Demo Creating ACL Tokens

1. Review Existing Policies
Sample Output
2. Create a New Token
Expected Response
3. Automating Token Generation
Policy Overview
Links and References

In this tutorial, you’ll learn how to generate a new ACL token for the Consul agent on web-server-01, leveraging the existing eCommerce policy. We’ll cover:

Reviewing existing ACL policies
Creating a new token
Automating token generation

1. Review Existing Policies

Before assigning a token, confirm which ACL policies exist in your Consul cluster.

Attempting to list policies without a valid token will result in a permission error.

$ consul acl policy list
Failed to retrieve the policy list: Unexpected response code: 403 (Permission denied)

Supply the bootstrap token to view the policy definitions:

$ consul acl policy list \
    -token c7142d5a-9ab1-78ba-f521-189971e29c24

Sample Output

eCommerce:
  ID:          f333e9a4-dff7-05ac-75a3-98ee4087e868
  Namespace:   default
  Description: eCommerce App
  Datacenters:
global-management:
  ID:          00000000-0000-0000-0000-000000000001
  Namespace:   default
  Description: Builtin Policy that grants unlimited access
  Datacenters:

2. Create a New Token

Now generate a scoped ACL token bound to your eCommerce policy. Replace the -policy-id value with the actual Policy ID obtained above.

$ consul acl token create \
    -description "Token for web-server-01" \
    -policy-id f333e9a4-dff7-05ac-75a3-98ee4087e868 \
    -token c7142d5a-9ab1-78ba-f521-189971e29c24

Expected Response

AccessorID: 574957bd-ba25-43b6-a16b-7a7494ee7fea
SecretID:   d46811f8-21ff-f41c-9c3a-6acbe8c04905
Namespace:  default
Description: Token for web-server-01
Create Time: 2021-02-12 20:32:29.966523914 +0000 UTC
Policies:
- f333e9a4-dff7-05ac-75a3-98ee4087e868  eCommerce

The SecretID value is the actual token you will configure on web-server-01 for secure Consul access.

3. Automating Token Generation

For large-scale or production environments, manual token creation can become error-prone. Consider using HashiCorp Vault’s Consul secrets engine to dynamically issue ACL tokens:

Define roles in Vault that map to Consul policies.
Vault will automatically provision short-lived tokens.
Centralize token lifecycle management and auditing.

Dynamic token issuance reduces manual errors, enforces least privilege, and simplifies rotation.

Policy Overview

Policy Name	Policy ID	Description
eCommerce	f333e9a4-dff7-05ac-75a3-98ee4087e868	Grants permissions needed by web-server-01
global-management	00000000-0000-0000-0000-000000000001	Built-in policy with unrestricted access

Links and References

Watch Video

Practice Lab

Creating and Managing ACL Tokens

Perform a UI task using a Token

⌘I

Introduction

Explain Consul Architecture

Deploy a Single Datacenter

Register Services and Use Service Discovery

Back up and Restore

Register a Service Proxy

Secure Agent Communication

Use Gossip Encryption

Access the Consul Key Value KV

Hashi Corp Cloud Platform Consul

Secure Services with Basic AC Ls

Demo Creating ACL Tokens

1. Review Existing Policies

Sample Output

2. Create a New Token

Expected Response

3. Automating Token Generation

Policy Overview

Links and References

Watch Video

Practice Lab

Introduction

Explain Consul Architecture

Deploy a Single Datacenter

Register Services and Use Service Discovery

Back up and Restore

Register a Service Proxy

Secure Agent Communication

Use Gossip Encryption

Access the Consul Key Value KV

Hashi Corp Cloud Platform Consul

Secure Services with Basic AC Ls

​1. Review Existing Policies

​Sample Output

​2. Create a New Token

​Expected Response

​3. Automating Token Generation

​Policy Overview

​Links and References

Watch Video

Practice Lab

1. Review Existing Policies

Sample Output

2. Create a New Token

Expected Response

3. Automating Token Generation

Policy Overview

Links and References