steampipe plugin install consul

Table: consul_acl_token - Query Consul ACL Tokens using SQL

Consul ACL Tokens are a security feature in HashiCorp Consul that provides a flexible way to control access to data and APIs. The ACL system is a capability-based system that relies on tokens, which can have fine-grained rules and policies. ACL Tokens allow you to restrict which data and APIs a client can access, ensuring secure and controlled access within your Consul environment.

Table Usage Guide

The consul_acl_token table provides insights into ACL Tokens within HashiCorp Consul. As a security engineer, explore token-specific details through this table, including permissions, policies, and associated metadata. Utilize it to uncover information about ACL Tokens, such as those with unrestricted permissions, the policies associated with each token, and the verification of access rules.

Important Notes

  • You need to specify the token parameter in the consul.spc file to be able to query this table.

Examples

Basic info

Explore which accessors have been authorized, when they were created, and their expiration timeline. This can help you manage access control and understand potential security risks in your system.

select
  accessor_id,
  secret_id,
  auth_method,
  local,
  create_time,
  expiration_ttl,
  namespace,
  partition
from
  consul_acl_token;

List local tokens

Explore which access control list (ACL) tokens are locally stored within the Consul service. This is useful for managing security and access controls, particularly in understanding which tokens might expire soon.

Postgres:

select
  accessor_id,
  secret_id,
  auth_method,
  local,
  create_time,
  expiration_ttl
from
  consul_acl_token
where
  local;

SQLite:

select
  accessor_id,
  secret_id,
  auth_method,
  local,
  create_time,
  expiration_ttl
from
  consul_acl_token
where
  local = 1;

List tokens which will never expire

Identify instances where certain access tokens are set to never expire. This can be useful in managing security and access control, as perpetual tokens may pose a potential risk.

select
  accessor_id,
  secret_id,
  auth_method,
  local,
  create_time,
  expiration_ttl
from
  consul_acl_token
where
  expiration_time is null;

List tokens which are not associated with any role

Find tokens that are not linked to any role, which can be useful to identify potential security risks or unused resources. This information can aid in streamlining your system's security and efficiency.

select
  accessor_id,
  secret_id,
  auth_method,
  local,
  create_time,
  expiration_ttl
from
  consul_acl_token
where
  roles is null;

List tokens which are not associated with any auth method

Find tokens that are not associated with any authentication method. This can be beneficial in identifying potential security vulnerabilities or gaps in your system's access control.

select
  accessor_id,
  secret_id,
  auth_method,
  local,
  create_time,
  expiration_ttl
from
  consul_acl_token
where
  auth_method = '';
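
An added example, not part of the plugin documentation: it combines the expiry check above with the policies column to list non-expiring tokens that carry Consul's built-in global-management policy, and it leaves secret_id out of the result so the bearer secret does not end up in query output or logs. It assumes the Postgres engine and that each element of policies is an object with a Name key, as in the Consul API; check the key against your own data.

```sql
-- Added example (Postgres syntax). Assumption: policies is a JSON array of
-- objects shaped like {"ID": "...", "Name": "..."}.
select
  t.accessor_id,
  t.description,
  t.auth_method,
  t.local,
  t.create_time,
  p ->> 'Name' as policy_name
from
  consul_acl_token as t
  cross join lateral jsonb_array_elements(
    -- Treat a missing or non-array policies value as an empty list so
    -- jsonb_array_elements does not fail on scalar input.
    case
      when jsonb_typeof(t.policies) = 'array' then t.policies
      else '[]'::jsonb
    end
  ) as p
where
  p ->> 'Name' = 'global-management'
  and t.expiration_time is null
order by
  t.create_time;
```

The accessor_id is enough to identify a token for rotation or deletion, so audit queries rarely need secret_id at all.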

Schema for consul_acl_token

Name                   Type                      Operators  Description
_ctx                   jsonb                                Steampipe context in JSON form, e.g. connection_name.
accessor_id            text                      =          The accessor ID of the acl token.
auth_method            text                                 The auth method of the acl token.
auth_method_namespace  text                                 The auth method namespace of the acl token.
create_index           bigint                    =          Create index of the acl token.
create_time            timestamp with time zone             The creation time of the acl token.
description            text                                 The description of the acl token.
expiration_time        timestamp with time zone             The expiration time of the acl token.
expiration_ttl         text                                 The maximum life of the acl token.
hash                   jsonb                                The acl token hash.
local                  boolean                              Check whether the token is local or not.
modify_index           bigint                               Modify index of the acl token.
namespace              text                      =          The namespace of the acl token.
node_identities        jsonb                                Node identities attached to the acl token.
partition              text                                 The partition of the acl token.
policies               jsonb                                Policies attached to the acl token.
roles                  jsonb                                Roles attached to the acl token.
secret_id              text                                 The secret ID of the acl token.
service_identities     jsonb                                Service identities attached to the acl token.
title                  text                                 The title of the acl token.

Export

This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.

You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- consul

You can pass the configuration to the command with the --config argument:

steampipe_export_consul --config '<your_config>' consul_acl_token