Asteris

Consul ACLs – an Introduction

// Steven Borrelli // Consul

HashiCorp’s Consul is a popular service discovery and key/value storage tool that has become a core component of many distributed applications.

However, if Consul is not secured, an intruder could register their own service and capture traffic. For example, if you have an auth service, the intruder could register another service with the same DNS entry auth.service.consul and collect login information.

Consul does not implement access controls on the key-value data or service discovery endpoints by default. This means anyone (including intruders) is able to connect to a Consul host, register services, and modify data.

But don’t despair! Consul has an Access Control List (ACL) system that can be used to control who can read and write data. This means we can keep intruders from registering services without authenticating to the Consul server.
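A small configuration audit for the problem described above, added here as an example that is not from the original article: it checks a Consul agent's JSON configuration for ACL enforcement and a default-deny policy. The sample configs are constructed, `audit_acl` is a hypothetical helper name, and the keys checked are Consul's `acl` block plus the older `acl_datacenter` / `acl_default_policy` settings.

```python
import json

# Constructed sample agent configs (not taken from the article).
OPEN_CONFIG = '{"datacenter": "dc1", "server": true}'
HARDENED_CONFIG = json.dumps({
    "datacenter": "dc1",
    "server": True,
    "acl": {"enabled": True, "default_policy": "deny"},
})
LEGACY_CONFIG = json.dumps({
    "datacenter": "dc1",
    "acl_datacenter": "dc1",
    "acl_default_policy": "allow",
})


def audit_acl(config_text):
    """Return a list of findings; an empty list means ACLs are on with default deny."""
    cfg = json.loads(config_text)
    acl = cfg.get("acl") or {}
    # Newer configs use the acl block; older ones turn ACLs on via acl_datacenter.
    enabled = acl.get("enabled") is True or bool(cfg.get("acl_datacenter"))
    if not enabled:
        return ["ACLs disabled: any client can register services and write keys"]
    findings = []
    # Consul falls back to "allow" when no default policy is configured.
    policy = acl.get("default_policy") or cfg.get("acl_default_policy") or "allow"
    if policy != "deny":
        findings.append(
            "default policy is %r: requests without a matching rule are still permitted"
            % policy
        )
    return findings


if __name__ == "__main__":
    for name, text in [("open", OPEN_CONFIG),
                       ("hardened", HARDENED_CONFIG),
                       ("legacy", LEGACY_CONFIG)]:
        print(name, audit_acl(text) or "ok")
```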
