open-consul/website/content/commands/intention/index.mdx

---
layout: commands
page_title: 'Commands: Intention'
description: >-
  The `consul intention` command interacts with service intentions to secure service mesh traffic. It exposes top-level commands for interacting with intentions. It was deprecated in Consul v1.9.0. To interact with intentions, use `consul config` instead.
---

# Consul Intention

Command: `consul intention`

The `intention` command is used to interact with Connect
[intentions](/consul/docs/connect/intentions). It exposes commands for
creating, updating, reading, deleting, checking, and managing intentions.
This command is available in Consul 1.2 and later.

Intentions are managed primarily via
[`service-intentions`](/consul/docs/connect/config-entries/service-intentions) config
entries after Consul 1.9. Intentions may also be managed via the [HTTP
API](/consul/api-docs/connect/intentions).

~> **Deprecated** - This command is deprecated in Consul 1.9.0 in favor of
using the [config entry CLI command](/consul/commands/config/write). To create an
intention, create or modify a
[`service-intentions`](/consul/docs/connect/config-entries/service-intentions) config
entry for the destination.

## Usage

Usage: `consul intention <subcommand>`

For the exact documentation for your Consul version, run `consul intention -h`
to view the complete list of subcommands.

```text
Usage: consul intention <subcommand> [options] [args]

  ...

Subcommands:
    check     Check whether a connection between two services is allowed.
    create    Create intentions for service connections.
    delete    Delete an intention.
    list      Lists all intentions.
    get       Show information about an intention.
    match     Show intentions that match a source or destination.
```

For more information, examples, and usage about a subcommand, click on the name
of the subcommand in the sidebar.

## Basic Examples

Create an intention to allow "web" to talk to "db":

```shell-session
$ consul intention create web db
```

Create an intention to deny "db" from initiating connections to _any_ service:

```shell-session
$ consul intention create -deny db '*'
Created: db => * (deny)
```

Test whether a "web" is allowed to connect to "db":

```shell-session
$ consul intention check web db
```

List all intentions:

```shell-session
$ consul intention list
```

Find all intentions for communicating to the "db" service:

```shell-session
$ consul intention match db
```

## Source and Destination Naming

Intention commands commonly take positional arguments referred to as `SRC` and
`DST` in the command documentation. These can take several forms:

| Format                              | Meaning                                                                                       |
| ----------------------------------- | --------------------------------------------------------------------------------------------- |
| `<service>`                         | the named service in the current namespace                                                    |
| `*`                                 | any service in the current namespace                                                          |
| `<namespace>/<service>`             | <EnterpriseAlert inline /> the named service in a specific namespace in the default partition |
| `<namespace>/*`                     | <EnterpriseAlert inline /> any service in the specified namespace in the default partition    |
| `*/*`                               | <EnterpriseAlert inline /> any service in any namespace in the default partition              |
| `<partition>/<namespace>/<service>` | <EnterpriseAlert inline /> the named service in a specific namespace                          |
| `<partition>/<namespace>/*`         | <EnterpriseAlert inline /> any service in the specified namespace in a specific partition     |
| `<partition>/*/*`                   | <EnterpriseAlert inline /> any service in any namespace in the  a specific  partition         |
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`
docs: update structure (#8506) - moved and renamed files/folders based on new structure - updated docs navigation based on new structure - moved CLI to top nav (created commands.jsx and commands-navigation.js) - updated and added redirects - updating to be consistent with standalone categories - changing "overview" link in top nav to lead to where intro was moved (docs/intro) - adding redirects for intro content - deleting old intro folders - format all data/navigation files - deleting old commands folder - reverting changes to glossary page - adjust intro navigation for removal of 'vs' paths - add helm page redirect - fix more redirects - add a missing redirect - fix broken anchor links and formatting mistakes - deleted duplicate section, added redirect, changed link - removed duplicate glossary page 2020-09-01 15:14:13 +00:00			`layout: commands`
initial 2020-04-06 20:27:35 +00:00			`page_title: 'Commands: Intention'`
docs: CLI page descriptions for automated checker (#16056) * ACL * ACL * Catalog * consul config * consul connect * top-level updates * consul intention * consul kv * consul namespace * consul peering * consul peering delete * consul services * consul snapshot * consul tls * consul acl auth-method * acl binding-rule * acl policy * acl role * acl token * fix * standardization * Update website/content/commands/snapshot/save.mdx Co-authored-by: Bryce Kalow <bkalow@hashicorp.com> * consul debug consul keyring Co-authored-by: Bryce Kalow <bkalow@hashicorp.com> Co-authored-by: Tu Nguyen <im2nguyen@users.noreply.github.com> 2023-01-26 18:42:13 +00:00			`description: >-`
			The `consul intention` command interacts with service intentions to secure service mesh traffic. It exposes top-level commands for interacting with intentions. It was deprecated in Consul v1.9.0. To interact with intentions, use `consul config` instead.
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`---`

