open-nomad/website/content/docs/configuration/acl.mdx

---
layout: docs
page_title: acl Stanza - Agent Configuration
description: >-
  The "acl" stanza configures the Nomad agent to enable ACLs and tune various
  parameters.
---

# `acl` Stanza

<Placement groups={['acl']} />

The `acl` stanza configures the Nomad agent to enable ACLs and tunes various
ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure
Nomad with Access Control guide][secure-guide].

```hcl
acl {
  enabled = true
  token_ttl = "30s"
  policy_ttl = "60s"
}
```

## `acl` Parameters

- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
  ACL configuration options depend on this value. Note that the Nomad command
  line client will send requests for client endpoints such as `alloc exec`
  directly to Nomad clients whenever they are accessible. In this scenario, the
  client will enforce ACLs, so both servers and clients should have ACLs enabled.

- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
  cached ACL tokens. This does not affect servers, since they do not cache tokens.
  Setting this value lower reduces how stale a token can be, but increases
  the request load against servers. If a client cannot reach a server, for example
  because of an outage, the TTL will be ignored and the cached value used.

- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
  cached ACL policies. This does not affect servers, since they do not cache policies.
  Setting this value lower reduces how stale a policy can be, but increases
  the request load against servers. If a client cannot reach a server, for example
  because of an outage, the TTL will be ignored and the cached value used.

- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
  to use for replicating policies and tokens. This is used by servers in non-authoritative
  region to mirror the policies and tokens into the local region from [authoritative_region][authoritative-region].

[secure-guide]: https://learn.hashicorp.com/collections/nomad/access-control
[authoritative-region]: /docs/configuration/server#authoritative_region
website: Document ACL APIs and configuration 2017-08-23 23:56:05 +00:00			`---`
new website :sparkles: 2020-02-06 23:45:31 +00:00			`layout: docs`
			`page_title: acl Stanza - Agent Configuration`
			`description: >-`
			`The "acl" stanza configures the Nomad agent to enable ACLs and tune various`
			`parameters.`
website: Document ACL APIs and configuration 2017-08-23 23:56:05 +00:00			`---`

			# `acl` Stanza

new website :sparkles: 2020-02-06 23:45:31 +00:00			`<Placement groups={['acl']} />`
website: Document ACL APIs and configuration 2017-08-23 23:56:05 +00:00
docs: add some links to the acl guide ACL APIs already have osme links, but the command and configuration pages did not. 2020-03-13 17:16:01 +00:00			The `acl` stanza configures the Nomad agent to enable ACLs and tunes various
			`ACL parameters. Learn more about configuring Nomad's ACL system in the [Secure`
			`Nomad with Access Control guide][secure-guide].`
website: Document ACL APIs and configuration 2017-08-23 23:56:05 +00:00
			```hcl
			`acl {`
			`enabled = true`
			`token_ttl = "30s"`
			`policy_ttl = "60s"`
			`}`
			```

			## `acl` Parameters

			- `enabled` `(bool: false)` - Specifies if ACL enforcement is enabled. All other
docs: note that clients need to have ACLs enabled (#11799) Client endpoints such as `alloc exec` are enforced on the client if the API client or CLI has "line of sight" to the client. This is already in the Learn guide but having it in the ACL configuration docs would be helpful. 2022-01-07 21:18:41 +00:00			`ACL configuration options depend on this value. Note that the Nomad command`
			line client will send requests for client endpoints such as `alloc exec`
			`directly to Nomad clients whenever they are accessible. In this scenario, the`
			`client will enforce ACLs, so both servers and clients should have ACLs enabled.`
website: Document ACL APIs and configuration 2017-08-23 23:56:05 +00:00
			- `token_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
			`cached ACL tokens. This does not affect servers, since they do not cache tokens.`
			`Setting this value lower reduces how stale a token can be, but increases`
			`the request load against servers. If a client cannot reach a server, for example`
			`because of an outage, the TTL will be ignored and the cached value used.`

			- `policy_ttl` `(string: "30s")` - Specifies the maximum time-to-live (TTL) for
			`cached ACL policies. This does not affect servers, since they do not cache policies.`
			`Setting this value lower reduces how stale a policy can be, but increases`
			`the request load against servers. If a client cannot reach a server, for example`
			`because of an outage, the TTL will be ignored and the cached value used.`

			- `replication_token` `(string: "")` - Specifies the Secret ID of the ACL token
			`to use for replicating policies and tokens. This is used by servers in non-authoritative`
[doc]Add replication_token link with authoritative_region replication_token always works together with authoritative_region, add a link for better doc. 2021-08-03 10:56:00 +00:00			`region to mirror the policies and tokens into the local region from [authoritative_region][authoritative-region].`
docs: add some links to the acl guide ACL APIs already have osme links, but the command and configuration pages did not. 2020-03-13 17:16:01 +00:00
[docs] Update redirects and links for learn.hashicorp.com (#8598) * Fix links to ACL guides * Managing Nomad guide links; links in jsx pages * job updates guide URLS * node-drain guide URLS * outage recovery guide links * fix guide links - sentinel * fix guide links - namespaces * fix guide links - quotas * fix guide links - autopilot * more guide links. * more guide links - continued. * Updating redirects for learn * Getting Started * Load Balancing Guides * update redirects for ui guide * Consolidate spark redirects to point to GH repo * operating job update part 1 * finish operating job links; operations guides links. * finish guide redirects * coalesce EOL redirects for spark guides. * one last link * Checked links and found a few more stray links * Found more .htmls * Fixup links for new HC websites * Post-merge fixups * linkcheck caught missing ids 2020-09-29 16:48:32 +00:00			`[secure-guide]: https://learn.hashicorp.com/collections/nomad/access-control`
[doc]Add replication_token link with authoritative_region replication_token always works together with authoritative_region, add a link for better doc. 2021-08-03 10:56:00 +00:00			`[authoritative-region]: /docs/configuration/server#authoritative_region`