github
/
consul
mirror of https://github.com/hashicorp/consul
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fixup - address PR comments

pull/15497/head
Jared Kirschner 2022-12-08 15:46:38 -08:00
parent e18020b2ef
commit 55dfb98e5f
2 changed files with 11 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
website/content/commands/acl/token/create.mdx
View File

@ -76,10 +76,12 @@ Usage: `consul acl token create [options] [args]`
## Examples
The following examples describe the creation of ACL tokens for common scenarios.
The following examples describe how to create ACL tokens for common scenarios.
### Create a token with policy by name
The following example creates a token that includes a policy by its name.
```shell-session
$ consul acl token create -description "Read Nodes and Services" -policy-name node-services-read
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d
@ -110,7 +112,10 @@ Service Identities:
my-api (Datacenters: all)
```
### Create a short-lived and highly privileged token
### Create a temporary and highly-privileged token
The following example creates a token with a lifetime of 15 minutes that
includes the built-in [`global-management` policy](/consul/docs/security/acl/acl-policies#global-management).
```shell-session
$ consul acl token create -description "Temp Super User" -policy-name global-management -expires-ttl '15m'
@ -126,6 +131,9 @@ Policies:
### Create a local token with policy by ID
The following example creates a token that is only valid in this datacenter
and includes a policy by its UUID.
```shell-session
$ consul acl token create -description "Read Nodes and Services" -policy-id 06acc965 -local
AccessorID: 986193b5-e2b5-eb26-6264-b524ea60cc6d

4
website/content/commands/connect/envoy.mdx
View File

@ -235,9 +235,7 @@ agent is using all-default configuration.
In secure deployments, Consul's ACL system is enabled with a default `deny` policy.
To access Consul API resources, an API request must present a Consul ACL token
with the necessary privileges. A sidecar proxy must be provided with an ACL token
with privileges to register itself and the service it fronts,
and to access all potential upstreams of that service.
with the necessary privileges. If ACLs are enabled, you must provide an ACL token to the sidecar proxy. The token must grant the proxy privileges to register itself and the service it fronts and to access all potential upstreams of that service.
We recommend [using a service identity](/consul/commands/acl/token/create#create-a-token-for-a-service)
to directly create a token with the privileges necessary for a service and its sidecar proxy,
rather than creating a unique ACL policy for every service.