steampipe plugin install consul

Table: consul_acl_token - Query Consul ACL Tokens using SQL

Consul ACL Tokens are a security feature in HashiCorp Consul that provides a flexible way to control access to data and APIs. The ACL system is a Capability-based system that relies on tokens which can have fine-grained rules and policies. ACL Tokens allow you to restrict which data and APIs a client can access, ensuring secure and controlled access within your Consul environment.

Table Usage Guide

The consul_acl_token table provides insights into ACL Tokens within HashiCorp Consul. As a security engineer, explore token-specific details through this table, including permissions, policies, and associated metadata. Utilize it to uncover information about ACL Tokens, such as those with unrestricted permissions, the policies associated with each token, and the verification of access rules.

Important Notes

  • You need to specify the token parameter in the consul.spc file to be able to query this table.

Examples

Basic info

Explore which accessors have been authorized, when they were created, and their expiration timeline. This can help you manage access control and understand potential security risks in your system.

select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl,
namespace,
partition
from
consul_acl_token;
select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl,
namespace,
partition
from
consul_acl_token;

List local tokens

Explore which access control list (ACL) tokens are locally stored within the Consul service. This is useful for managing security and access controls, particularly in understanding which tokens might expire soon.

select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl
from
consul_acl_token
where
local;
select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl
from
consul_acl_token
where
local = 1;

List tokens which will never expire

Identify instances where certain access tokens are set to never expire. This can be useful in managing security and access control, as perpetual tokens may pose a potential risk.

select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl
from
consul_acl_token
where
expiration_time is null;
select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl
from
consul_acl_token
where
expiration_time is null;

List tokens which are not associated with any role

Discover the segments that consist of tokens not linked to any role, which can be useful to identify potential security risks or unused resources. This information can aid in streamlining your system's security and efficiency.

select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl
from
consul_acl_token
where
roles is null;
select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl
from
consul_acl_token
where
roles is null;

List tokens which are not associated with any auth method

Determine the areas in which tokens are not associated with any authentication methods. This can be beneficial in identifying potential security vulnerabilities or gaps in your system's access control.

select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl
from
consul_acl_token
where
auth_method = '';
select
accessor_id,
secret_id,
auth_method,
local,
create_time,
expiration_ttl
from
consul_acl_token
where
auth_method = '';

Schema for consul_acl_token

NameTypeOperatorsDescription
_ctxjsonbSteampipe context in JSON form.
accessor_idtext=The accessor ID of the acl token.
address_urltextThe address URL.
auth_methodtextThe auth method of the acl token.
auth_method_namespacetextThe auth method namespace of the acl token.
create_indexbigint=Create index of the acl token.
create_timetimestamp with time zoneThe creation time of the acl token.
descriptiontextThe description of the acl token.
expiration_timetimestamp with time zoneThe expiration time of the acl token.
expiration_ttltextThe maximum life of the acl token.
hashjsonbThe acl token hash.
localbooleanCheck whether the token is local or not.
modify_indexbigintModify index of the acl token.
namespacetext=The namespace of the acl token.
node_identitiesjsonbNode identities attached to the acl token.
partitiontextThe partition of the acl token.
policiesjsonbPolicies attached to the acl token.
rolesjsonbRoles attached to the acl token.
secret_idtextThe secret ID of the acl token.
service_identitiesjsonbService identities attached to the acl token.
sp_connection_nametext=, !=, ~~, ~~*, !~~, !~~*Steampipe connection name.
sp_ctxjsonbSteampipe context in JSON form.
titletextThe title of the acl token.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- consul

You can pass the configuration to the command with the --config argument:

steampipe_export_consul --config '<your_config>' consul_acl_token