I’ve read the ACL guides on Hashicorp learn and the docs on configuring Consul and I still don’t really get it, and the things I have applied don’t seem to be working.
I have two agents in my cluster both capable of being clients and servers. Thus I want both to have unlimited permissions to do whatever they want.
Should I just apply the built-in global-management policy or should I roll my own policies? I tried rolling my own, which is:
```hcl
acl = "write"
# cluster-wide Consul information
operator = "write"
# node API (the original rule here was a second agent_prefix block; the node
# catalog is governed by node/node_prefix rules, which an agent token needs)
node_prefix "" {
  policy = "write"
}
# service API (service_prefix "" is the catch-all in the 1.4+ rule syntax,
# matching the other *_prefix rules below)
service_prefix "" {
  policy = "write"
}
# key/value API – https://www.consul.io/api/kv.html
key_prefix "" {
  policy = "write"
}
# agent API – https://www.consul.io/api/agent.html
agent_prefix "" {
  policy = "write"
}
# event API – https://www.consul.io/api/event.html
event_prefix "" {
  policy = "write"
}
```
And I created tokens based on that policy using
```shell
consul acl token create -description "consul-server-one agent token" \
  -policy-name agent-trusted
```
But in my consul logs on each agent all I see are things like
```text
[ERR] agent: failed to sync remote state: ACL not found
registration blocked by ACLs
```
And the like.
Here are my agent configurations:
```hcl
primary_datacenter = "TEST-1" # needed for ACLs
datacenter = "TEST-1"
data_dir = "/opt/consul"
disable_keyring_file = true # only use what we have in `encrypt`
encrypt = "my_key_here"
performance {
  raft_multiplier = 1
}
retry_join = [
  "IP_1",
  "IP_2"
]
acl {
  enabled = true
  default_policy = "deny" # change to `deny` after bootstrapping
  down_policy = "extend-cache"
  enable_token_persistence = true
  tokens {
    # the token is a string and must be quoted in HCL
    agent = "EACH_AGENTS_SECRET_TOKEN_ID_HERE"
  }
}
```
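As an added example (not code from the post above or from HashiCorp), the script below does the check a practitioner would want before blaming the cluster: it lints a policy file for the write rules an agent token needs (`node_prefix`, `service_prefix`, `agent_prefix`), emits a policy that has them, and only then creates the policy and token and hands the token to the running agent with `consul acl set-agent-token`. The policy name `agent-trusted`, the temp file path, and a `consul` binary with `CONSUL_HTTP_ADDR` and a management `CONSUL_HTTP_TOKEN` in the environment are assumptions; the `apply_agent_token` step is the only part that talks to Consul.

```shell
#!/usr/bin/env sh
# Added example, not from the original post. Assumes `consul` on PATH and
# CONSUL_HTTP_ADDR / CONSUL_HTTP_TOKEN (a management token) exported for
# apply_agent_token; the policy name and file path are made up.

# Emit a policy that covers node registration, service sync and the agent API.
agent_policy_rules() {
  cat <<'EOF'
# node API: register this node in the catalog
node_prefix "" {
  policy = "write"
}
# service API: anti-entropy sync needs to read and register services
service_prefix "" {
  policy = "write"
}
# agent API
agent_prefix "" {
  policy = "write"
}
EOF
}

# Return 0 when the policy file in $1 has a `<rule> "" { policy = "write" }`
# block for every rule type an agent token needs; otherwise list the missing
# ones on stderr and return 1. Plain awk so it runs under POSIX sh.
check_policy_covers() {
  file="$1"
  missing=""
  for rule in node_prefix service_prefix agent_prefix; do
    awk -v r="$rule" '
      $1 == r && $2 == "\"\""        { inblock = 1 }
      inblock && /policy *= *"write"/ { found = 1 }
      /^[[:space:]]*}/                { inblock = 0 }
      END { exit found ? 0 : 1 }
    ' "$file" || missing="$missing $rule"
  done
  if [ -n "$missing" ]; then
    echo "policy $file lacks write rules for:$missing" >&2
    return 1
  fi
  return 0
}

# Create the policy and a token for the agent named in $1, then hand the
# SecretID to the local agent (persisted on disk because the config sets
# enable_token_persistence = true).
apply_agent_token() {
  node="$1"
  rules=$(mktemp)
  agent_policy_rules > "$rules"
  check_policy_covers "$rules" || return 1
  consul acl policy create -name agent-trusted -rules @"$rules"
  secret=$(consul acl token create -description "$node agent token" \
             -policy-name agent-trusted -format=json \
           | sed -n 's/.*"SecretID": *"\([^"]*\)".*/\1/p')
  rm -f "$rules"
  consul acl set-agent-token agent "$secret"
}
```

Run the lint against the file you pass to `consul acl policy create -rules`; an `ACL not found` in the agent log means the SecretID the agent holds is not one the servers know (typo, unquoted value, or a token created in another datacenter), while `registration blocked by ACLs` means the token exists but its policy lacks the `node`/`service` write rules the check above enforces.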