Save 10-15% Register for HashiConf and save big when you buy 2+ tickets Get your passes
Nomad
Nomad Home

acl Block in Agent Configuration

Placementacl

This page provides reference information for configuring Nomad's Access Control List (ACL) system behavior in the acl block of a Nomad agent configuration. Enable ACL enforcement, change token replication and expiration values, and tune the cache for token, role, and policy TTLs.

Learn more about configuring Nomad's ACL system in the Secure Nomad with Access Control guide.

acl {
  enabled    = true
  token_ttl  = "30s"
  policy_ttl = "60s"
  role_ttl   = "60s"
}

acl Parameters

  • enabled (bool: false) - Specifies if ACL enforcement is enabled. All other ACL configuration options depend on this value. All agents should have the same value for this parameter. For example the Nomad command line will send requests for client endpoints such as alloc exec directly to Nomad clients whenever they are accessible. In this scenario, the client will enforce ACLs, so both servers and clients should have ACLs enabled.

  • token_ttl (string: "30s") - Specifies the maximum time-to-live (TTL) for cached ACL tokens. This does not affect servers, since they do not cache tokens. Setting this value lower reduces how stale a token can be, but increases the request load against servers. If a client cannot reach a server, for example because of an outage, the TTL will be ignored and the cached value used.

  • policy_ttl (string: "30s") - Specifies the maximum time-to-live (TTL) for cached ACL policies. This does not affect servers, since they do not cache policies. Setting this value lower reduces how stale a policy can be, but increases the request load against servers. If a client cannot reach a server, for example because of an outage, the TTL will be ignored and the cached value used.

  • role_ttl (string: "30s") - Specifies the maximum time-to-live (TTL) for cached ACL roles. This does not affect servers, since they do not cache roles. Setting this value lower reduces how stale a role can be, but increases the request load against servers. If a client cannot reach a server, for example because of an outage, the TTL will be ignored and the cached value used.

  • replication_token (string: "") - Specifies the Secret ID of the ACL token to use for replicating policies and tokens. This is used by servers in non-authoritative region to mirror the policies and tokens into the local region from the authoritative_region. Setting replication_token requires that ACLs have been bootstrapped in the authoritative region. Refer to Configure for multiple regions in the ACLs tutorial.

  • token_min_expiration_ttl (string: "1m") - Specifies the lowest acceptable TTL value for an ACL token when setting expiration. This is used by the Nomad servers to validate ACL tokens and ACL authentication methods.

  • token_max_expiration_ttl (string: "24h") - Specifies the highest acceptable TTL value for an ACL token when setting expiration. This is used by the Nomad servers to validate ACL tokens and ACL authentication methods.

Edit this page on GitHub