Cannot update ACL token in a different datacenter

Hello.

I’m trying to update a token on a different datacenter. However, I’m getting an error mentioning that the token does not exist, which seems a bit misleading:

On DC2:

# CONSUL_HTTP_TOKEN=XXX consul acl token update -id=5eca344b-ca80-e800-23e3-c2ad49aacdf0 -policy-id=b1e764df-08d9-11a2-3a70-8a64bc423889 -merge-policies --datacenter=dc1
Failed to update token 5eca344b-ca80-e800-23e3-c2ad49aacdf0: Unexpected response code: 500 (rpc error making call: Cannot find token "5eca344b-ca80-e800-23e3-c2ad49aacdf0")

However, the token does exist:

# CONSUL_HTTP_TOKEN=XXX consul acl token list --datacenter=dc1 |grep 5eca344b-ca80-e800-23e3-c2ad49aacdf0
AccessorID:       5eca344b-ca80-e800-23e3-c2ad49aacdf0

We don’t have ACL replication configured and the Consul HTTP token I’m using is a master token on both DCs. Am I doing something wrong here?

Thanks.

Hi @edevil,

Welcome to the forums, and thank you for posting!

If you are updating tokens, it’s recommended to update them from the primary DC, as the primary DC is authoritative for the ACL system. Our ACLs guide goes over a little about the primary DC during the setup.

Hope this helps!
