github.com/outbrain/consul@v1.4.5/website/source/api/acl/tokens.html.md (about) 1 --- 2 layout: api 3 page_title: ACL Policies - HTTP API 4 sidebar_current: api-acl-tokens 5 description: |- 6 The /acl/token endpoints manage Consul's ACL Policies. 7 --- 8 9 -> **1.4.0+:** The APIs are available in Consul versions 1.4.0 and later. The documentation for the legacy ACL API is [here](/api/acl/legacy.html) 10 11 # ACL Token HTTP API 12 13 The `/acl/token` endpoints [create](#create-a-token), [read](#read-a-token), 14 [update](#update-a-token), [list](#list-tokens), [clone](#clone-token) and [delete](#delete-a-token) ACL policies in Consul. 15 16 For more information about ACLs, please see the [ACL Guide](/docs/guides/acl.html). 17 18 ## Create a Token 19 20 This endpoint creates a new ACL token. 21 22 | Method | Path | Produces | 23 | ------ | ---------------------------- | -------------------------- | 24 | `PUT` | `/acl/token` | `application/json` | 25 26 The table below shows this endpoint's support for 27 [blocking queries](/api/index.html#blocking-queries), 28 [consistency modes](/api/index.html#consistency-modes), 29 [agent caching](/api/index.html#agent-caching), and 30 [required ACLs](/api/index.html#acls). 31 32 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 33 | ---------------- | ----------------- | ------------- | ------------ | 34 | `NO` | `none` | `none` | `acl:write` | 35 36 ### Parameters 37 38 - `Description` `(string: "")` - Free form human readable description of the token. 39 40 - `Policies` `(array<PolicyLink>)` - The list of policies that should 41 be applied to the token. A PolicyLink is an object with an "ID" and/or "Name" field 42 to specify a policy. With the PolicyLink, tokens can be linked to policies either by the 43 policy name or by the policy ID. When policies are linked by name they will be 44 internally resolved to the policy ID. With linking tokens internally by IDs, 45 Consul enables policy renaming without breaking tokens. 46 47 - `Local` `(bool: false)` - If true, indicates that the token should not be replicated 48 globally and instead be local to the current datacenter. 49 50 ### Sample Payload 51 52 ```json 53 { 54 "Description": "Agent token for 'node1'", 55 "Policies": [ 56 { 57 "ID": "165d4317-e379-f732-ce70-86278c4558f7" 58 }, 59 { 60 "Name": "node-read" 61 } 62 ], 63 "Local": false 64 } 65 ``` 66 67 ### Sample Request 68 69 ```text 70 $ curl \ 71 --request PUT \ 72 --data @payload.json \ 73 http://127.0.0.1:8500/v1/acl/token 74 ``` 75 76 ### Sample Response 77 78 ```json 79 { 80 "AccessorID": "6a1253d2-1785-24fd-91c2-f8e78c745511", 81 "SecretID": "45a3bd52-07c7-47a4-52fd-0745e0cfe967", 82 "Description": "Agent token for 'node1'", 83 "Policies": [ 84 { 85 "ID": "165d4317-e379-f732-ce70-86278c4558f7", 86 "Name": "node1-write" 87 }, 88 { 89 "ID": "e359bd81-baca-903e-7e64-1ccd9fdc78f5", 90 "Name": "node-read" 91 } 92 ], 93 "Local": false, 94 "CreateTime": "2018-10-24T12:25:06.921933-04:00", 95 "Hash": "UuiRkOQPRCvoRZHRtUxxbrmwZ5crYrOdZ0Z1FTFbTbA=", 96 "CreateIndex": 59, 97 "ModifyIndex": 59 98 } 99 ``` 100 101 102 ## Read a Token 103 104 This endpoint reads an ACL token with the given Accessor ID. 105 106 | Method | Path | Produces | 107 | ------ | ---------------------------- | -------------------------- | 108 | `GET` | `/acl/token/:AccessorID` | `application/json` | 109 110 The table below shows this endpoint's support for 111 [blocking queries](/api/index.html#blocking-queries), 112 [consistency modes](/api/index.html#consistency-modes), 113 [agent caching](/api/index.html#agent-caching), and 114 [required ACLs](/api/index.html#acls). 