Last active Jan 17, 2022
Consul OIDC Issue
  • Download Enterprise Consul (we have tried 1.9.6 - 1.10.1; make sure to get the +ent version) for your specific OS. We are testing on "darwin" (OSX) but the production environment will be linux.
  • Unzip into a "consul" working directory locally
  • Create a license.txt file with the consul enterprise license.
  • Create an empty data directory
  • Create a config.d directory with a single file (acl.hcl) with the following contents:

```hcl
acl = {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
}
```
  • BOOTSTRAP consul with the following command (adjust as necessary, but it should work):

```sh
export CONSUL_LICENSE_PATH=./license.txt
./consul agent -server -ui \
  -bootstrap \
  -node localhost \
  -bind= \
  -data-dir=./data \
```
  • Bootstrap ACL: ./consul acl bootstrap (you may want to "save" this output)
  • Set an environment variable with the SecretID from the above output (example: `export CONSUL_HTTP_TOKEN=b239d966-4f40-146c-1b13-3c60ec477d7b`)
  • Create an agent Policy in consul: ./consul acl policy create -name node_localhost -rules 'node "localhost" { policy = "write" } service_prefix "" { policy = "read" } '
  • Obtain agent token: ./consul acl token create -description "localhost agent token" -policy-name node_localhost
  • Assign the agent token to the agent: ./consul acl set-agent-token agent (SecretId from above command)
  • Optional: Note that the "Coordinate update blocked" error messages should stop, and verify that `consul members` looks somewhat like:

```
[tmcneely@local NEW]$ ./consul members
Node       Address         Status  Type    Build       Protocol  DC   Segment
localhost  alive   server  1.10.0+ent  2         dc1  <all>
```

(start of actual OIDC steps)

  • Create a read-only policy to consul: ./consul acl policy create -name read-only -rules 'service_prefix "" { policy="read" } node_prefix "" { policy="read" }'
  • Create a default-user role: ./consul acl role create -name default-user -policy-name read-only
  • Create an OIDC config file (easier than jamming it on the command line IMO), e.g. google.json; make sure to update the BoundAudiences, OIDCClientID and OIDCClientSecret to match the Google Cloud Console settings:

```json
{
  "VerboseOIDCLogging": true,
  "OIDCScopes": ["<scopes stripped from the page>"],
  "AllowedRedirectURIs": ["<redirect URIs stripped from the page>"],
  "BoundAudiences": ["<audiences stripped from the page>"],
  "ClaimMappings": {
    "email": "email",
    "name": "name"
  },
  "OIDCClientID": "4856(CENSORED)",
  "OIDCClientSecret": "6J79(CENSORED)Stq",
  "OIDCDiscoveryURL": ""
}
```
  • Add OIDC config to consul: ./consul acl auth-method create -name google -type oidc -max-token-ttl 15m -config @google.json
  • Create role binding: ./consul acl binding-rule create -method=google -bind-type=role -bind-name=default-user

TEST: http://localhost:8500/
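As an added check that is not part of the gist, the following Python linter reads a google.json in the shape used above and flags the configuration mistakes that most often break or weaken this auth method: a BoundAudiences list that does not contain the client ID (a Google ID token's aud claim is the client ID), claim mappings whose source claim has no backing scope, loose or non-HTTPS redirect URIs, a non-HTTPS discovery URL, and VerboseOIDCLogging left on. The sample config and all of its values are constructed placeholders; the scope-to-claim table reflects Google's ID token behaviour and is an assumption for other providers.

```python
import json

# Constructed sample in the shape of the gist's google.json; every value is a
# placeholder, not a real client ID, secret or redirect registration.
SAMPLE_GOOGLE_JSON = """{
  "VerboseOIDCLogging": true,
  "OIDCScopes": ["openid", "email", "profile"],
  "AllowedRedirectURIs": ["http://localhost:8500/ui/oidc/callback"],
  "BoundAudiences": ["placeholder-id.apps.googleusercontent.com"],
  "ClaimMappings": {"email": "email", "name": "name"},
  "OIDCClientID": "placeholder-id.apps.googleusercontent.com",
  "OIDCClientSecret": "placeholder-secret",
  "OIDCDiscoveryURL": "https://accounts.google.com"
}"""

# Google only puts these claims in the ID token when the matching scope was requested.
CLAIM_SCOPE = {"email": "email", "name": "profile"}


def lint_oidc_config(cfg: dict) -> list:
    """Return findings (strings) for a Consul OIDC auth-method config dict."""
    findings = []
    client_id = cfg.get("OIDCClientID", "")
    if client_id not in (cfg.get("BoundAudiences") or []):
        # aud in a Google ID token is the OAuth client ID; a mismatch fails every login.
        findings.append("BoundAudiences does not contain OIDCClientID")
    scopes = set(cfg.get("OIDCScopes") or [])
    for source in cfg.get("ClaimMappings") or {}:
        needed = CLAIM_SCOPE.get(source)
        if needed and needed not in scopes:
            findings.append(f"claim '{source}' needs scope '{needed}' in OIDCScopes")
    for uri in cfg.get("AllowedRedirectURIs") or []:
        local = uri.startswith("http://localhost:") or uri.startswith("http://localhost/")
        if "*" in uri or not (uri.startswith("https://") or local):
            findings.append(f"redirect URI should be exact and https (or localhost): {uri}")
    if not str(cfg.get("OIDCDiscoveryURL", "")).startswith("https://"):
        findings.append("OIDCDiscoveryURL must be the provider's https:// issuer URL")
    if cfg.get("VerboseOIDCLogging"):
        # Consul logs received tokens and claims with this on: debugging only.
        findings.append("VerboseOIDCLogging is enabled; turn it off after debugging")
    return findings


def lint_file_text(text: str) -> list:
    return lint_oidc_config(json.loads(text))


if __name__ == "__main__":
    for finding in lint_file_text(SAMPLE_GOOGLE_JSON):
        print("finding:", finding)
```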
