Skip to main content
This guide shows how to manage operations in the Consul UI when ACLs are enabled with a default deny-all policy. With ACL enforcement active, read-only views remain accessible, but any change—such as modifying services, nodes, or KV pairs—requires a valid ACL token.
Ensure you have the correct ACL token (Secret ID) before continuing. Without it, all management actions in the UI will be blocked.

Prerequisites

  • A running Consul cluster or single server with ACL enforcement enabled
  • Your ACL bootstrap token or another token with sufficient privileges
  • Access to the Consul UI (node IP, load balancer, or localhost)

Authenticating in the UI

  1. Open the Consul UI and click the ACL tab (highlighted in yellow).
  2. Paste your ACL Secret ID into the token field.
  3. Click Save.
After successful authentication, two sub-tabs appear under Access Controls:
Sub-TabPurpose
TokensView default tokens (bootstrap, anonymous) and create new tokens bound to policies.
PoliciesDefine, edit, or delete ACL policies. Then return to Tokens to issue tokens using those policies.

Managing Tokens and Policies

The image is a tutorial on performing a UI task using a token, showing steps to enter a valid token in the Access Controls section and manage tokens and policies. It includes labeled screenshots of a user interface with instructions.
  1. Tokens
    • Click Create Token to issue a new token and bind it to one or more policies.
    • Provide a name and select the policies that define its permissions.
  2. Policies
    • Click Create Policy to open the policy editor.
    • Define rules using HCL syntax.
    • Save the policy, then switch back to Tokens to issue tokens using your new policy.

Next Steps

  • Explore the Services, Nodes, and KV tabs to verify your permissions.
  • Automate workflows by using your token with the Consul CLI or API.
For complete ACL configuration and best practices, see the Consul ACL documentation.

Watch Video