Auto_config vs. ACL token replication

Hi *,

I just hit an error with my new consul setup: I have four datacenters which are federated via mesh gateways. There’s (obviously) one primary_datacenter and three secondary datacenters. All consul agents are version 1.17.3.

Everything works fine until I try to activate auto_config in one of the secondary datacenters:

root@consul-0:/etc/consul# consul validate consul.hcl
Config validation failed: Enabling auto-config authorization (auto_config.authorization.enabled) in non primary datacenters with ACLs enabled (acl.enabled) requires also enabling ACL token replication (acl.enable_

I have not activated enable_token_replication in the secondary datacenters because it is not mentioned in the docs (ACL Setup for WAN Federated Datacenters | Consul | HashiCorp Developer). It is only used in the primary datacenter.

If I try to activate enable_token_replication in the secondary datacenter I can no longer access it and I see “ACL not found” errors in the logs.

Is it recommended to activate enable_token_replication in primary and secondary datacenters (why is it not mentioned in the docs)?

I remember that I had enable_token_replication set to true in primary and secondary datacenters in previous setups. But when I tried that in the current environment I could only set up ACL replication with enable_token_replication enabled on the primary.

Is there a workaround? Is this a bug? I’d like to auto-configure consul clients in any of the four datacenters locally, because I don’t want to access the primary datacenter from consul clients in the secondary datacenters, if possible.

Thank you for any hints.

Kind regards
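For readers working through the same validation error, the following is an added example of the configuration combination the quoted check asks for; it is not from the post above or from HashiCorp's documentation. It shows a server agent in a secondary datacenter with acl.enable_token_replication and auto_config.authorization.enabled both set, next to the client-side auto_config block that joins only the local secondary servers. The datacenter names, issuer, audience, public key and token values are placeholders. The one caveat that matters for security and for the "ACL not found" symptom: once token replication is on, the secondary's servers authenticate to the primary with acl.tokens.replication, so that token must exist in the primary and carry a policy with acl = "write"; a missing or revoked replication token is rejected by the primary rather than silently ignored.

```hcl
# Added example, not the post author's configuration.
# Server agent in a SECONDARY datacenter (placeholder names dc2 / dc1).
datacenter         = "dc2"
primary_datacenter = "dc1"
server             = true

acl {
  enabled        = true
  default_policy = "deny"

  # Required by the validation check quoted in the post: enabling
  # auto_config.authorization in a non-primary datacenter with ACLs on
  # also requires ACL token replication.
  enable_token_replication = true

  # Lets the agent persist tokens handed to it via
  # `consul acl set-agent-token replication <token>`, so the secret does
  # not have to live in this (often world-readable) config file.
  enable_token_persistence = true

  tokens {
    # Replication token minted in the primary with a policy granting
    # acl = "write". Placeholder value; prefer set-agent-token over
    # embedding it here.
    replication = "<REPLICATION_TOKEN_FROM_PRIMARY>"
  }
}

auto_config {
  authorization {
    enabled = true
    static {
      # Public key of the issuer whose JWTs clients present at join time
      # (placeholder PEM). Only tokens signed by this key are accepted.
      jwt_validation_pub_keys = ["<PEM_PUBLIC_KEY>"]
      bound_issuer            = "<trusted-issuer>"
      bound_audiences         = ["consul-dc2"]

      # Map the JWT claim at /node into the variable node_name ...
      claim_mappings = {
        "/node" = "node_name"
      }
      # ... and refuse any token whose claimed node does not match the
      # node name the joining client asserts, so one leaked intro token
      # cannot be reused for a different node.
      claim_assertions = [
        "value.node_name == \"${node}\""
      ]
    }
  }
}

# ---------------------------------------------------------------------
# Client agent in the same secondary datacenter. The intro token is read
# from a file with restrictive permissions, and server_addresses lists
# only the local dc2 servers, so the client never contacts the primary.
# (Separate file in practice; shown here for completeness.)
# ---------------------------------------------------------------------
# datacenter = "dc2"
# server     = false
#
# auto_config {
#   enabled          = true
#   intro_token_file = "/etc/consul/intro-token.jwt"   # mode 0600, placeholder path
#   server_addresses = ["consul-0.dc2.internal", "consul-1.dc2.internal", "consul-2.dc2.internal"]
# }
```

Run `consul validate` against the server file first; the check in the post fires at validation time, before any attempt to contact the primary, whereas a bad replication token only surfaces later as an ACL error in the server logs.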