			`# Consul Intention`

			Command: `consul intention`

			The `intention` command is used to interact with Connect
docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			`[intentions](/consul/docs/connect/intentions). It exposes commands for`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`creating, updating, reading, deleting, checking, and managing intentions.`
			`This command is available in Consul 1.2 and later.`

docs: all intention documentation updates (#8869) 2020-10-14 15:23:05 +00:00			`Intentions are managed primarily via`
docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			[`service-intentions`](/consul/docs/connect/config-entries/service-intentions) config
docs: all intention documentation updates (#8869) 2020-10-14 15:23:05 +00:00			`entries after Consul 1.9. Intentions may also be managed via the [HTTP`
docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			`API](/consul/api-docs/connect/intentions).`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
docs: added deprecation message to CLI command intentions overview page 2021-10-21 17:29:23 +00:00			`~> Deprecated - This command is deprecated in Consul 1.9.0 in favor of`
docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			`using the [config entry CLI command](/consul/commands/config/write). To create an`
docs: added deprecation message to CLI command intentions overview page 2021-10-21 17:29:23 +00:00			`intention, create or modify a`
docs: Migrate link formats (#15976) * Adding check-legacy-links-format workflow * Adding test-link-rewrites workflow * Updating docs-content-check-legacy-links-format hash * Migrating links to new format Co-authored-by: Kendall Strautman <kendallstrautman@gmail.com> 2023-01-25 16:52:43 +00:00			[`service-intentions`](/consul/docs/connect/config-entries/service-intentions) config
docs: added deprecation message to CLI command intentions overview page 2021-10-21 17:29:23 +00:00			`entry for the destination.`

Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`## Usage`

			Usage: `consul intention <subcommand>`

cli: Add consul intention list command (based on PR #6825) (#9468) This PR is based on the previous work by @snuggie12 in PR #6825. It adds the command consul intention list to list all available intentions. The list functionality for intentions seems a bit overdue as it's just very handy. The web UI cannot list intentions outside of the default namespace, and using the API is sometimes not the friendliest option. ;) I cherry picked snuggie12's commits who did most of the heavy lifting (thanks again @snuggie12 for your great work!). The changes in the original commit mostly still worked on the current HEAD. On top of that I added support for namespaces and fixed the docs as they are managed differently today. Also the requested changes related to the "Connect" references in the original PRs have been addressed. Fixes #5652 Co-authored-by: Matt Hoey <mhoey05@jcu.edu> 2021-01-12 20:14:31 +00:00			For the exact documentation for your Consul version, run `consul intention -h`
			`to view the complete list of subcommands.`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
			```text
			`Usage: consul intention <subcommand> [options] [args]`

			`...`

			`Subcommands:`
			`check Check whether a connection between two services is allowed.`
			`create Create intentions for service connections.`
			`delete Delete an intention.`
cli: Add consul intention list command (based on PR #6825) (#9468) This PR is based on the previous work by @snuggie12 in PR #6825. It adds the command consul intention list to list all available intentions. The list functionality for intentions seems a bit overdue as it's just very handy. The web UI cannot list intentions outside of the default namespace, and using the API is sometimes not the friendliest option. ;) I cherry picked snuggie12's commits who did most of the heavy lifting (thanks again @snuggie12 for your great work!). The changes in the original commit mostly still worked on the current HEAD. On top of that I added support for namespaces and fixed the docs as they are managed differently today. Also the requested changes related to the "Connect" references in the original PRs have been addressed. Fixes #5652 Co-authored-by: Matt Hoey <mhoey05@jcu.edu> 2021-01-12 20:14:31 +00:00			`list Lists all intentions.`
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`get Show information about an intention.`
			`match Show intentions that match a source or destination.`
			```

			`For more information, examples, and usage about a subcommand, click on the name`
			`of the subcommand in the sidebar.`