115 116 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 117 | ---------------- | ----------------- | ------------- | ------------ | 118 | `YES` | `all` | `none` | `acl:read` | 119 120 ### Parameters 121 122 - `AccessorID` `(string: <required>)` - Specifies the accessor ID of the ACL token to 123 read. This is required and is specified as part of the URL path. 124 125 ### Sample Request 126 127 ```text 128 $ curl -X GET http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511 129 ``` 130 131 ### Sample Response 132 133 -> **Note** If the token used for accessing the API has `acl:write` permissions, 134 then the `SecretID` will contain the tokens real value. Only when accessed with 135 a token with only `acl:read` permissions will the `SecretID` be redacted. This 136 is to prevent privilege escalation whereby having `acl:read` privileges allows 137 for reading other secrets which given even more permissions. 138 139 ```json 140 { 141 "AccessorID": "6a1253d2-1785-24fd-91c2-f8e78c745511", 142 "SecretID": "<hidden>", 143 "Description": "Agent token for 'node1'", 144 "Policies": [ 145 { 146 "ID": "165d4317-e379-f732-ce70-86278c4558f7", 147 "Name": "node1-write" 148 }, 149 { 150 "ID": "e359bd81-baca-903e-7e64-1ccd9fdc78f5", 151 "Name": "node-read" 152 } 153 ], 154 "Local": false, 155 "CreateTime": "2018-10-24T12:25:06.921933-04:00", 156 "Hash": "UuiRkOQPRCvoRZHRtUxxbrmwZ5crYrOdZ0Z1FTFbTbA=", 157 "CreateIndex": 59, 158 "ModifyIndex": 59 159 } 160 ``` 161 162 ## Read Self Token 163 164 This endpoint returns the ACL token details that matches the secret ID 165 specified with the `X-Consul-Token` header or the `token` query parameter. 166 167 | Method | Path | Produces | 168 | ------ | ---------------------------- | -------------------------- | 169 | `GET` | `/acl/token/self` | `application/json` | 170 171 The table below shows this endpoint's support for 172 [blocking queries](/api/index.html#blocking-queries), 173 [consistency modes](/api/index.html#consistency-modes), 174 [agent caching](/api/index.html#agent-caching), and 175 [required ACLs](/api/index.html#acls). 176 177 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 178 | ---------------- | ----------------- | ------------- | ------------ | 179 | `YES` | `all` | `none` | `none` | 180 181 -> **Note** - This endpoint requires no specific privileges as it is just 182 retrieving the data for a token that you must already possess its secret. 183 184 ### Sample Request 185 186 ```text 187 $ curl -H "X-Consul-Token: 6a1253d2-1785-24fd-91c2-f8e78c745511" \ 188 http://127.0.0.1:8500/v1/acl/token/self 189 ``` 190 191 ### Sample Response 192 193 ```json 194 { 195 "AccessorID": "6a1253d2-1785-24fd-91c2-f8e78c745511", 196 "SecretID": "45a3bd52-07c7-47a4-52fd-0745e0cfe967", 197 "Description": "Agent token for 'node1'", 198 "Policies": [ 199 { 200 "ID": "165d4317-e379-f732-ce70-86278c4558f7", 201 "Name": "node1-write" 202 }, 203 { 204 "ID": "e359bd81-baca-903e-7e64-1ccd9fdc78f5", 205 "Name": "node-read" 206 } 207 ], 208 "Local": false, 209 "CreateTime": "2018-10-24T12:25:06.921933-04:00", 210 "Hash": "UuiRkOQPRCvoRZHRtUxxbrmwZ5crYrOdZ0Z1FTFbTbA=", 211 "CreateIndex": 59, 212 "ModifyIndex": 59 213 } 214 ``` 215 216 217 ## Update a Token 218 219 This endpoint updates an existing ACL token. 220 221 | Method | Path | Produces | 222 | ------ | ---------------------------- | -------------------------- | 223 | `PUT` | `/acl/token/:AccessorID` | `application/json` | 224 225 The table below shows this endpoint's support for 226 [blocking queries](/api/index.html#blocking-queries), 227 [consistency modes](/api/index.html#consistency-modes), 228 [agent caching](/api/index.html#agent-caching), and 229 [required ACLs](/api/index.html#acls). 230 231 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 232 | ---------------- | ----------------- | ------------- | ------------ | 233 | `NO` | `none` | `none` | `acl:write` | 234 235 ### Parameters 236 237 - `AccessorID` `(string: "")` - Specifies the accessor ID of the token being updated. This is 238 required in the URL path but may also be specified in the JSON body. If specified 239 in both places then they must match exactly. This field is immutable. If not present in 240 the body and only in the URL then it will be filled in by Consul. 