) who can connect to a Consul agent is able to register services, deregister the real ones, and read or modify key/value data.
But don't despair! Consul has an Access Control List (ACL) system that can be used to control who may read and write each service, key prefix and node. Once it is enabled with a deny-by-default policy, every request must carry a token, and only a token whose policy grants write access to the auth service can register or change it, so the rogue registration above is refused.
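The following is an added example (it is not configuration from the original post or from HashiCorp's documentation) showing the default, unprotected agent setting next to the corrected one, together with a minimal ACL policy for the auth service. The policy name, file name and key prefix are assumptions made for the example.

```hcl
# Added example (not from the original post): Consul agent configuration with
# the ACL system turned on, plus an ACL policy that only permits the holder to
# register the "auth" service. Names below (auth-service, auth/) are assumptions.

# --- Weak setting (the default when the acl block is absent): no token is
#     checked, so anyone who can reach the agent may register "auth".
# acl {
#   enabled = false
# }

# --- Corrected agent configuration (put in every server and client agent's
#     config directory; the change requires a restart).
acl {
  enabled                  = true
  default_policy           = "deny"   # anything not explicitly granted is refused
  enable_token_persistence = true     # tokens set through the API survive a restart
}

# --- auth-service-policy.hcl (assumed file name): rules for a token handed
#     only to the real auth service instances. A token without service:write
#     on "auth" cannot register, update or deregister that service.
service "auth" {
  policy = "write"
}
key_prefix "auth/" {
  policy = "read"   # the auth service may read its own configuration keys
}
node_prefix "" {
  policy = "read"   # lets the service discover the nodes it runs beside
}
```

After the agents restart, run `consul acl bootstrap` once to obtain the initial management token, then create the policy and a token bound to it with `consul acl policy create -name auth-service -rules @auth-service-policy.hcl` and `consul acl token create -policy-name auth-service`. The auth service sends that token in the `X-Consul-Token` header (or via `CONSUL_HTTP_TOKEN`) when it registers itself; a registration of "auth" with no token, or with a token lacking `service "auth" { policy = "write" }`, is rejected with HTTP 403. Note that `default_policy = "deny"` also blocks anonymous reads, including DNS lookups, so clients that only resolve names need a token with read rights on the services and nodes they query, for instance through the agent's `tokens { default = "..." }` setting.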