			`## Basic Examples`

			`Create an intention to allow "web" to talk to "db":`

update dependencies 2020-05-19 18:32:38 +00:00			```shell-session
docs rendering 2020-04-07 23:56:08 +00:00			`$ consul intention create web db`
			```
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
Ingress and Terminating Gateway docs (#7710) This PR contains documentation additions for ingress and terminating gateways. New pages for the config-entries and overall feature description were added, as well as various additions to related pages. Co-authored-by: Jono Sosulska <42216911+jsosulska@users.noreply.github.com> Co-authored-by: freddygv <gh@freddygv.xyz> Co-authored-by: Freddy <freddygv@users.noreply.github.com> Co-authored-by: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> 2020-05-13 21:29:40 +00:00			`Create an intention to deny "db" from initiating connections to _any_ service:`

update dependencies 2020-05-19 18:32:38 +00:00			```shell-session
Ingress and Terminating Gateway docs (#7710) This PR contains documentation additions for ingress and terminating gateways. New pages for the config-entries and overall feature description were added, as well as various additions to related pages. Co-authored-by: Jono Sosulska <42216911+jsosulska@users.noreply.github.com> Co-authored-by: freddygv <gh@freddygv.xyz> Co-authored-by: Freddy <freddygv@users.noreply.github.com> Co-authored-by: kaitlincarter-hc <43049322+kaitlincarter-hc@users.noreply.github.com> 2020-05-13 21:29:40 +00:00			`$ consul intention create -deny db '*'`
			`Created: db => * (deny)`
			```

Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`Test whether a "web" is allowed to connect to "db":`

update dependencies 2020-05-19 18:32:38 +00:00			```shell-session
docs rendering 2020-04-07 23:56:08 +00:00			`$ consul intention check web db`
			```
Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00
cli: Add consul intention list command (based on PR #6825) (#9468) This PR is based on the previous work by @snuggie12 in PR #6825. It adds the command consul intention list to list all available intentions. The list functionality for intentions seems a bit overdue as it's just very handy. The web UI cannot list intentions outside of the default namespace, and using the API is sometimes not the friendliest option. ;) I cherry picked snuggie12's commits who did most of the heavy lifting (thanks again @snuggie12 for your great work!). The changes in the original commit mostly still worked on the current HEAD. On top of that I added support for namespaces and fixed the docs as they are managed differently today. Also the requested changes related to the "Connect" references in the original PRs have been addressed. Fixes #5652 Co-authored-by: Matt Hoey <mhoey05@jcu.edu> 2021-01-12 20:14:31 +00:00			`List all intentions:`

			```shell-session
			`$ consul intention list`
			```

Starting Docs (#46) * website: first stab at Connect docs * website: lots more various stuff (bad commit messages) * website: getting started page for Connect * website: intentions * website: intention APIs * website: agent API docs * website: document agent/catalog proxy kind service values * website: /v1/catalog/connect/:service * website: intention CLI docs * website: custom proxy docs * website: remove dedicated getting started guide * website: add docs for CA API endpoints * website: add docs for connect ca commands * website: add proxy CLI docs * website: clean up proxy command, add dev docs * website: todo pages * website: connect security 2018-05-29 21:07:40 +00:00			`Find all intentions for communicating to the "db" service:`

update dependencies 2020-05-19 18:32:38 +00:00			```shell-session
docs rendering 2020-04-07 23:56:08 +00:00			`$ consul intention match db`
			```
connect: various changes to make namespaces for intentions work more like for other subsystems (#8194) Highlights: - add new endpoint to query for intentions by exact match - using this endpoint from the CLI instead of the dump+filter approach - enforcing that OSS can only read/write intentions with a SourceNS or DestinationNS field of "default". - preexisting OSS intentions with now-invalid namespace fields will delete those intentions on initial election or for wildcard namespaces an attempt will be made to downgrade them to "default" unless one exists. - also allow the '-namespace' CLI arg on all of the intention subcommands - update lots of docs 2020-06-26 21:59:15 +00:00
			`## Source and Destination Naming`

			Intention commands commonly take positional arguments referred to as `SRC` and
			`DST` in the command documentation. These can take several forms:

Website fixups for admin partitions (#11842) * Website fixups for admin partitions Signed-off-by: Mark Anderson <manderson@hashicorp.com> 2021-12-15 01:55:21 +00:00			`\| Format \| Meaning \|`
			`\| ----------------------------------- \| --------------------------------------------------------------------------------------------- \|`
			\| `<service>` \| the named service in the current namespace \|
			\| `*` \| any service in the current namespace \|
			\| `<namespace>/<service>` \| <EnterpriseAlert inline /> the named service in a specific namespace in the default partition \|
			\| `<namespace>/*` \| <EnterpriseAlert inline /> any service in the specified namespace in the default partition \|
			\| `/` \| <EnterpriseAlert inline /> any service in any namespace in the default partition \|
			\| `<partition>/<namespace>/<service>` \| <EnterpriseAlert inline /> the named service in a specific namespace \|
			\| `<partition>/<namespace>/*` \| <EnterpriseAlert inline /> any service in the specified namespace in a specific partition \|
			\| `<partition>//` \| <EnterpriseAlert inline /> any service in any namespace in the a specific partition \|