241 242 - `SecretID` `(string: "")` - Specifies the secret ID of the token being updated. This field is 243 immutable so if present in the body then it must match the existing value. If not present 244 then the value will be filled in by Consul. 245 246 - `Description` `(string: "")` - Free form human readable description of this token. 247 248 - `Policies` `(array<PolicyLink>)` - This is the list of policies that should 249 be applied to this token. A PolicyLink is an object with an "ID" and/or "Name" field 250 to specify a policy. With this tokens can be linked to policies either by the 251 policy name or by the policy ID. When policies are linked by name they will 252 internally be resolved to the policy ID. With linking tokens internally by IDs, 253 Consul enables policy renaming without breaking tokens. 254 255 - `Local` `(bool: false)` - If true, indicates that this token should not be replicated 256 globally and instead be local to the current datacenter. This value must match the 257 existing value or the request will return an error. 258 259 ### Sample Payload 260 261 ```json 262 { 263 "Description": "Agent token for 'node1'", 264 "Policies": [ 265 { 266 "ID": "165d4317-e379-f732-ce70-86278c4558f7" 267 }, 268 { 269 "Name": "node-read" 270 }, 271 { 272 "Name": "service-read" 273 } 274 ], 275 "Local": false 276 } 277 ``` 278 279 ### Sample Request 280 281 ```text 282 $ curl \ 283 --request PUT \ 284 --data @payload.json \ 285 http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511 286 ``` 287 288 ### Sample Response 289 290 ```json 291 { 292 "AccessorID": "6a1253d2-1785-24fd-91c2-f8e78c745511", 293 "SecretID": "45a3bd52-07c7-47a4-52fd-0745e0cfe967", 294 "Description": "Agent token for 'node1'", 295 "Policies": [ 296 { 297 "ID": "165d4317-e379-f732-ce70-86278c4558f7", 298 "Name": "node1-write" 299 }, 300 { 301 "ID": "e359bd81-baca-903e-7e64-1ccd9fdc78f5", 302 "Name": "node-read" 303 }, 304 { 305 "ID": "93d2226b-2046-4db1-993b-c0581b5d2391", 306 "Name": "service-read" 307 } 308 ], 309 "Local": false, 310 "CreateTime": "2018-10-24T12:25:06.921933-04:00", 311 "Hash": "UuiRkOQPRCvoRZHRtUxxbrmwZ5crYrOdZ0Z1FTFbTbA=", 312 "CreateIndex": 59, 313 "ModifyIndex": 100 314 } 315 ``` 316 317 ## Clone a Token 318 319 This endpoint clones an existing ACL token. 320 321 | Method | Path | Produces | 322 | ------ | ------------------------------ | -------------------------- | 323 | `PUT` | `/acl/token/:AccessorID/clone` | `application/json` | 324 325 The table below shows this endpoint's support for 326 [blocking queries](/api/index.html#blocking-queries), 327 [consistency modes](/api/index.html#consistency-modes), 328 [agent caching](/api/index.html#agent-caching), and 329 [required ACLs](/api/index.html#acls). 330 331 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 332 | ---------------- | ----------------- | ------------- | ------------ | 333 | `NO` | `none` | `none` | `acl:write` | 334 335 ### Parameters 336 337 - `AccessorID` `(string: <required>)` - The accessor ID of the token to clone. This is required 338 in the URL path 339 340 - `Description` `(string: "")` - Free form human readable description for the cloned token. 341 342 ### Sample Payload 343 344 ```json 345 { 346 "Description": "Clone of Agent token for 'node1'", 347 } 348 ``` 349 350 ### Sample Request 351 352 ```text 353 $ curl \ 354 --request PUT \ 355 --data @payload.json \ 356 http://127.0.0.1:8500/v1/acl/token/6a1253d2-1785-24fd-91c2-f8e78c745511/clone 357 ``` 358 359 ### Sample Response 360 361 ```json 362 { 363 "AccessorID": "773efe2a-1f6f-451f-878c-71be10712bae", 364 "SecretID": "8b1247ef-d172-4f99-b050-4dbe5d3df0cb", 365 "Description": "Clone of Agent token for 'node1'", 366 "Policies": [ 367 { 368 "ID": "165d4317-e379-f732-ce70-86278c4558f7", 369 "Name": "node1-write" 370 }, 371 { 372 "ID": "e359bd81-baca-903e-7e64-1ccd9fdc78f5", 373 "Name": "node-read" 374 }, 375 { 376 "ID": "93d2226b-2046-4db1-993b-c0581b5d2391", 377 "Name": "service-read" 378 } 379 ], 380 "Local": false, 381 "CreateTime": "2018-10-24T12:25:06.921933-04:00", 382 "Hash": "UuiRkOQPRCvoRZHRtUxxbrmwZ5crYrOdZ0Z1FTFbTbA=", 383 "CreateIndex": 128, 384 "ModifyIndex": 128 385 } 386 ``` 387 388 ## Delete a Token 389 390 This endpoint deletes an ACL token. 