Cannot update ACL token in a different datacenter

edevil · May 23, 2020, 7:36am

Hello.

I’m trying to update a token on a different datacenter. However, I’m getting an error mentioning that the token does not exist, which seems a bit misleading:

On DC2:

# CONSUL_HTTP_TOKEN=XXX consul acl token update -id=5eca344b-ca80-e800-23e3-c2ad49aacdf0 -policy-id=b1e764df-08d9-11a2-3a70-8a64bc423889 -merge-policies --datacenter=dc1
Failed to update token 5eca344b-ca80-e800-23e3-c2ad49aacdf0: Unexpected response code: 500 (rpc error making call: Cannot find token "5eca344b-ca80-e800-23e3-c2ad49aacdf0")

However, the token does exist:

# CONSUL_HTTP_TOKEN=XXX consul acl token list --datacenter=dc1 |grep 5eca344b-ca80-e800-23e3-c2ad49aacdf0
AccessorID:       5eca344b-ca80-e800-23e3-c2ad49aacdf0

We don’t have ACL replication configured and the Consul HTTP token I’m using is a master token on both DCs. Am I doing something wrong here?

Thanks.

jsosulska · May 26, 2020, 10:49pm

Hi @edevil,

Welcome to the forums, and thank you for posting!

If you are updating Tokens, it’s recommended to update them from the primary DC, as the primary dc is authoritative for the ACL system. Our ACLs guide goes over a little about the primary DC during the set up.

Hope this helps!

Topic		Replies	Views
ACL, legacy config to new Consul	1	282	November 11, 2022
Consul AccessorID is empty in one of remote clusters Consul	1	334	April 27, 2023
Consul Ingress Gateway ACL permissions on secondary DC Consul k8s , connect	5	1026	June 9, 2021
HCSEC-2020-11 - Consul Legacy ACL Permission Changes Not Propagated to Secondary Datacenters Security security-consul	0	4227	November 25, 2020
Error while setting up secondary datacenter with ACL configured Consul acl , consul	6	2662	September 8, 2022

Cannot update ACL token in a different datacenter

Related topics