Skip to content

Consul ACL Token

Service Name: HashiCorp Consul

Service Description: HashiCorp Consul is a service networking solution that enables teams to manage secure network connectivity between services and across environments. It provides service discovery, health checking, and a distributed key-value store.

Service Address: https://www.consul.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the service level using Consul's ACL system and network segmentation policies.

Secret Access Scope: Grants access to Consul resources based on the token's associated policies. Tokens can have different levels of access from read-only to full management capabilities.

Secret Revokement URL: https://developer.hashicorp.com/consul/commands/acl/token/delete

Secret Example: e95a1e4b-251c-4852-ad41-f46b2d9fcd38

Suspicious Activity Investigation Instructions:

  • Review Consul audit logs for unusual API calls or resource access patterns
  • Check for unauthorized service registrations or deregistrations
  • Monitor for unexpected changes to key-value store entries
  • Look for policy modifications or new token creations
  • Examine network traffic patterns to identify unusual access to Consul endpoints

Mitigation Instructions:

  • Immediately revoke the compromised token using the Consul CLI: consul acl token delete -id <token_id>

  • Alternatively, use the Consul API or UI to delete the token

  • Create a new token with appropriate policies if needed
  • Review and update ACL policies to ensure the Principle of Least Privilege
  • Enable audit logging if not already enabled to track future token usage
  • Consider implementing shorter token TTLs (Time-To-Live) for sensitive tokens
  • Rotate all management tokens as a precaution
  • Update any applications or services that were using the compromised token