Add ACL info to Consul configuration page

2017-06-19 19:39:52 -04:00 · 2017-06-19 19:39:52 -04:00 · 8f1f9d5522
parent 5817a8a5f8
commit 8f1f9d5522
1 changed files with 38 additions and 1 deletions
--- a/website/source/docs/configuration/storage/consul.html.md
+++ b/website/source/docs/configuration/storage/consul.html.md
@ -88,7 +88,7 @@ at Consul's service discovery layer.

 - `token` `(string: "")` – Specifies the [Consul ACL token][consul-acl] with
  permission to read and write from the `path` in Consul's key-value store.
-  This is **not** a Vault token.
+  This is **not** a Vault token. See the ACL section below for help.

 The following settings apply when communicating with Consul via an encrypted
 connection. You can read more about encrypting Consul connections on the
@ -133,6 +133,43 @@ discussed in more detail in the [HA concepts page](/docs/concepts/ha.html).
  advertise to other Vault servers in the cluster for client redirection. This
  can also be provided via the environment variable `VAULT_REDIRECT_ADDR`.

+## ACLs
+
+If using ACLs in Consul, you'll need appropriate permissions. For Consul 0.8,
+the following will work for most use-cases, assuming that your service name is
+`vault` and the prefix being used is `vault/`:
+
+```json
+{
+  "key": {
+    "vault/": {
+      "policy": "write"
+    }
+  },
+  "node": {
+    "": {
+      "policy": "write"
+    }
+  },
+  "service": {
+    "vault": {
+      "policy": "write"
+    }
+  },
+  "agent": {
+    "": {
+      "policy": "write"
+    }
+
+  },
+  "session": {
+    "": {
+      "policy": "write"
+    }
+  }
+}
+```
+
 ## `consul` Examples

 ### Local Agent