Table: consul_acl_token - Query Consul ACL Tokens using SQL
Consul ACL Tokens are a security feature in HashiCorp Consul that provides a flexible way to control access to data and APIs. The ACL system is a capability-based system that relies on tokens, which can carry fine-grained rules and policies. ACL Tokens let you restrict which data and APIs a client can access, ensuring secure and controlled access within your Consul environment.
Table Usage Guide
The consul_acl_token table provides insights into ACL Tokens within HashiCorp Consul. As a security engineer, explore token-specific details through this table, including permissions, policies, and associated metadata. Use it to uncover information about ACL Tokens, such as those with unrestricted permissions, the policies associated with each token, and the verification of access rules.
Important Notes
- You need to specify the token parameter in the consul.spc file to be able to query this table.
Examples
Basic info
Explore which accessors have been authorized, when they were created, and their expiration timeline. This can help you manage access control and understand potential security risks in your system.
select accessor_id, secret_id, auth_method, local, create_time, expiration_ttl, namespace, partition
from consul_acl_token;
List local tokens
Explore which access control list (ACL) tokens are local to the current Consul datacenter rather than replicated to other datacenters. This is useful for managing security and access controls, including understanding which of these tokens might expire soon.
PostgreSQL:
select accessor_id, secret_id, auth_method, local, create_time, expiration_ttl
from consul_acl_token
where local;
SQLite:
select accessor_id, secret_id, auth_method, local, create_time, expiration_ttl
from consul_acl_token
where local = 1;
List tokens which will never expire
Identify tokens that are set to never expire. This is useful for managing security and access control, as perpetual tokens remain valid until explicitly deleted and may pose a risk.
select accessor_id, secret_id, auth_method, local, create_time, expiration_ttl
from consul_acl_token
where expiration_time is null;
List tokens which are not associated with any role
List tokens that are not linked to any role. This helps identify potential security risks or unused resources and can streamline your system's security and efficiency.
select accessor_id, secret_id, auth_method, local, create_time, expiration_ttl
from consul_acl_token
where roles is null;
List tokens which are not associated with any auth method
List tokens that are not associated with any authentication method, i.e. tokens that were created directly rather than issued through an auth method login. This helps identify potential security vulnerabilities or gaps in your system's access control.
select accessor_id, secret_id, auth_method, local, create_time, expiration_ttl
from consul_acl_token
where auth_method = '';
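An audit query that combines the never-expire, no-role and unrestricted-permission checks above into one ranked listing. It is an added example, not part of the plugin documentation; it assumes the PostgreSQL flavour of Steampipe, that the jsonb columns hold arrays of objects with a Name key as the Consul API returns them, and that the built-in unrestricted policy is named global-management.

```sql
-- Added audit example: rank ACL tokens that deserve review because they
-- never expire, carry the built-in unrestricted "global-management" policy,
-- or grant nothing at all (no policies, roles or identities).
-- Assumes PostgreSQL jsonb operators and Consul API array shapes.
-- secret_id is deliberately not selected, so the result can be shared.
with token_risk as (
  select
    accessor_id,
    description,
    auth_method,
    local,
    create_time,
    (expiration_time is null) as never_expires,
    -- true when any attached policy is the unrestricted built-in policy;
    -- the CASE guards against NULL or non-array values in the column
    exists (
      select 1
      from jsonb_array_elements(
        case when jsonb_typeof(policies) = 'array' then policies else '[]'::jsonb end
      ) as p
      where p ->> 'Name' = 'global-management'
    ) as has_global_management,
    -- true when the token has no policies, roles or identities attached
    (
      (case when jsonb_typeof(policies) = 'array' then jsonb_array_length(policies) else 0 end)
      + (case when jsonb_typeof(roles) = 'array' then jsonb_array_length(roles) else 0 end)
      + (case when jsonb_typeof(service_identities) = 'array' then jsonb_array_length(service_identities) else 0 end)
      + (case when jsonb_typeof(node_identities) = 'array' then jsonb_array_length(node_identities) else 0 end)
    ) = 0 as has_no_grants
  from consul_acl_token
)
select
  accessor_id,
  description,
  auth_method,
  local,
  create_time,
  has_global_management,
  never_expires,
  has_no_grants,
  -- simple additive score so the riskiest tokens sort first
  (has_global_management::int * 3) + never_expires::int + has_no_grants::int as risk_score
from token_risk
where has_global_management or never_expires or has_no_grants
order by risk_score desc, create_time;
```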
Schema for consul_acl_token
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
accessor_id | text | = | The accessor ID of the ACL token. |
address_url | text | | The address URL. |
auth_method | text | | The auth method of the ACL token. |
auth_method_namespace | text | | The auth method namespace of the ACL token. |
create_index | bigint | = | Create index of the ACL token. |
create_time | timestamp with time zone | | The creation time of the ACL token. |
description | text | | The description of the ACL token. |
expiration_time | timestamp with time zone | | The expiration time of the ACL token. |
expiration_ttl | text | | The maximum life of the ACL token. |
hash | jsonb | | The ACL token hash. |
local | boolean | | Whether the token is local to the datacenter or not. |
modify_index | bigint | | Modify index of the ACL token. |
namespace | text | = | The namespace of the ACL token. |
node_identities | jsonb | | Node identities attached to the ACL token. |
partition | text | | The partition of the ACL token. |
policies | jsonb | | Policies attached to the ACL token. |
roles | jsonb | | Roles attached to the ACL token. |
secret_id | text | | The secret ID of the ACL token. |
service_identities | jsonb | | Service identities attached to the ACL token. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
title | text | | The title of the ACL token. |
Export
This table is available through a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- consul
You can pass the configuration to the command with the --config argument:
steampipe_export_consul --config '<your_config>' consul_acl_token