ACL unable to create initial bootstrap token

Hello,

I could use some help with ACLs. I’m unable to create the initial bootstrap token. I attempted to do this directly on the lead server, and I’m following the docs from here: https://learn.hashicorp.com/tutorials/consul/access-control-setup-production

The error: Failed ACL bootstrapping: Unexpected response code: 403 (Permission denied: rpc error making call: ACL bootstrap no longer allowed (reset index: 16))

I found an old issue with a workaround here, but it was unsuccessful: https://github.com/hashicorp/consul/issues/5331

This is my global config (I’m using the latest Helm chart):

global:
  enabled: true
  name: consul
  datacenter: dc1
  image: 'consul:1.8.4'
  imageEnvoy: envoyproxy/envoy-alpine:v1.14.2

  tls:
    enabled: true
    enableAutoEncrypt: true
    httpsOnly: true
    verify: true
    caCert:
      secretName: consul-ca-cert
      secretKey: tls.crt
    caKey:
      secretName: consul-ca-key
      secretKey: tls.key
  gossipEncryption:
    secretName: consul-gossip-encryption-key
    secretKey: key
  acls:
    manageSystemACLs: true

What am I missing?

Hi! Did you create the acl_bootstrap_reset file? What was the error you got when attempting a bootstrap after that?

Hello…

On the server consul-server-0, there is this directory:
/consul/data with the file: acl-bootstrap-reset

After running consul acl bootstrap … the error is the same:

Failed ACL bootstrapping: Unexpected response code: 403 (Permission denied: rpc error making call: ACL bootstrap no longer allowed (reset index: 16))

That’s odd. And the file contains just that number, and is readable by the account you’re using to run Consul?

Hmm, permissions all seem correct, maybe reinstall? Here is my env:

/consul/data # whoami
root

/consul/data # ls -lt
total 40
-rwxrwxrwx 1 root consul     3 Dec 3 21:41 acl-bootstrap-reset
-rw------- 1 root consul    48 Dec 2 23:13 acl-tokens.json
-rw-r--r-- 1 root consul   394 Dec 2 23:13 checkpoint-signature
-rw------- 1 root consul    36 Dec 2 23:13 node-id
drwxr-sr-x 3 root consul  4096 Dec 2 23:13 raft
drwx--S--- 2 root consul  4096 Dec 2 23:13 serf
drwxrws--- 2 root consul 16384 Dec 2 23:13 lost+found
/consul/data # cat acl-bootstrap-reset
16

Not sure how to proceed with this… I’m going to attempt a reinstall.

Where can I read about the acl_bootstrap_reset file?

Hi @EugenKon,

Here are the instructions to reset the ACL so you can bootstrap it again.

I hope this helps.

An alternative to the acl-bootstrap-reset system is defining a token in the Consul server configuration file as acl.tokens.initial_management (or master, in Consul 1.10 and earlier).

Such a token will be installed whenever a Consul server with that configuration becomes leader.

Which method is easier for you to use will depend on how you manage your cluster.
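The reset procedure discussed in this thread, as an added shell example that is not from the thread or from Consul itself: it pulls the reset index out of the captured bootstrap error, writes it to acl-bootstrap-reset in the leader's data directory, and confirms the file content matches. It assumes the data directory path is passed in by the caller and does not invoke the consul binary; unlike the world-writable (rwxrwxrwx) file in the listing above, it creates the file readable only by the account running Consul.

```shell
#!/bin/sh
# Added example, not Consul's own tooling. The data directory (e.g. /consul/data
# on the leader) is an assumption supplied by the caller.

# Extract N from "... ACL bootstrap no longer allowed (reset index: N)".
# Prints nothing when the message carries no reset index.
parse_reset_index() {
  printf '%s\n' "$1" | sed -n 's/.*reset index: \([0-9][0-9]*\).*/\1/p'
}

# Write the index as the bare number plus newline (3 bytes for "16", as in
# the listing above) into <data_dir>/acl-bootstrap-reset, mode 0600.
# Rejects anything that is not a plain decimal index.
write_reset_file() {
  data_dir=$1
  index=$2
  case $index in
    ''|*[!0-9]*) echo "write_reset_file: no valid reset index: '$index'" >&2; return 1 ;;
  esac
  # Subshell so the restrictive umask does not leak into the caller's shell.
  ( umask 077 && printf '%s\n' "$index" > "$data_dir/acl-bootstrap-reset" )
}

# Confirm the file holds exactly the index Consul reported (whitespace ignored),
# which is the check to run before retrying "consul acl bootstrap" on the leader.
check_reset_file() {
  content=$(cat "$1/acl-bootstrap-reset" 2>/dev/null | tr -d '[:space:]')
  [ "$content" = "$2" ]
}
```

The reset file is only honoured on the current leader's data directory, so run the write and check on that server, not an arbitrary follower.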