using consul acl with golang

June 17, 2016    general blog

It is always a good idea to think about security. It is no exception when we are using Consul for service discovery. Consul provides an optional Access Control List ACL system which can be used to control access to data and APIs. An access control list (ACL) is a list of permissions attached to an object.

Consul ACL is Capability-based. If you are familiar with AWS IAM, it will look similar to AWS IAM.

To enable consul with ACL, add this to server configuration.

  "acl_datacenter": "<datacenter name>",
  "acl_master_token": "<token>",
  "acl_default_policy": "deny",
  "acl_down_policy": "deny"

Consul with this configuration will ‘deny’ by default and we can allow read/write accesses per client.

We can list the ACL’s with this curl command:

curl "http://localhost:8500/v1/acl/list?token=token&pretty=true"

Note: Consul is running on port 8500 at localhost.

If we want to get a value from key/value store. We can use a curl like:

curl "http://localhost:8500/v1/kv/timeout?token=token"

Note: timeout is a key in Consul key/value store.

If you are using golang, Consul provides an api. With official Consul api, accessing a service or key/value store while ACL enabled is just adding token to QueryOption

options := &consulapi.QueryOption{
	Token: token,

pairs, meta, err := consulapi.Get("timeout", coptions)
if err != nil {
	return nil, nil, err

More information about Consul ACL.