consul/website/content/commands/intention/match.mdx

---
layout: commands
page_title: 'Commands: Intention Match'
description: >-
  The `consul intention match` command returns inbound and outbound service intentions for a specific service.
---

# Consul Intention Match

Command: `consul intention match`

Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/match](/consul/api-docs/connect/intentions#list-matching-intentions)

The `intention match` command shows the list of intentions that match
a given source or destination. The list of intentions is listed in evaluation
order: the first intention that matches a request would be evaluated.

The [check](/consul/commands/intention/check) command can be used to
check whether an L4 connection would be authorized between any two services.

The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of
[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.

| ACL Required                  |
| ----------------------------- |
| `intentions:read`<p> Define intention rules in the `service` policy. Refer to [ACL requirements for intentions](/consul/docs/connect/intentions/create-manage-intentions#acl-requirements) for additional information.</p> |

## Usage

Usage: `consul intention match [options] SRC_OR_DST`

`SRC` and `DST` can both take [several forms](/consul/commands/intention#source-and-destination-naming).

#### Command Options

- `-destination` - Match by destination.

- `-source` - Match by source.

#### Enterprise Options

@include 'http_api_partition_options.mdx'

@include 'http_api_namespace_options.mdx'

#### API Options

@include 'http_api_options_client.mdx'

## Examples

```shell-session
$ consul intention match -source web
web => db (deny)
web => api (2 permissions)
web => * (allow)
```
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`
docs: update structure (#8506) - moved and renamed files/folders based on new structure - updated docs navigation based on new structure - moved CLI to top nav (created commands.jsx and commands-navigation.js) - updated and added redirects - updating to be consistent with standalone categories - changing "overview" link in top nav to lead to where intro was moved (docs/intro) - adding redirects for intro content - deleting old intro folders - format all data/navigation files - deleting old commands folder - reverting changes to glossary page - adjust intro navigation for removal of 'vs' paths - add helm page redirect - fix more redirects - add a missing redirect - fix broken anchor links and formatting mistakes - deleted duplicate section, added redirect, changed link - removed duplicate glossary page 2020-09-01 15:14:13 +00:00			`layout: commands`
intro and api navigation converted 2020-04-07 18:55:19 +00:00			`page_title: 'Commands: Intention Match'`
docs: CLI page descriptions for automated checker (#16056) * ACL * ACL * Catalog * consul config * consul connect * top-level updates * consul intention * consul kv * consul namespace * consul peering * consul peering delete * consul services * consul snapshot * consul tls * consul acl auth-method * acl binding-rule * acl policy * acl role * acl token * fix * standardization * Update website/content/commands/snapshot/save.mdx Co-authored-by: Bryce Kalow <bkalow@hashicorp.com> * consul debug consul keyring Co-authored-by: Bryce Kalow <bkalow@hashicorp.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> 2023-01-26 18:42:13 +00:00			`description: >-`
			The `consul intention match` command returns inbound and outbound service intentions for a specific service.
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`

			`# Consul Intention Match`

			Command: `consul intention match`

docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			`Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/match](/consul/api-docs/connect/intentions#list-matching-intentions)`
Added Corresponding HTTP API Endpoints for every CLI command 2022-01-10 17:40:11 +00:00
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			The `intention match` command shows the list of intentions that match
			`a given source or destination. The list of intentions is listed in evaluation`
			`order: the first intention that matches a request would be evaluated.`

docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			`The [check](/consul/commands/intention/check) command can be used to`
docs: all intention documentation updates (#8869) 2020-10-14 15:23:05 +00:00			`check whether an L4 connection would be authorized between any two services.`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			`The table below shows this command's [required ACLs](/consul/api-docs/api-structure#authentication). Configuration of`
			`[blocking queries](/consul/api-docs/features/blocking) and [agent caching](/consul/api-docs/features/caching)`
Added ACL requirements for CLI commands 2022-01-10 21:44:56 +00:00			`are not supported from commands, but may be from the corresponding HTTP endpoint.`

