» Consul ACL Policy Create
Command: consul acl policy create
The acl policy create
command creates new policies. The policies rules can either be set explicitly or the
-from-token
parameter may be used to load the rules from a legacy ACL token. When loading
the rules from an existing legacy ACL token, the rules get translated from the legacy syntax
to the new syntax.
Both the -rules
and -from-token
parameter values allow loading the value
from stdin, a file or the raw value. To use stdin pass -
as the value.
To load the value from a file prefix the value with an @
. Any other
values will be used directly.
Deprecated: The -from-token
and -token-secret
arguments exist only as a convenience
to make legacy ACL migration easier. These will be removed in a future major release when
support for the legacy ACL system is removed.
» Usage
Usage: consul acl policy create [options] [args]
» API Options
-
-ca-file=<value>
- Path to a CA file to use for TLS when communicating with Consul. This can also be specified via theCONSUL_CACERT
environment variable. -
-ca-path=<value>
- Path to a directory of CA certificates to use for TLS when communicating with Consul. This can also be specified via theCONSUL_CAPATH
environment variable. -
-client-cert=<value>
- Path to a client cert file to use for TLS whenverify_incoming
is enabled. This can also be specified via theCONSUL_CLIENT_CERT
environment variable. -
-client-key=<value>
- Path to a client key file to use for TLS whenverify_incoming
is enabled. This can also be specified via theCONSUL_CLIENT_KEY
environment variable. -
-http-addr=<addr>
- Address of the Consul agent with the port. This can be an IP address or DNS address, but it must include the port. This can also be specified via theCONSUL_HTTP_ADDR
environment variable. In Consul 0.8 and later, the default value is http://127.0.0.1:8500, and https can optionally be used instead. The scheme can also be set to HTTPS by setting the environment variableCONSUL_HTTP_SSL=true
. This may be a unix domain socket usingunix:///path/to/socket
if the agent is configured to listen that way. -
-tls-server-name=<value>
- The server name to use as the SNI host when connecting via TLS. This can also be specified via theCONSUL_TLS_SERVER_NAME
environment variable. -
-token=<value>
- ACL token to use in the request. This can also be specified via theCONSUL_HTTP_TOKEN
environment variable. If unspecified, the query will default to the token of the Consul agent at the HTTP address. -
-token-file=<value>
- File containing the ACL token to use in the request instead of one specified via the-token
argument orCONSUL_HTTP_TOKEN
environment variable. This can also be specified via theCONSUL_HTTP_TOKEN_FILE
environment variable.
-
-datacenter=<name>
- Name of the datacenter to query. If unspecified, the query will default to the datacenter of the Consul agent at the HTTP address. -
-stale
- Permit any Consul server (non-leader) to respond to this request. This allows for lower latency and higher throughput, but can result in stale data. This option has no effect on non-read operations. The default value is false.
» Command Options
-
-description=<string>
- A description of the policy. -
-from-token=<string>
- The legacy token to retrieve the rules for when creating this policy. When this is specified no other rules should be given. Similar to the -rules option the token to use can be loaded from stdin or from a file. -
-meta
- Indicates that policy metadata such as the content hash and raft indices should be shown for each entry. -
-name=<string>
- The new policy's name. This flag is required. -
-rules=<string>
- The policy rules. May be prefixed with '@' to indicate that the value is a file path to load the rules from. '-' may also be given to indicate that the rules are available on stdin. -
-token-secret
- Indicates the token provided with -from-token is a SecretID and not an AccessorID. -
-valid-datacenter=<value>
- Datacenter that the policy should be valid within. This flag may be specified multiple times.
» Examples
Create a new policy that is valid in all datacenters:
$ consul acl policy create -name "acl-replication" -description "Policy capable of replicating ACL policies" -rules 'acl = "read"'
ID: 35b8ecb0-707c-ee18-2002-81b238b54b38
Name: acl-replication
Description: Policy capable of replicating ACL policies
Datacenters:
Rules:
acl = "read"
Create a new policy valid only in specific datacenters with rules read from a file:
$ consul acl policy create -name "replication" -description "Replication" -rules @rules.hcl -valid-datacenter dc1 -valid-datacenter dc2
ID: ca44555b-a2d8-94de-d763-88caffdaf11f
Name: replication
Description: Replication
Datacenters: dc1, dc2
Rules:
acl = "read"
service_prefix "" {
policy = "read"
intentions = "read"
}
Create a new policy with rules equivalent to that of a legacy ACL token:
$ consul acl policy create -name "node-services-read" -from-token 5793a5ce -description "Can read any node and service"
ID: 06acc965-df4b-5a99-58cb-3250930c6324
Name: node-services-read
Description: Can read any node and service
Datacenters:
Rules:
service_prefix "" {
policy = "read"
}
node_prefix "" {
policy = "read"
}