HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Cluster access permissions

Warning

HashiCorp will deprecate HCP Consul Central on November 6, 2024. Learn more.

This page explains concepts associated with the read/write permissions granted to Consul by the global-management-token when linking a self-managed Community or Enterprise cluster to HCP Consul Central. The page also summarizes the differences between using self-managed Community and Enterprise clusters linked to HCP Consul Central with read/write or read-only access, and provides details about Consul ACL policies that provide these access permissions.

Background

When you link a self-managed Consul cluster with HCP Consul Central, HashiCorp's hosted management plane service, your cluster uses an ACL token to grant access. The management plane stores this token in a dedicated Vault environment for your organization and uses it to access your self-managed Community or Enterprise cluster when providing observability and lifecycle management operations through dashboards in the HCP portal.

During the cluster linking process, HCP Consul Central prompts you to choose between granting HCP Consul Central read/write or read-only access to your cluster. Your decision determines the ACL policy attached to the token that HCP Consul Central uses to access your self-managed Community or Enterprise cluster. You can change a cluster's read-only permissions to read/write using HCP Consul Central. However, to convert a read/write cluster to read-only, you must unlink the cluster from HCP Consul Central and then re-link it. For details on this process, refer to Manage HCP Consul Central's cluster access permissions.

For more information about HCP Consul Central and the benefits it provides, refer to HCP Consul Central. For more information about how the linking process works, refer to Link self-managed Community and Enterprise clusters with HCP Consul Central overview.

Permission comparison

The following table describes the differences in HCP Consul Central features that are available for self-managed Community and Enterprise clusters when linked with read/write permissions and read-only permissions.

Permission levelConsul Central UI ViewConsul Central UI OperationsObservability dashboardsCluster peering workflowVersion upgradesEditable permissions while linked
Read/write
Read-only

ACL policy comparison

Clusters with read/write access permissions use a token with the global-management policy attached it. This policy, which is also attached to the ACL bootstrap token, contains write permissions for your entire cluster.

Clusters with read-only access permissions use a token with the builtin/global-read-only policy attached it. This policy contains the following ACL rules:

mesh = "read"
peering = "read"
operator = "read"

agent_prefix "" {
  policy = "read"
}

node_prefix "" {
  policy = "read"
}

service_prefix "" {
  policy = "read"
}

For more information about the ACL system and the access it provides, refer to Access Control List (ACL) Overview in the Consul documentation.