Added some missing ACL info, updated details around some permissions, added missing HTTP API refs 2022-01-11 14:41:54 +00:00			`\| ACL Required \|`
			`\| ----------------------------- \|`
Backport of Docs/intentions refactor docs day 2022 into release/1.15.x (#16775) * backport of commit 945c13236db5b8d746116ace4468bc66e7a04af2 * backport of commit 4034c6f753a5023fdaacd28b67f86ffb52dc1206 * backport of commit 8c06a1883e2023a3e68ec10e2edd83b684acc9c0 * backport of commit 35757aa1f602018379dbc5fbf1e4c5ccfbce0624 * backport of commit 1204b419ac7d4a46d6ac4cad976d6992c46d3121 * Docs/intentions refactor docs day 2022 (#16758) * converted intentions conf entry to ref CT format * set up intentions nav * add page for intentions usage * final intentions usage page * final intentions overview page * fixed old relative links * updated diagram for overview * updated links to intentions content * fixed typo in updated links * rename intentions overview page file to index * rollback link updates to intentions overview * fixed nav * Updated custom HTML in API and CLI pages to MD * applied suggestions from review to index page * moved conf examples from usage to conf ref * missed custom HTML section * applied additional feedback * Apply suggestions from code review Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> * updated headings in usage page * renamed files and udpated nav * updated links to new file names * added redirects and final tweaks * typo --------- Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> * remove old files --------- Co-authored-by: trujillo-adam <ajosetru@gmail.com> Co-authored-by: trujillo-adam <47586768+trujillo-adam@users.noreply.github.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> 2023-03-24 23:15:54 +00:00			\| `intentions:read`<p> Define intention rules in the `service` policy. Refer to [ACL requirements for intentions](/consul/docs/connect/intentions/create-manage-intentions#acl-requirements) for additional information.</p> \|
Added ACL requirements for CLI commands 2022-01-10 21:44:56 +00:00
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`## Usage`

			Usage: `consul intention match [options] SRC_OR_DST`

docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			`SRC` and `DST` can both take [several forms](/consul/commands/intention#source-and-destination-naming).
connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) Highlights: - add new endpoint to query for intentions by exact match - using this endpoint from the CLI instead of the dump+filter approach - enforcing that OSS can only read/write intentions with a SourceNS or DestinationNS field of "default". - preexisting OSS intentions with now-invalid namespace fields will delete those intentions on initial election or for wildcard namespaces an attempt will be made to downgrade them to "default" unless one exists. - also allow the '-namespace' CLI arg on all of the intention subcommands - update lots of docs 2020-06-26 21:59:15 +00:00
docs: show CLI cmd-specific opts before general opts Applied to all remaining CLI commands. 2022-07-27 06:17:11 +00:00			`#### Command Options`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
docs: show CLI cmd-specific opts before general opts Applied to all remaining CLI commands. 2022-07-27 06:17:11 +00:00			- `-destination` - Match by destination.
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
docs: show CLI cmd-specific opts before general opts Applied to all remaining CLI commands. 2022-07-27 06:17:11 +00:00			- `-source` - Match by source.
connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) Highlights: - add new endpoint to query for intentions by exact match - using this endpoint from the CLI instead of the dump+filter approach - enforcing that OSS can only read/write intentions with a SourceNS or DestinationNS field of "default". - preexisting OSS intentions with now-invalid namespace fields will delete those intentions on initial election or for wildcard namespaces an attempt will be made to downgrade them to "default" unless one exists. - also allow the '-namespace' CLI arg on all of the intention subcommands - update lots of docs 2020-06-26 21:59:15 +00:00
docs: show CLI cmd-specific opts before general opts Applied to all remaining CLI commands. 2022-07-27 06:17:11 +00:00			`#### Enterprise Options`
connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) Highlights: - add new endpoint to query for intentions by exact match - using this endpoint from the CLI instead of the dump+filter approach - enforcing that OSS can only read/write intentions with a SourceNS or DestinationNS field of "default". - preexisting OSS intentions with now-invalid namespace fields will delete those intentions on initial election or for wildcard namespaces an attempt will be made to downgrade them to "default" unless one exists. - also allow the '-namespace' CLI arg on all of the intention subcommands - update lots of docs 2020-06-26 21:59:15 +00:00
Website fixups for admin partitions (#11842) * Website fixups for admin partitions Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2021-12-15 01:55:21 +00:00			`@include 'http_api_partition_options.mdx'`

docs: show CLI cmd-specific opts before general opts Applied to all remaining CLI commands. 2022-07-27 06:17:11 +00:00			`@include 'http_api_namespace_options.mdx'`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
docs: show CLI cmd-specific opts before general opts Applied to all remaining CLI commands. 2022-07-27 06:17:11 +00:00			`#### API Options`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
docs: show CLI cmd-specific opts before general opts Applied to all remaining CLI commands. 2022-07-27 06:17:11 +00:00			`@include 'http_api_options_client.mdx'`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
			`## Examples`

update dependencies 2020-05-19 18:32:38 +00:00			```shell-session
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`$ consul intention match -source web`
			`web => db (deny)`
docs: all intention documentation updates (#8869) 2020-10-14 15:23:05 +00:00			`web => api (2 permissions)`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`web => * (allow)`
			```