Cannot fetch a consul kv into a nomad job

lalin · March 1, 2023, 7:56am

Hello, I’m trying to fetch a consul kv into a nomad job using this template:

template {
  data = <<EOF
    APP_NAME = "{{ key "app/test/APP_NAME" }}"
  EOF
    destination = "env/file.env"
    env = true
}

However, I get this error:

Missing: kv.block(app/test/APP_NAME)

When I try consul kv get app/test/APP_NAME this is the result:

consul

I also get this other error:

Template failed: kv.block(app/test/APP_NAME): Unexpected response code: 403 (rpc error making call: Permission denied: token with AccessorID '00000000-0000-0000-0000-000000000002' lacks permission 'key:read' on "app/test/APP_NAME")

But this is the consul block on my nomad config:

consul {
  address = "<consul-ip>:8500"
  token   = "<consul-token>"
  auto_advertise      = true
  server_auto_join    = true
  client_auto_join    = true
}

Are there other configurations on the setup that I might have missed?

seth.hoenig · March 1, 2023, 2:45pm

Hi @lalin it sounds like the Consul token is not set correctly in your Nomad config.

AccessorID '00000000-0000-0000-0000-000000000002'

Is the well-known ID of the Consul anonymous token: ACL Tokens | Consul | HashiCorp Developer which is used when no token is provided.

Some things to check

the consul block is at the top level in the Nomad agent config
the token value is actually set with a valid token
restart Nomad agent - making sure the configuration is applied
make sure a conflicting CONSUL_HTTP_TOKEN environment variable is not set

lalin · March 20, 2023, 9:24am

Thank you for this, I have resolved the issue!