From 2538c28cc7291b735fb48ecf8d15fc397c36969a Mon Sep 17 00:00:00 2001
From: Ranjandas <thejranjan@gmail.com>
Date: Tue, 23 Mar 2021 15:51:56 +1100
Subject: [PATCH] Document agent token policy requirement for rexec

The Agent token policy when using rexec should have `write` on "_rexec"
key prefix. Updated the exec command documentation to explicitly state
this requirement.
---
 website/content/commands/exec.mdx | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/website/content/commands/exec.mdx b/website/content/commands/exec.mdx
index 33253f518..ca793daa0 100644
--- a/website/content/commands/exec.mdx
+++ b/website/content/commands/exec.mdx
@@ -41,6 +41,8 @@ execute this command.
 | `key:write`     | `"_rexec"` prefix |
 | `event:write`   | `"_rexec"` prefix |
 
+In addition to the above, the policy associated with the [agent token](https://www.consul.io/docs/security/acl/acl-system#acl-agent-token) should have `write` on `"_rexec"` key prefix. This is for the agents to read the `exec` command and write its output back to the KV store.
+
 ## Usage
 
 Usage: `consul exec [options] [-|command...]`