/ website / blog

minimal consul acl connect setup

October 20, 2022

Often I need a simple Consul agent with ACLs and Connect enabled for a simple reproduction or demonstration. Although there is a “dev mode” Consul really does not make things easy for getting setup beyond a trivial, insecure agent.

This post is a step-by-step guide on how I start from nothing and end up with a single-node Consul cluster usable with ACLs and Connect enabled. This guide is not about creating a production - ready Consul cluster, for that take a look at the official Consul ACL Guide.

Initial Consul Agent Config

Create the initial Consul agent configuration file consul.hcl. We can turn ACLs on immediately, but there will be warnings in log output until we bootstrap the ACL system, which will happen next.

Note the grpc port and connect configuration - these are required if using Consul Connect features.

server           = true
data_dir         = "/tmp/consul"
log_level        = "info"
bind_addr        = ""
bootstrap_expect = 1

ports {
  grpc = 8502

connect {
  enabled = true

acl = {
  enabled                  = true
  default_policy           = "deny"
  enable_token_persistence = true
  tokens = {
    // agent = ...

Start Consul Agent

Now we are ready to start the Consul agent. Use the agent configuration file we created from above.

consul agent -config-file=consul.hcl

Bootstrap ACL System

In another terminal, we can use the Consul CLI to interact with the Consul agent. The first thing we need to do is activate the ACL subsystem.

consul acl bootstrap

This will generate a Bootstrap Token based on the built-in global-management policy. Copy the SecretID and export it in your environment so we can continue using the Consul CLI.

export CONSUL_HTTP_TOKEN=<secret-id>

Create an Agent Token

In the initial Consul agent configuration we commented out the line for agent = ..., because on first startup we do not have a token from Consul to give back to Consul as an agent token. We must create an ACL policy, then derive an ACL token from that policy ourselves, then set that token in the Consul agent configuration.

Create the agent policy file consul-agent-policy.hcl.

node_prefix "" {
  policy = "write"

Now create the Consul ACL policy using that policy file.

consul acl policy create -name consul-agent-policy -rules @consul-agent-policy.hcl

Now that the policy is registered we can generate an ACL token from it.

consul acl token create -description "Consul Agent Token" -policy-name consul-agent-policy

Similar to the bootstrap command this will output an ACL token with a SecretID. Copy that SecretID value and paste it into the agent = <secret-id> line in the Consul agent config. The tokens block will end up looking something like,

tokens {
  agent = "77a6a28a-8614-2a27-e287-169c36872ead"

Restart Consul Agent

Restart the Consul agent so that it picks up the new agent token. Consul should now be usable, so long as you generate ACL tokens for your services.

Happy hacking!

➡️ related posts in the config series ...

No follow up posts yet. Check back soon!