ACL's and consul-agents and exsiting Deployments

We have existing consul deployments running in aws that we’d like to retro fit with ACL’s. As I’ve toyed aroudn with varioius tutorials and online doc’s I’ve come to the following understanding.

  1. consul agents can configure themselves but this must be done with a static jwt via auto_config
  2. It’s possible to use aws-iam auth, but only for use with consul login (and not directly in the agent). Further using this is only possible as a series of cli/http commands. These cannot be configured via config files.
  3. Node identites gives a method for associating agents with properly configured policies, bu these are static, not dynamic, and the only option with dynamicly provissioned agents is to use prefix policies.

I’ve tried using consul login in an init container to grab a token via aws-iam auth before starting the main agent container? I’ve tried this in a toy environment and gotten 403 access restricted from the servers. Login when the agent is configured with a static token does seem to work (but at that point I’ve used a static token).

On the server i see this message: {"level":"error","message":"Request error","module":"agent.http","timestamp":"2024-02-14T19:46:01.176649Z","error":"Access is restricted","from":"","method":"POST","url":"/v1/acl/login"}

So my questions, in addition to asking if my understanding above is correct: is there a way to allow consul login to work un-authenticated? Or is there a better way to do all this (perferably i could combine aws-iam and auto_config).