Hello,
I could use some help with ACLs. I'm unable to create the initial bootstrap token. I attempted to do this directly on the leader server, and I'm following the docs from here: https://learn.hashicorp.com/tutorials/consul/access-control-setup-production
The error: Failed ACL bootstrapping: Unexpected response code: 403 (Permission denied: rpc error making call: ACL bootstrap no longer allowed (reset index: 16))
I found an old issue with a workaround here, but it was unsuccessful: https://github.com/hashicorp/consul/issues/5331
This is my global config (I'm using the latest Helm chart):
global:
  enabled: true
  name: consul
  datacenter: dc1
  image: 'consul:1.8.4'
  imageEnvoy: envoyproxy/envoy-alpine:v1.14.2
  tls:
    enabled: true
    enableAutoEncrypt: true
    httpsOnly: true
    verify: true
    caCert:
      secretName: consul-ca-cert
      secretKey: tls.crt
    caKey:
      secretName: consul-ca-key
      secretKey: tls.key
  gossipEncryption:
    secretName: consul-gossip-encryption-key
    secretKey: key
  acls:
    manageSystemACLs: true
What am I missing?
jlj7
December 4, 2020, 7:50am
2
Hi! Did you create the acl_bootstrap_reset file? What was the error you got when attempting a bootstrap after that?
Hello…
On the server consul-server-0, there is this directory:
/consul/data with the file: acl-bootstrap-reset
After running consul acl bootstrap … the error is the same:
Failed ACL bootstrapping: Unexpected response code: 403 (Permission denied: rpc error making call: ACL bootstrap no longer allowed (reset index: 16))
jlj7
December 4, 2020, 10:41pm
4
That’s odd. And the file contains just that number, and is readable by the account you’re using to run Consul?
Hmm, permissions all seem correct. Maybe reinstall? Here is my env:
/consul/data # whoami
root
/consul/data # ls -lt
total 40
-rwxrwxrwx 1 root consul 3 Dec 3 21:41 acl-bootstrap-reset
-rw------- 1 root consul 48 Dec 2 23:13 acl-tokens.json
-rw-r--r-- 1 root consul 394 Dec 2 23:13 checkpoint-signature
-rw------- 1 root consul 36 Dec 2 23:13 node-id
drwxr-sr-x 3 root consul 4096 Dec 2 23:13 raft
drwx--S--- 2 root consul 4096 Dec 2 23:13 serf
drwxrws--- 2 root consul 16384 Dec 2 23:13 lost+found
/consul/data #
/consul/data # cat acl-bootstrap-reset
16
Not sure how to proceed with this… I'm going to attempt a reinstall.
Where can I read about acl_bootstrap_reset file?
Hi @EugenKon ,
Here are the instructions to reset the ACL so you can bootstrap it again.
I hope this helps.
maxb
August 19, 2023, 3:23pm
9
An alternative to the acl-bootstrap-reset system is defining a token in the Consul server configuration file as acl.tokens.initial_management (or master, in Consul 1.10 and earlier).
Such a token will be installed whenever a Consul server with that configuration becomes leader.
Which method is easier for you to use will depend on how you manage your cluster.
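As an added example (not code from the thread or from HashiCorp), the two recovery paths discussed above in shell: jlj7's reset-file route (read the reset index out of the bootstrap error and write it, as a bare number, to acl-bootstrap-reset in the leader's data directory, where the server process can read it) and maxb's alternative (an acl stanza that installs a fixed initial management token when the server becomes leader). The data directory path, the raft-subdirectory sanity check and the /dev/urandom token generation are assumptions; the error text is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for recovering a Consul cluster
# whose ACL system has already been bootstrapped once.
set -eu

# Extract the reset index from the error 'consul acl bootstrap' prints once
# bootstrapping has happened. Prints the integer; fails if none is present.
extract_reset_index() {
  # $1: error text captured from 'consul acl bootstrap'
  printf '%s\n' "$1" \
    | sed -n 's/.*reset index: \([0-9][0-9]*\).*/\1/p' \
    | head -n 1 \
    | grep .
}

# Write <data_dir>/acl-bootstrap-reset containing only the index and a newline.
# Must run on the current leader; the file has to be readable by the account
# the Consul server runs as (in the thread: owner root, group consul).
write_reset_file() {
  data_dir=$1
  index=$2
  case $index in
    '' | *[!0-9]*) echo "reset index must be an integer, got '$index'" >&2; return 1 ;;
  esac
  # Assumption: a server data dir contains a raft/ subdirectory. Guards against
  # writing the file into a client agent's data dir, where it does nothing.
  if [ ! -d "$data_dir/raft" ]; then
    echo "$data_dir does not look like a server data dir (no raft/)" >&2
    return 1
  fi
  f="$data_dir/acl-bootstrap-reset"
  printf '%s\n' "$index" > "$f"
  [ -r "$f" ] || { echo "cannot read back $f" >&2; return 1; }
  printf '%s\n' "$f"
}

# Generate a UUID-formatted token from /dev/urandom (assumption: format only,
# no version bits set; Consul ACL secret IDs are UUID-shaped).
generate_uuid_token() {
  hex=$(od -An -tx1 -N16 /dev/urandom | tr -d ' \n')
  printf '%s\n' "$hex" \
    | sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
}

# Render the server-config alternative: acl.tokens.initial_management is the
# key named in the thread for Consul 1.11+; use "master" on 1.10 and earlier.
render_initial_management_config() {
  token=$1
  cat <<EOF
acl {
  enabled        = true
  default_policy = "deny"
  tokens {
    initial_management = "$token"
  }
}
EOF
}

# Usage (guarded so the functions can be sourced without side effects):
#   sh this.sh --reset /consul/data "$(consul acl bootstrap 2>&1 || true)"
#   sh this.sh --config
case "${1:-}" in
  --reset)
    idx=$(extract_reset_index "$3")
    write_reset_file "$2" "$idx"
    echo "now re-run: consul acl bootstrap" ;;
  --config)
    render_initial_management_config "$(generate_uuid_token)" ;;
esac
```

The reset file only lets one new bootstrap happen; the resulting management token is still the one that must be stored securely, and the file is consumed by the leader, so writing it on a follower or on a client agent has no effect. With the config alternative the token value is as sensitive as the bootstrap token itself, so it belongs in whatever secret store feeds the server configuration, not in a values file checked into source control.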