How do I create a read-only ACL for Consul so that Datadog can monitor it?


I have a 3-node Consul setup. I've bootstrapped the ACL system as per their docs.

I wish to monitor it with Datadog. The docs for Datadog's Consul integration do not call out the need for an ACL token, so the Datadog agent gets this error when trying to access Consul:

403 Client Error: Forbidden for url: http://localhost:8500/v1/agent/self

I created a policy (readonly-policy.hcl) with the following rules:

agent "" {
  policy = "read"
}
key_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}

and then created a token for that policy, and added acl_token to the Datadog agent's Consul configuration like so:

init_config:
  service: consul

instances:
  ## @param url - string - required
  ## Where your Consul HTTP server lives,
  ## point the URL at the leader to get metrics about your Consul cluster.
  ## Use HTTPS instead of HTTP if your Consul setup is configured to do so.
  #
  - url: http://localhost:8500
    acl_token: REDACTED

logs:
  - type: file
    path: /var/log/consul_server.log
    source: consul
    service: consul

But I'm still encountering the error.

If I set acl_token to the bootstrap management token I created, it does work (Datadog can collect data from Consul), but I'd rather have Datadog using a more restricted token just in case.

What rule(s) am I missing?


fury:

This rule set appears to allow the necessary read operations.

# Read access to every agent endpoint (covers /v1/agent/self, which returned 403)
agent_prefix "" {
  policy = "read"
}
# "operator" is a single-value rule in Consul's policy syntax (there is no operator_prefix)
operator = "read"
key_prefix "" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
acl = "read"
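To confirm that a token built from a rule set like the one above is both sufficient for the Datadog check and still read-only, here is an added Python probe; it is not code from the question, the answer, Consul or Datadog. It assumes the Consul URL from the question's config, an ACL default policy of deny, and a representative set of read endpoints the Datadog check is assumed to call; the KV key name is constructed.

```python
"""Probe a Consul ACL token: every read endpoint must answer 200, every
mutating call must be refused with 403. Constructed example, not the
page's own code; the endpoint list and URL are assumptions."""
import sys
import urllib.error
import urllib.request

CONSUL_URL = "http://localhost:8500"  # assumption: same URL as the Datadog config

# Read endpoints the Datadog check is assumed to call; each must return 200.
READ_ENDPOINTS = [
    ("GET", "/v1/agent/self"),  # the call that produced the 403 in the question
    ("GET", "/v1/status/leader"),
    ("GET", "/v1/catalog/nodes"),
    ("GET", "/v1/catalog/services"),
    ("GET", "/v1/health/state/any"),
    ("GET", "/v1/coordinate/nodes"),
]
# Mutating calls a read-only token must be denied (expected 403).
# Constructed key name; with a read-only token the write is rejected, nothing is stored.
WRITE_ENDPOINTS = [("PUT", "/v1/kv/datadog-acl-probe")]


def probe(method, path, token, base=CONSUL_URL):
    """Issue one request with the token and return the HTTP status code."""
    body = b"probe" if method == "PUT" else None
    req = urllib.request.Request(base + path, method=method, data=body)
    req.add_header("X-Consul-Token", token)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def evaluate(results):
    """results maps (method, path) -> status. Returns findings; an empty list
    means the token is sufficient for the check and cannot write."""
    findings = []
    for method, path in READ_ENDPOINTS:
        status = results.get((method, path))
        if status != 200:
            findings.append(f"read denied: {method} {path} -> {status}")
    for method, path in WRITE_ENDPOINTS:
        status = results.get((method, path))
        if status != 403:
            findings.append(f"write NOT denied: {method} {path} -> {status}")
    return findings


def check_token(token, base=CONSUL_URL):
    """Probe every endpoint with the token and return the findings list."""
    endpoints = READ_ENDPOINTS + WRITE_ENDPOINTS
    return evaluate({(m, p): probe(m, p, token, base) for m, p in endpoints})


if __name__ == "__main__":
    for line in check_token(sys.argv[1]) or ["OK: token is read-only and sufficient"]:
        print(line)
```

Run it as `python probe.py <token>`; any "read denied" line names a rule still missing from the policy, and any "write NOT denied" line means the token is broader than read-only.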