alpacon token acl
The acl command allows you to configure access control for API tokens, specifying which commands can be executed by each token. It supports creating, listing, and modifying ACL rules to fine-tune command execution permissions based on your security requirements.
```
alpacon token acl [flags]
alpacon token acl [command]
```
Options
```
  -h, --help   help for acl
```
How ACLs work
Token ACLs control which shell commands a token may execute on remote servers when a command is passed directly (e.g., `alpacon websh my-server "command"`) or run via `exec`. Each ACL rule specifies one command pattern that the token is allowed to run. Interactive websh sessions are not restricted by command ACLs.
```shell
# Allow a specific command (exact match)
alpacon token acl add --token=my-token --command="whoami"

# Allow a command with any arguments (wildcard)
alpacon token acl add --token=my-token --command="systemctl status *"

# Allow npm with any subcommand and arguments
alpacon token acl add --token=my-token --command="npm *"
```
For example, to run `alpacon websh my-server "pm2 restart app"`, the token needs an ACL rule for `pm2 restart *`.
Wildcard patterns
Use `*` as a wildcard to match any arguments:

| ACL rule | Matches | Does not match |
|---|---|---|
| `whoami` | `whoami` (exact) | `whoami --help` |
| `echo *` | `echo "hello"`, `echo foo bar` | — |
| `systemctl status *` | `systemctl status nginx`, `systemctl status app` | `systemctl restart nginx` |
| `docker compose *` | `docker compose up -d`, `docker compose ps` | `docker run nginx` |

Without a wildcard, the ACL only matches the exact command string. Add `*` to allow variable arguments.
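The following is an added Python illustration, not part of the Alpacon documentation or CLI code: it reproduces the matching behaviour the table above describes and returns which rule authorized a command, which is what you would want in an audit log. The token-by-token semantics, whitespace splitting, and the choice that a trailing `*` also accepts zero arguments are assumptions about the server-side matcher, not documented behaviour.

```python
# Constructed rule set modelled on the wildcard table above (not a real token's ACL).
ACL_RULES = ["whoami", "echo *", "systemctl status *", "docker compose *"]


def rule_matches(rule: str, command: str) -> bool:
    """Return True if a single ACL rule allows `command`.

    Assumed semantics (my reading of the table, not Alpacon's implementation):
    both strings are split on whitespace and compared token by token; a `*`
    token in the rule matches everything from that position on (the page only
    shows trailing wildcards), and a rule without `*` matches only the exact
    command string. Under this reading `echo *` also allows a bare `echo`.
    """
    rule_tokens = rule.split()
    cmd_tokens = command.split()
    for i, tok in enumerate(rule_tokens):
        if tok == "*":
            return True  # wildcard swallows all remaining arguments
        if i >= len(cmd_tokens) or cmd_tokens[i] != tok:
            return False  # literal token missing or different
    # Every rule token matched literally: allow only if nothing extra follows.
    return len(cmd_tokens) == len(rule_tokens)


def authorizing_rule(command: str, rules=ACL_RULES):
    """Return the first rule that permits `command`, or None if it is denied.

    Returning the rule (rather than a bare bool) lets a caller record which
    ACL entry granted execution, which is the detail an audit trail needs.
    """
    for rule in rules:
        if rule_matches(rule, command):
            return rule
    return None


def is_allowed(command: str, rules=ACL_RULES) -> bool:
    return authorizing_rule(command, rules) is not None


if __name__ == "__main__":
    for cmd in ["whoami", "whoami --help", "systemctl status nginx",
                "systemctl restart nginx", "docker run nginx", "pm2 restart app"]:
        print(f"{cmd!r:30} -> {authorizing_rule(cmd)!r}")
```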
Examples
List all ACLs for a token:

```shell
alpacon token acl ls my-token
```

Add a new ACL rule:

```shell
alpacon token acl add --token=my-token --command="systemctl restart *"
```

Delete an ACL rule:

```shell
alpacon token acl delete 42
```