Install the ACL Controller

This topic describes how to manually deploy the ACL controller to automatically provision ACL tokens for Consul on ECS. If you are using Terraform, refer to the Terraform Secure Configuration page to deploy the ACL controller.

Prerequisites

  • Your application tasks must include certain tags to be compatible with the ACL controller. Refer to the Task Tags section of the installation page.
  • You should be familiar with configuring Consul’s secure features, including how to create ACL tokens and policies. Refer to the following Learn Guides for an introduction and the ACL system documentation for more information.

Set Up Secrets

The ACL controller supports managing secrets in AWS Secrets Manager.

Before deploying the ACL controller for the first time, you must create the following secrets from Consul in AWS Secrets Manager.

SecretInitial ValueSample Secret Name
Consul server CA certSetmy-consul-ca-cert
Bootstrap ACL TokenSetmy-consul-bootstrap-token
Consul Client ACL TokenEmpty<PREFIX>-consul-client-token

The secret for the client token must be intially empty. The ACL controller creates the client token in Consul and stores the token in Secrets Manager. In the secret name, <PREFIX> should be replaced with the secret name prefix of your choice.

Secret Name Prefix

The ACL controller requires that the secrets it reads and writes are named with a unique prefix. The name prefix is used in the Task Role Policy to limit the ACL controller’s access within AWS Secrets Manager to only those secrets strictly needed by the ACL controller.

The name prefix should be unique among secrets in your AWS account. We recommend using a short (8 character) random string for the prefix.

NOTE: If you are using the ACL controller with multiple ECS clusters, each cluster requires its own instance of the ACL controller, and each instance of the ACL controller should have a unique name prefix.

Task Definition

You must create a task definition to deploy the ACL controller in your ECS cluster. The ACL controller must run in the same ECS cluster hosting your service mesh application tasks.

The following example shows how the task definition should be configured for the ACL controller.

  1. {
  2.   "family": "my-consul-acl-controller",
  3.   "networkMode": "awsvpc",
  4.   "containerDefinitions": [
  5.     {
  6.       "name": "acl-controller",
  7.       "image": "public.ecr.aws/hashicorp/consul-ecs:<CONSUL_ECS_VERSION>",
  8.       "essential": true,
  9.       "command": [
  10.         "acl-controller",
  11.         "-consul-client-secret-arn", "arn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-consul-client-token",
  12.         "-secret-name-prefix", "<PREFIX>",
  13.       ],
  14.       "secrets": [
  15.         {
  16.           "name": "CONSUL_HTTP_TOKEN",
  17.           "valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-bootstrap-token"
  18.         },
  19.         {
  20.           "name": "CONSUL_CACERT_PEM",
  21.           "valueFrom": "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-ca-cert"
  22.         }
  23.       ],
  24.       "environment": [
  25.         {
  26.           "name": "CONSUL_HTTP_ADDR",
  27.           "value": "<Consul server HTTP API address>"
  28.         }
  29.       ]
  30.     }
  31.   ]
  32. }

You must include the following top-level fields.

Field nameTypeDescription
familystringThe task family name of your choice.
networkModestringMust be awsvpc, which is the only network mode supported by Consul on ECS.

In the containerDefinitions list, include one container with the following fields.

Field nameTypeDescription
namestringThe container name, which should be acl-controller
imagestringThe consul-ecs image. Use our public AWS registry, public.ecr.aws/hashicorp/consul-ecs, to avoid rate limits.
commandlistMust be set as shown. The startup command for the ACL controller.
essentialbooleanMust be true to ensure the health of your application container affects the health status of the task.
secretslistMust have CONSUL_HTTP_TOKEN set to the ACL bootstrap token and CONSUL_CACERT_PEM set to the Consul server CA certificate.
environmentstringMust set the CONSUL_HTTP_ADDR environment variable to the address of the HTTP API of your Consul servers.

The following CLI options are required in the command field of the container definition.

FlagTypeDescription
-consul-client-secret-arnstringThe secret where the ACL controller will store the Consul client token.
-secret-name-prefixstringThe secret name prefix that you chose for this ACL controller.

ECS Service

Once the task definition is created, define an ECS service in order to start an ACL controller task.

The following example contains the recommended settings for the ACL controller. Refer to the ECS service documentation to complete the remaining details for your use case.

  1. {
  2.    "cluster": "<Your ECS cluster ARN>"
  3.    "desiredCount": 1,
  4.    "launchType": "FARGATE",
  5.    "serviceName": "my-acl-controller",
  6.    "taskDefinition": "<task definition ARN>",
  7.    ...
  8. }
Field nameTypeDescription
clusterstringSet to your ECS cluster name or ARN. This must be the same ECS cluster where your service mesh applications run.
desiredCountintegerMust be 1. Only one instance of the ACL controller should run per ECS cluster.
launchTypestringConsul on ECS supports both the FARGATE and EC2 launch types.
serviceNamestringThe service name of your choice.
taskDefinitionstringMust be set to the ACL controller task definition.

AWS IAM Roles

The ECS task and execution roles must be configured to allow the ACL controller access to the ECS API and Secrets Manager API.

Task Role Policy

The following example shows the policy needed for the ECS task role for the ACL controller. This grants the ACL controller permission to list tasks, describe tasks, and read and update secrets.

  1. {
  2.   "Version": "2012-10-17",
  3.   "Statement": [
  4.     {
  5.       "Effect": "Allow",
  6.       "Action": [
  7.         "ecs:ListTasks",
  8.         "ecs:DescribeTasks"
  9.       ],
  10.       "Resource": ["*"]
  11.     },
  12.     {
  13.       "Effect": "Allow",
  14.       "Action": [
  15.         "secretsmanager:GetSecretValue",
  16.         "secretsmanager:UpdateSecret"
  17.       ],
  18.       "Resource": [
  19.         "arn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-*"
  20.       ]
  21.     }
  22.   ]
  23. }

The following are the required permissions. You will need to substitute <PREFIX> with your chosen name prefix.

ActionResourceDescription
ecs:ListTasksAllow the ACL controller to watch for new tasks.
ecs:DescribeTasksAllow the ACL controller to retrieve details for new tasks.
secretsmanager:GetSecretValuearn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-Allow the ACL controller to read secrets with a name prefix.
secretsmanager:UpdateSecretarn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-Allow the ACL controller to store Consul ACL tokens in secrets with a name prefix.

Execution Role Policy

The following IAM policy document allows ECS to retrieve secrets needed to start the ACL controller task from AWS Secrets Manager, including the ACL bootstrap token.

The following example shows the policy needed for the execution role.

  1. {
  2.   "Version": "2012-10-17",
  3.   "Statement": [
  4.     {
  5.       "Effect": "Allow",
  6.       "Action": [
  7.         "secretsmanager:GetSecretValue"
  8.       ],
  9.       "Resource": [
  10.         "arn:aws:secretsmanager:us-west-2:000000000000:secret:my-consul-bootstrap-token",
  11.         "arn:aws:secretsmanager:us-west-2:000000000000:secret:<PREFIX>-consul-client-token"
  12.       ]
  13.     }
  14.   ]
  15. }