` |
+| service-defaults | `service:read` |
+| service-intentions | `intentions:read` |
+| service-resolver | `service:read` |
+| service-router | `service:read` |
+| service-splitter | `service:read` |
+| terminating-gateway | `service:read` |
## Usage
diff --git a/website/content/commands/config/write.mdx b/website/content/commands/config/write.mdx
index 5677a5db8..d577999b4 100644
--- a/website/content/commands/config/write.mdx
+++ b/website/content/commands/config/write.mdx
@@ -17,9 +17,25 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
-| ACL Required |
-| ----------------------------------- |
-| `service:write` or `operator:write` |
+| ACL Required1 |
+| ------------------------------------------------------------- |
+| `service:write`
`operator:write`
`intentions:write` |
+
+
+ 1 The actual ACL required depends on the config entry kind being
+ updated:
+
+
+| Config Entry Kind | Required ACL |
+| ------------------- | ------------------ |
+| ingress-gateway | `operator:write` |
+| proxy-defaults | `operator:write` |
+| service-defaults | `service:write` |
+| service-intentions | `intentions:write` |
+| service-resolver | `service:write` |
+| service-router | `service:write` |
+| service-splitter | `service:write` |
+| terminating-gateway | `operator:write` |
## Usage
diff --git a/website/content/commands/intention/check.mdx b/website/content/commands/intention/check.mdx
index 21cb33422..a8641b653 100644
--- a/website/content/commands/intention/check.mdx
+++ b/website/content/commands/intention/check.mdx
@@ -23,6 +23,23 @@ intention read permissions and don't evaluate the result.
defined as _deny_ intentions during evaluation, as this endpoint is only suited
for networking layer 4 (e.g. TCP) integration.
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ----------------------------- |
+| `intentions:read`1 |
+
+
+ 1 Intention ACL rules are specified as part of a{' '}
+ service rule. See{' '}
+
+ Intention Management Permissions
+ {' '}
+ for more details.
+
+
## Usage
Usage: `consul intention check [options] SRC DST`
diff --git a/website/content/commands/intention/create.mdx b/website/content/commands/intention/create.mdx
index 505fbe970..37b70b92b 100644
--- a/website/content/commands/intention/create.mdx
+++ b/website/content/commands/intention/create.mdx
@@ -21,9 +21,18 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
-| ACL Required |
-| ------------------ |
-| `intentions:write` |
+| ACL Required |
+| ------------------------------ |
+| `intentions:write`1 |
+
+
+ 1 Intention ACL rules are specified as part of a{' '}
+ service rule. See{' '}
+
+ Intention Management Permissions
+ {' '}
+ for more details.
+
## Usage
diff --git a/website/content/commands/intention/delete.mdx b/website/content/commands/intention/delete.mdx
index 07f4a95fe..d2b58545e 100644
--- a/website/content/commands/intention/delete.mdx
+++ b/website/content/commands/intention/delete.mdx
@@ -7,7 +7,7 @@ page_title: 'Commands: Intention Delete'
Command: `consul intention delete`
-Corresponding HTTP API Endpoint: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name)
+Corresponding HTTP API Endpoints: [\[DELETE\] /v1/connect/intentions/exact](/api-docs/connect/intentions#delete-intention-by-name), [\[DELETE\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#delete-intention-by-id)
The `intention delete` command deletes a matching intention.
@@ -15,9 +15,18 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
-| ACL Required |
-| ------------------ |
-| `intentions:write` |
+| ACL Required |
+| ------------------------------ |
+| `intentions:write`1 |
+
+
+ 1 Intention ACL rules are specified as part of a{' '}
+ service rule. See{' '}
+
+ Intention Management Permissions
+ {' '}
+ for more details.
+
-> **Deprecated** - The one argument form of this command is deprecated in
Consul 1.9.0. Intentions no longer need IDs when represented as
diff --git a/website/content/commands/intention/get.mdx b/website/content/commands/intention/get.mdx
index 438358b66..b1252a1b4 100644
--- a/website/content/commands/intention/get.mdx
+++ b/website/content/commands/intention/get.mdx
@@ -7,7 +7,7 @@ page_title: 'Commands: Intention Get'
Command: `consul intention get`
-Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions##read-specific-intention-by-name)
+Corresponding HTTP API Endpoints: [\[GET\] /v1/connect/intentions/exact](/api-docs/connect/intentions#read-specific-intention-by-name), [\[GET\] /v1/connect/intentions/:uuid](/api-docs/connect/intentions#read-specific-intention-by-id)
The `intention get` command shows a single intention.
@@ -20,9 +20,18 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
-| ACL Required |
-| ----------------- |
-| `intentions:read` |
+| ACL Required |
+| ----------------------------- |
+| `intentions:read`1 |
+
+
+ 1 Intention ACL rules are specified as part of a{' '}
+ service rule. See{' '}
+
+ Intention Management Permissions
+ {' '}
+ for more details.
+
## Usage
diff --git a/website/content/commands/intention/list.mdx b/website/content/commands/intention/list.mdx
index e3d546877..03dd93248 100644
--- a/website/content/commands/intention/list.mdx
+++ b/website/content/commands/intention/list.mdx
@@ -11,6 +11,23 @@ Corresponding HTTP API Endpoint: [\[GET\] /v1/connect/intentions](/api-docs/conn
The `intention list` command shows all intentions including ID and precedence.