391 392 | Method | Path | Produces | 393 | -------- | ------------------------- | -------------------------- | 394 | `DELETE` | `/acl/token/:AccessorID` | `application/json` | 395 396 Even though the return type is application/json, the value is either true or 397 false, indicating whether the delete succeeded. 398 399 The table below shows this endpoint's support for 400 [blocking queries](/api/index.html#blocking-queries), 401 [consistency modes](/api/index.html#consistency-modes), 402 [agent caching](/api/index.html#agent-caching), and 403 [required ACLs](/api/index.html#acls). 404 405 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 406 | ---------------- | ----------------- | ------------- | ------------ | 407 | `NO` | `none` | `none` | `acl:write` | 408 409 ### Parameters 410 411 - `AccessorID` `(string: <required>)` - Specifies the accessor ID of the ACL policy to 412 delete. This is required and is specified as part of the URL path. 413 414 ### Sample Request 415 416 ```text 417 $ curl -XDELETE 418 http://127.0.0.1:8500/v1/acl/token/8f246b77-f3e1-ff88-5b48-8ec93abf3e05 419 ``` 420 421 ### Sample Response 422 ```json 423 true 424 ``` 425 426 ## List Tokens 427 428 This endpoint lists all the ACL tokens. 429 430 | Method | Path | Produces | 431 | ------ | ---------------------------- | -------------------------- | 432 | `GET` | `/acl/tokens` | `application/json` | 433 434 The table below shows this endpoint's support for 435 [blocking queries](/api/index.html#blocking-queries), 436 [consistency modes](/api/index.html#consistency-modes), 437 [agent caching](/api/index.html#agent-caching), and 438 [required ACLs](/api/index.html#acls). 439 440 | Blocking Queries | Consistency Modes | Agent Caching | ACL Required | 441 | ---------------- | ----------------- | ------------- | ------------ | 442 | `YES` | `all` | `none` | `acl:read` | 443 444 ## Parameters 445 446 - `policy` `(string: "")` - Filters the token list to those tokens that 447 are linked with the specific policy ID. 448 449 ## Sample Request 450 451 ```text 452 $ curl -X GET http://127.0.0.1:8500/v1/acl/tokens 453 ``` 454 455 ### Sample Response 456 457 -> **Note** - The token secret IDs are not included in the listing and must be 458 retrieved by the [token reading endpoint](#read-a-token) 459 460 ```json 461 [ 462 { 463 "AccessorID": "6a1253d2-1785-24fd-91c2-f8e78c745511", 464 "Description": "Agent token for 'my-agent'", 465 "Policies": [ 466 { 467 "ID": "165d4317-e379-f732-ce70-86278c4558f7", 468 "Name": "node1-write" 469 }, 470 { 471 "ID": "e359bd81-baca-903e-7e64-1ccd9fdc78f5", 472 "Name": "node-read" 473 } 474 ], 475 "Local": false, 476 "CreateTime": "2018-10-24T12:25:06.921933-04:00", 477 "Hash": "UuiRkOQPRCvoRZHRtUxxbrmwZ5crYrOdZ0Z1FTFbTbA=", 478 "CreateIndex": 59, 479 "ModifyIndex": 59 480 }, 481 { 482 "AccessorID": "00000000-0000-0000-0000-000000000002", 483 "Description": "Anonymous Token", 484 "Policies": null, 485 "Local": false, 486 "CreateTime": "0001-01-01T00:00:00Z", 487 "Hash": "RNVFSWnfd5DUOuB8vplp+imivlIna3fKQVnkUHh21cA=", 488 "CreateIndex": 5, 489 "ModifyIndex": 5 490 }, 491 { 492 "AccessorID": "3328f9a6-433c-02d0-6649-7d07268dfec7", 493 "Description": "Bootstrap Token (Global Management)", 494 "Policies": [ 495 { 496 "ID": "00000000-0000-0000-0000-000000000001", 497 "Name": "global-management" 498 } 499 ], 500 "Local": false, 501 "CreateTime": "2018-10-24T11:42:02.6427-04:00", 502 "Hash": "oyrov6+GFLjo/KZAfqgxF/X4J/3LX0435DOBy9V22I0=", 503 "CreateIndex": 12, 504 "ModifyIndex": 12 505 } 506 ] 507 ```