Merge 95f495c into backport/docs/NET-1825/acl-token-docs-2/remotely-composed-bluebird
hc-github-team-consul-core authored Jul 24, 2023
2 parents ee692d8 + 95f495c commit fcecc5c
Showing 5 changed files with 9 additions and 13 deletions.
Expand Up @@ -11,7 +11,7 @@ This topic describes how to create a token for the Consul External Service Monit

## Introduction

Consul External Service Monitor (ESM) can monitor third party or external services in contexts where it is not possible to run a Consul agent. To learn more about Consul ESM, refer to the [Register External Services with Consul Service Discovery](/consul/tutorials/developer-discovery/service-registration-external-services) tutorial.
Consul external service monitor (ESM) can monitor third-party or external services in contexts where you are unable to run a Consul agent. To learn more about Consul ESM, refer to the [Register External Services with Consul Service Discovery](/consul/tutorials/developer-discovery/service-registration-external-services) tutorial.


## Requirements
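Review bot: The rewritten first sentence of the Introduction lowercases the product name to "Consul external service monitor (ESM)", while the topic sentence shown in the hunk header still reads "Consul External Service Monitor"; pick one casing and apply it to both so the page stays consistent. The two blank lines left before `## Requirements` could also be collapsed to one.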
Expand All @@ -28,7 +28,7 @@ Consul ESM must present a token linked to policies that grant the following perm
* `session:write`: Enables Consul ESM is registered to acquire a leader lock
* `acl:read`: (Enterprise-only) Enables Consul ESM to scan namespaces for nodes and health checks to monitor

-> Note: Consul ESM does not currently support non-default partitions.
Consul ESM only supports `default` admin partitions.

@include 'create-token-requirements.mdx'
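Review bot: The replacement line "Consul ESM only supports `default` admin partitions." drops the note callout and reads as if there were several default partitions; "Consul ESM supports only the `default` admin partition." is more precise, and keeping it as a note would keep the limitation visible to operators scoping the token. While this list is being touched, the `session:write` bullet in the context reads "Enables Consul ESM is registered to acquire a leader lock", which needs rewording.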

Expand Up @@ -7,11 +7,11 @@ description: >-

# Create a DNS token

This topic describes how to create a token that you can use to enable using Consul DNS.
This topic describes how to create a token that enables the Consul DNS to query services in the network when ACLs are enabled.

## Introduction

A Consul agent must be configured with a token linked to policies that grant the appropriate set of permissions. To enable catalog lookups over DNS, the token must be linked to policies that grant the following permissions:
A Consul agent must be configured with a token linked to policies that grant the appropriate set of permissions.

Specify the [`default`](/consul/docs/agent/config/config-files#acl_tokens_default) token to the Consul agent to authorize the agent to respond to DNS queries. Refer to [DNS usage overview](/consul/docs/services/discovery/dns-overview) for details on configuring and using Consul DNS.
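Review bot: With "To enable catalog lookups over DNS, the token must be linked to policies that grant the following permissions:" removed, the Introduction no longer says which permissions a DNS token needs, only "the appropriate set of permissions". Dropping the dangling lead-in is right, since no list followed it in this section, but add a pointer to wherever the required rules are listed so readers do not fall back on an over-privileged token. In the new topic sentence, "the Consul DNS" would read better as "Consul DNS".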

Expand Up @@ -7,14 +7,13 @@ description: >-

# Create a replication token

This topic describes how to configure an ACL token for ACL replication between WAN-federated datacenters.
This topic describes how to configure an ACL token for ACL replication between WAN-federated datacenters. If your Consul clusters are connected through peer connections, ACL replication is not required. To learn more about cluster peering, refer to the [comparison between WAN federation and cluster peering](/consul/docs/connect/cluster-peering#compared-with-wan-federation).

## Introduction

Consul agents must present a token linked to policies that grant the appropriate set of permissions.
Specify the [`replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) token on each server in a non-primary datacenter. To learn about configuring ACL replication, refer to the ACL Replication for Multiple Datacenters tutorial.
Specify the [`replication`](/consul/docs/agent/config/config-files#acl_tokens_replication) token on each server in a non-primary datacenter. For hands-on instructions on how to configure ACL replication across datacenters, refer to the [ACL Replication for Multiple Datacenters](/consul/tutorials/security-operations/access-control-replication-multiple-datacenters) tutorial.

-> Note: ACL replication is only supported for WAN-federated datacenters. When using cluster peering to connect Consul datacenters, ACL replication is not required. To learn more about cluster peering, refer to Differences between WAN federation and cluster peering.

## Requirements
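Review bot: The removed note said ACL replication "is only supported for WAN-federated datacenters"; the sentence that replaces it in the opening paragraph says only that replication "is not required" for peered clusters, which can be read as optional rather than unsupported. Keep the "only supported" wording in the new sentence if that restriction still holds.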

Expand Up @@ -11,10 +11,6 @@ This topic describes how to create a token for the Consul snapshot agent.

<EnterpriseAlert />

~> The [`agent`](/consul/commands/snapshot/agent) subcommand described here is
available only in [Consul Enterprise](https://www.hashicorp.com/products/consul/)
version 0.7.1 and later. All other [snapshot subcommands](/consul/commands/snapshot)
are available in the open source version of Consul.

## Introduction
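Review bot: The callout removed here limited the `agent` subcommand to Consul Enterprise "version 0.7.1 and later", and the paragraph added under Requirements in the next hunk says only that it "requires Consul Enterprise". If the version floor is being dropped deliberately, say so in the commit description; otherwise carry it over.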

Expand All @@ -24,7 +20,10 @@ servers and either saves them locally or pushes them to a remote storage service
## Requirements

Core ACL functionality is available in all versions of Consul.
### `agent` command requirements

The [`agent`](/consul/commands/snapshot/agent) subcommand requires [Consul Enterprise](https://www.hashicorp.com/products/consul/). All other [snapshot subcommands](/consul/commands/snapshot)
are available in the open source version of Consul.
The Consul snapshot agent must present a token linked to policies that grant the following set of permissions.

* `acl:write`: Enables the agent read and snapshot ACL data
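Review bot: The new `### agent command requirements` heading follows "Core ACL functionality is available in all versions of Consul." with no blank line, and the added paragraph runs straight into "The Consul snapshot agent must present a token" with none either, so the token permission list ends up inside the subsection about the `agent` subcommand's edition requirement. Add a blank line before the heading and after the added paragraph, and consider a separate subheading for the token permissions. The `acl:write` bullet in the context also reads "Enables the agent read and snapshot ACL data", which is missing "to".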
Expand Up @@ -31,10 +31,8 @@ To create a token for Vault’s Consul storage backend, you must define a policy

### Define a policy


You can send policy definitions as command line or API arguments or define them in an external HCL or JSON file. Refer to [ACL Rules](/consul/docs/security/acl/acl-rules) for details about all of the rules you can use in your policies.


The following example policy is defined in a file. The policy grants the appropriate permissions to enable Vault to register as a service named `vault` and provides access to the `vault/` path in Consul's KV store.

<CodeTabs>