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ----------------------------- |
+| `intentions:read`1 |
+
+
+ 1 Intention ACL rules are specified as part of a{' '}
+ service rule. See{' '}
+
+ Intention Management Permissions
+ {' '}
+ for more details.
+
+
## Usage
Usage:
diff --git a/website/content/commands/intention/match.mdx b/website/content/commands/intention/match.mdx
index ee587cb5c..49694551a 100644
--- a/website/content/commands/intention/match.mdx
+++ b/website/content/commands/intention/match.mdx
@@ -20,9 +20,18 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
-| ACL Required |
-| ----------------- |
-| `intentions:read` |
+| ACL Required |
+| ----------------------------- |
+| `intentions:read`1 |
+
+
+ 1 Intention ACL rules are specified as part of a{' '}
+ service rule. See{' '}
+
+ Intention Management Permissions
+ {' '}
+ for more details.
+
## Usage
diff --git a/website/content/commands/keyring.mdx b/website/content/commands/keyring.mdx
index 84283a05c..0d50260f9 100644
--- a/website/content/commands/keyring.mdx
+++ b/website/content/commands/keyring.mdx
@@ -29,6 +29,19 @@ All variations of the `keyring` command return 0 if all nodes reply and there
are no errors. If any node fails to reply or reports failure, the exit code
will be 1.
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required1 |
+| ----------------------------------- |
+| `keyring:read`
`keyring:write` |
+
+
+ 1 The actual ACL required depends on the flags being used in the
+ command.
+
+
## Usage
Usage: `consul keyring [options]`
diff --git a/website/content/commands/kv/export.mdx b/website/content/commands/kv/export.mdx
index ce6f1e6bf..97f675966 100644
--- a/website/content/commands/kv/export.mdx
+++ b/website/content/commands/kv/export.mdx
@@ -12,6 +12,14 @@ prefix from Consul's KV store, and write a JSON representation to
stdout. This can be used with the command "consul kv import" to move entire
trees between Consul clusters.
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `key:read` |
+
## Usage
Usage: `consul kv export [options] [PREFIX]`
diff --git a/website/content/commands/kv/import.mdx b/website/content/commands/kv/import.mdx
index 6c5f1f1ee..ab9acf229 100644
--- a/website/content/commands/kv/import.mdx
+++ b/website/content/commands/kv/import.mdx
@@ -10,6 +10,14 @@ Command: `consul kv import`
The `kv import` command is used to import KV pairs from the JSON representation
generated by the `kv export` command.
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ------------ |
+| `key:write` |
+
## Usage
Usage: `consul kv import [options] [DATA]`
diff --git a/website/content/commands/namespace/list.mdx b/website/content/commands/namespace/list.mdx
index 037ef1369..1ce45328c 100644
--- a/website/content/commands/namespace/list.mdx
+++ b/website/content/commands/namespace/list.mdx
@@ -20,9 +20,12 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
-| ACL Required |
-| ------------------------------------- |
-| `operator:read` or `namespace:* read` |
+| ACL Required |
+| ------------------------------------------------- |
+| `operator:read` or `namespace:*:read`1 |
+
+1 Access can be granted to list the Namespace if the token used when making
+the request has been granted any access in the namespace (read, list or write).
## Usage
diff --git a/website/content/commands/namespace/read.mdx b/website/content/commands/namespace/read.mdx
index bf31cd228..b008977b7 100644
--- a/website/content/commands/namespace/read.mdx
+++ b/website/content/commands/namespace/read.mdx
@@ -19,9 +19,12 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
-| ACL Required |
-| ------------------------------------- |
-| `operator:read` or `namespace:* read` |
+| ACL Required |
+| ------------------------------------------------- |
+| `operator:read` or `namespace:*:read`1 |
+
+1 Access can be granted to list the Namespace if the token used when making
+the request has been granted any access in the namespace (read, list or write).
## Usage
diff --git a/website/content/commands/namespace/write.mdx b/website/content/commands/namespace/write.mdx
index f9e533f14..1fe3e5d69 100644
--- a/website/content/commands/namespace/write.mdx
+++ b/website/content/commands/namespace/write.mdx
@@ -13,6 +13,14 @@ Corresponding HTTP API Endpoint: [\[PUT\] /v1/namespace/:name](/api-docs/namespa
This `namespace write` command creates or updates a namespace's configuration from its full definition. This was added in Consul Enterprise 1.7.0.
+The table below shows this command's [required ACLs](/api#authentication). Configuration of
+[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
+are not supported from commands, but may be from the corresponding HTTP endpoint.
+
+| ACL Required |
+| ---------------- |
+| `operator:write` |
+
## Usage
Usage: `consul namespace write `
diff --git a/website/content/commands/rtt.mdx b/website/content/commands/rtt.mdx
index 926e08570..9eed062c9 100644
--- a/website/content/commands/rtt.mdx
+++ b/website/content/commands/rtt.mdx
@@ -21,9 +21,13 @@ The table below shows this command's [required ACLs](/api#authentication). Confi
[blocking queries](/api/features/blocking) and [agent caching](/api/features/caching)
are not supported from commands, but may be from the corresponding HTTP endpoint.
-| ACL Required |
-| ------------ |
-| `node:read` |
+| ACL Required |
+| ----------------------- |
+| `node:read`1 |
+
+
+ 1 When referencing WAN coordinates, no ACL permission is needed.
+
## Usage