consul.api.acl package

Submodules

Module contents

class consul.api.acl.AclLoginResult[source]

Bases: TypedDict

AccessorID: str
SecretID: str
Description: str
Roles: list[dict[str, str]]
ServiceIdentities: list[dict[str, Any]]
Local: bool
AuthMethod: str
CreateTime: str
Hash: str
CreateIndex: int
ModifyIndex: int
class consul.api.acl.ACL(agent)[source]

Bases: object

bootstrap(bootstrap_secret=None)[source]

Performs a one-time bootstrap of the ACL system, creating the initial management token. Only succeeds once per cluster; fails with ACLPermissionDenied if already bootstrapped. Requires no token. :param bootstrap_secret: Optional pre-generated SecretID for the bootstrap token

(supported on newer Consul versions; omit to let Consul generate one).

Returns:

The bootstrap (initial management) token information

Parameters:

bootstrap_secret (str | None)

Return type:

AclToken

login(auth_method, bearer_token, meta=None)[source]

Exchanges an auth method bearer token for a newly-created Consul ACL token. Requires no token; the bearer token itself is validated against auth_method. :param auth_method: The name of the auth method to authenticate against. :param bearer_token: The bearer token to present to the auth method (e.g. a Kubernetes

service account token or a signed JWT).

Parameters:
  • meta (dict[str, str] | None) – Optional key/value metadata to link to the created token.

  • auth_method (str)

  • bearer_token (str)

Returns:

The newly-created token information

Return type:

AclLoginResult

logout(token)[source]

Destroys a token created via login(). Requires no privileges beyond possessing token itself. :param token: The secret ID of the token to destroy (not the client’s default token). :return: True if the token was destroyed

Parameters:

token (str)

Return type:

bool