Developing and Debugging Connect Services

    Restricting access to services only via Connect ensures that the only way to connect to a service is through valid authorization of the intentions. This can extend to developers and operators, too.

        $ consul connect proxy \
            -service operator-mitchellh \
            -upstream postgresql:8181

    This works because the source -service does not need to be registered in the local Consul catalog. However, to retrieve a valid identifying certificate, the ACL token must have service:write permissions for that service name. The same mechanism can serve as a sort of “debug service” that represents a person: in the example above, the proxy is identifying as operator-mitchellh.
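    The token behind such a debug identity decides which service names its holder can claim, so its scope matters as much as the intention does. The following is an added example, not taken from the Consul documentation: the three file names are hypothetical, and it assumes a Consul version that supports service-intentions config entries and that the proxy needs read access to discover the upstream.

```hcl
# Added example: three separate files shown together; file names are hypothetical.

# --- too-broad.hcl (avoid) ------------------------------------------------
# service:write on every name lets the token holder request a Connect
# certificate for ANY service identity, for example by starting the proxy
# with "-service web" and inheriting whatever intentions allow for web.
service_prefix "" {
  policy = "write"
}

# --- operator-mitchellh.hcl (scoped) --------------------------------------
# Only the personal debug identity can be claimed with this token.
service "operator-mitchellh" {
  policy = "write"
}
# Read-only access so the local proxy can resolve the upstream's instances
# (assumed to be required for discovery in this example).
service "postgresql" {
  policy = "read"
}
node_prefix "" {
  policy = "read"
}

# --- intention-postgresql.hcl (service-intentions config entry) -----------
# Authorizes the debug identity, and nothing else, to reach postgresql.
Kind = "service-intentions"
Name = "postgresql"
Sources = [
  {
    Name   = "operator-mitchellh"
    Action = "allow"
  }
]
```

    Because the operator connects under a dedicated identity, removing that one source from the intention revokes the person's access without touching the intentions of real services.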

        >

    This psql session is now happening through our local proxy via an authorized mutual TLS connection to the PostgreSQL service in our Consul catalog.

    For example, if you have an ACL token that allows service:write for web and you want to connect to the postgresql service as “web”, you can start a proxy like so:

        $ consul connect proxy \
            -service web \
            -upstream postgresql:8181