»ACL Binding Rule HTTP API
1.5.0+: The binding rule APIs are available in Consul versions 1.5.0 and newer.
The /acl/binding-rule endpoints create,
read, update,
list and delete ACL binding
rules in Consul.
For more information on how to setup ACLs, please check the ACL tutorial.
»Create a Binding Rule
This endpoint creates a new ACL binding rule.
| Method | Path | Produces |
|---|---|---|
PUT | /acl/binding-rule | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|---|---|---|---|
NO | none | none | acl:write |
The corresponding CLI command is consul acl binding-rule create.
»Parameters
Description(string: "")- Free form human readable description of the binding rule.AuthMethod(string: <required>)- The name of the auth method that this rule applies to. This field is immutable.Selector(string: "")- Specifies the expression used to match this rule against valid identities returned from an auth method validation. If empty this binding rule matches all valid identities returned from the auth method. For example:BindType(string: <required>)- Specifies the way the binding rule affects a token created at login.BindType=service- The computed bind name value is used as anACLServiceIdentity.ServiceNamefield in the token that is created.BindType=node- The computed bind name value is used as anACLNodeIdentity.NodeNamefield in the token that is created.BindType=role- The computed bind name value is used as aRoleLink.Namefield in the token that is created. This binding rule will only apply if a role with the given name exists at login-time. If it does not then this rule is ignored.
BindName(string: <required>)- The name to bind to a token at login-time. What it binds to can be adjusted with different values of theBindTypefield. This can either be a plain string or lightly templated using HIL syntax to interpolate the same values that are usable by theSelectorsyntax. For example:Namespace(string: "")Enterprise- Specifies the namespace to create the binding rule. If not provided in the JSON body, the value of thensURL query parameter or in theX-Consul-Namespaceheader will be used. If not provided, the namespace will be inherited from the request's ACL token or will default to thedefaultnamespace. Added in Consul 1.7.0.
»Sample Payload
»Sample Request
»Sample Response
»Read a Binding Rule
This endpoint reads an ACL binding rule with the given ID. If no binding rule exists with the given ID, a 404 is returned instead of a 200 response.
| Method | Path | Produces |
|---|---|---|
GET | /acl/binding-rule/:id | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|---|---|---|---|
YES | all | none | acl:read |
The corresponding CLI command is consul acl binding-rule read.
»Parameters
id(string: <required>)- Specifies the UUID of the ACL binding rule to read. This is required and is specified as part of the URL path.ns(string: "")Enterprise- Specifies the namespace to lookup the binding rule. This value can be specified as thensURL query parameter or theX-Consul-Namespaceheader. If not provided by either, the namespace will be inherited from the request's ACL token or will default to thedefaultnamespace. Added in Consul 1.7.0.
»Sample Request
»Sample Response
»Update a Binding Rule
This endpoint updates an existing ACL binding rule.
| Method | Path | Produces |
|---|---|---|
PUT | /acl/binding-rule/:id | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|---|---|---|---|
NO | none | none | acl:write |
The corresponding CLI command is consul acl binding-rule update.
»Parameters
ID(string: <required>)- Specifies the ID of the binding rule to update. This is required in the URL path but may also be specified in the JSON body. If specified in both places then they must match exactly.Description(string: "")- Free form human readable description of the binding rule.AuthMethod(string: <required>)- Specifies the name of the auth method that this rule applies to. This field is immutable so if present in the body then it must match the existing value. If not present then the value will be filled in by Consul.Selector(string: "")- Specifies the expression used to match this rule against valid identities returned from an auth method validation. If empty this binding rule matches all valid identities returned from the auth method. For example:BindType(string: <required>)- Specifies the way the binding rule affects a token created at login.BindType=service- The computed bind name value is used as anACLServiceIdentity.ServiceNamefield in the token that is created.BindType=node- The computed bind name value is used as anACLNodeIdentity.NodeNamefield in the token that is created.BindType=role- The computed bind name value is used as aRoleLink.Namefield in the token that is created. This binding rule will only apply if a role with the given name exists at login-time. If it does not then this rule is ignored.
BindName(string: <required>)- The name to bind to a token at login-time. What it binds to can be adjusted with different values of theBindTypefield. This can either be a plain string or lightly templated using HIL syntax to interpolate the same values that are usable by theSelectorsyntax. For example:Namespace(string: "")Enterprise- Specifies the namespace of the binding rule to update. If not provided in the JSON body, the value of thensURL query parameter or in theX-Consul-Namespaceheader will be used. If not provided, the namespace will be inherited from the request's ACL token or will default to thedefaultnamespace. Added in Consul 1.7.0.
»Sample Payload
»Sample Request
»Sample Response
»Delete a Binding Rule
This endpoint deletes an ACL binding rule.
| Method | Path | Produces |
|---|---|---|
DELETE | /acl/binding-rule/:id | application/json |
Even though the return type is application/json, the value is either true or false indicating whether the delete succeeded.
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|---|---|---|---|
NO | none | none | acl:write |
The corresponding CLI command is consul acl binding-rule delete.
»Parameters
id(string: <required>)- Specifies the UUID of the ACL binding rule to delete. This is required and is specified as part of the URL path.ns(string: "")Enterprise- Specifies the namespace of the binding rule to delete. This value can be specified as thensURL query parameter or theX-Consul-Namespaceheader. If not provided by either, the namespace will be inherited from the request's ACL token or will default to thedefaultnamespace. Added in Consul 1.7.0.
»Sample Request
»Sample Response
»List Binding Rules
This endpoint lists all the ACL binding rules.
| Method | Path | Produces |
|---|---|---|
GET | /acl/binding-rules | application/json |
The table below shows this endpoint's support for blocking queries, consistency modes, agent caching, and required ACLs.
| Blocking Queries | Consistency Modes | Agent Caching | ACL Required |
|---|---|---|---|
YES | all | none | acl:read |
The corresponding CLI command is consul acl binding-rule list.
»Parameters
authmethod(string: "")- Filters the binding rule list to those binding rules that are linked with the specific named auth method.ns(string: "")Enterprise- Specifies the namespace to list the binding rules for. This value can be specified as thensURL query parameter or theX-Consul-Namespaceheader. If not provided by either, the namespace will be inherited from the request's ACL token or will default to thedefaultnamespace. The namespace may be specified as '*' and then results will be returned for all namespaces. Added in Consul 1.7.0.
»Sample Request
»Sample Response
