I could use some help with ACLs. I’m unable to create the initial bootstrap token. I attempted to do this directly on the lead server, and I’m following the docs from here: https://learn.hashicorp.com/tutorials/consul/access-control-setup-production
The error: Failed ACL bootstrapping: Unexpected response code: 403 (Permission denied: rpc error making call: ACL bootstrap no longer allowed (reset index: 16))
I found an old issue with a workaround here, but it was unsuccessful: https://github.com/hashicorp/consul/issues/5331
This is my global config: – I’m using the latest Helm chart…
What am I missing?
Hi! Did you create the acl_bootstrap_reset file? What was the error you got when attempting a bootstrap after that?
On the server consul-server-0, there is this directory:
/consul/data with the file: acl-bootstrap-reset
After running consul acl bootstrap … the error is the same:
Failed ACL bootstrapping: Unexpected response code: 403 (Permission denied: rpc error making call: ACL bootstrap no longer allowed (reset index: 16))
That’s odd. And the file contains just that number, and is readable by the account you’re using to run Consul?
Hmm, permissions all seem correct, maybe reinstall? Here is my env:
/consul/data # whoami
/consul/data # ls -lt
-rwxrwxrwx 1 root consul 3 Dec 3 21:41 acl-bootstrap-reset
-rw------- 1 root consul 48 Dec 2 23:13 acl-tokens.json
-rw-r--r-- 1 root consul 394 Dec 2 23:13 checkpoint-signature
-rw------- 1 root consul 36 Dec 2 23:13 node-id
drwxr-sr-x 3 root consul 4096 Dec 2 23:13 raft
drwx--S--- 2 root consul 4096 Dec 2 23:13 serf
drwxrws--- 2 root consul 16384 Dec 2 23:13 lost+found
/consul/data # cat acl-bootstrap-reset
Not sure how to proceed with this… I’m going to attempt a reinstall.
Where can I read about the acl_bootstrap_reset file?
Here are the instructions to reset the ACL so you can bootstrap it again.
I hope this helps.
An alternative to the acl-bootstrap-reset system is defining a token in the Consul server configuration file as acl.tokens.initial_management (or master, in Consul 1.10 and earlier).
Such a token will be installed whenever a Consul server with that configuration becomes leader.
Which method is easier for you to use will depend on how you manage your cluster.
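
The reset-file check discussed in this thread, as an added example that is not from any poster or from Consul's own tooling: it extracts the reset index from the bootstrap error, writes it to `acl-bootstrap-reset` in the data directory, and confirms the file holds exactly that number. The function names are hypothetical; the sample error and the `/consul/data` path are the ones quoted above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the consul CLI.

# Error text as quoted in the thread.
SAMPLE_ERROR='Failed ACL bootstrapping: Unexpected response code: 403 (Permission denied: rpc error making call: ACL bootstrap no longer allowed (reset index: 16))'

# Print the reset index found in a bootstrap error, or nothing if absent.
reset_index_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*(reset index: \([0-9][0-9]*\)).*/\1/p'
}

# Write the index into <data-dir>/acl-bootstrap-reset (run on the leader).
write_reset_file() {
    dir=$1
    idx=$2
    case $idx in
        ''|*[!0-9]*) echo "not a numeric reset index: '$idx'" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "no such data dir: $dir" >&2; return 1; }
    printf '%s\n' "$idx" > "$dir/acl-bootstrap-reset"
}

# Verify the file is readable and contains just the expected index.
check_reset_file() {
    file=$1/acl-bootstrap-reset
    want=$2
    [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 1; }
    got=$(tr -d '[:space:]' < "$file")
    if [ "$got" != "$want" ]; then
        echo "file holds '$got' but the error reports '$want'" >&2
        return 1
    fi
}

# Typical use on the leader, with the data dir from the thread:
#   idx=$(reset_index_from_error "$(consul acl bootstrap 2>&1)")
#   write_reset_file /consul/data "$idx" && check_reset_file /consul/data "$idx"
#   consul acl bootstrap
```

If the retry still fails, rerun the extraction on the new error text and compare its index with the one already in the file.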