ACL - Consul Vault configuration

I’m configuring a Vault deployment for the first time, backed with two Consul nodes as storage.

Following the tutorials, I’ve configured ACLs and the Consul servers seem happy.
My Vault machine is configured with a Consul node as an agent, and I’ve added an ACL to allow the Vault application access (Vault with Consul Storage Deployment Guide | Vault - HashiCorp Learn).

My question concerns the acl write permission added to the Consul servers, as per: Secure Consul with Access Control Lists (ACLs) | Consul - HashiCorp Learn

At present, Consul on the Vault instance shows “Coordinate update blocked by ACL” errors, due to this missing ACL.

Is this required on Consul ‘agents’ such as the Vault instance? Or is my Vault instance misconfigured such that it needs this permission from Consul?


Each Consul client agent should be provided a token that grants permission for the agent to register itself with the Consul servers and perform various internal operations.

You can create the tokens and the associated policies for each agent separately, as instructed in the tutorial, or you can use ACL node identities, which allow you to create a token with the necessary policy rules in a single command. For example,

$ consul acl token create -node-identity=examplenode1:<dc_name>

The resulting token can then be configured for the agent using the consul acl set-agent-token command.
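As an added illustration (not part of the reply above), the policy rules that the node identity in that command grants, alongside the agent configuration that consumes the resulting token; it shows two separate files and assumes the agent's node name is examplenode1, the datacenter is dc1, and the SecretID is a placeholder:

```hcl
# --- File 1: policy rules equivalent to node identity "examplenode1:dc1" ---
# (added example; assumes node name examplenode1 in datacenter dc1)

# Write is scoped to the agent's own node entry only. This is what the agent
# needs to register itself and send coordinate updates; it cannot modify any
# other node, which keeps the token least-privilege.
node "examplenode1" {
  policy = "write"
}

# Read on all services lets the agent resolve catalog data it needs internally.
service_prefix "" {
  policy = "read"
}

# --- File 2: agent configuration on the Vault machine (e.g. agent.hcl) ---
# The "agent" token is the one the Consul client uses for its own node
# operations. The value below is a placeholder; use the SecretID returned by
# `consul acl token create`, or set it at runtime with
# `consul acl set-agent-token agent <SecretID>` to keep it out of the file.
acl {
  enabled        = true
  default_policy = "deny"
  tokens {
    agent = "<SECRET_ID_FROM_TOKEN_CREATE>"
  }
}
```

With this token in place the “Coordinate update blocked by ACL” message should stop, because coordinate updates are a node write on the agent's own node.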