Confused over applying basic ACLs

I’ve read the ACL guides on HashiCorp Learn and the docs on configuring Consul and I still don’t really get it, and the things I have applied don’t seem to be working.

I have two agents in my cluster both capable of being clients and servers. Thus I want both to have unlimited permissions to do whatever they want.

Should I just apply the inherent global-management policy or should I roll my own policies? I tried rolling my own which is:

# ACL system itself
acl = "write"

# cluster-wide Consul information
operator = "write"

# node API
agent_prefix "" {
  policy = "write"
}

# service API
service "" {
  policy = "write"
}

# key/value API
key_prefix "" {
  policy = "write"
}

# agent API
agent_prefix "" {
  policy = "write"
}

# event API
event_prefix "" {
  policy = "write"
}

And I created tokens based on that policy using

consul acl token create -description "consul-server-one agent token" \
  -policy-name agent-trusted

But in my consul logs on each agent all I see are things like

[ERR] agent: failed to sync remote state: ACL not found
registration blocked by ACLs

And the like.

Here are my agent configurations

primary_datacenter = "TEST-1" # needed for ACLs
datacenter = "TEST-1"
data_dir = "/opt/consul"
disable_keyring_file = true # only use what we have in `encrypt`
encrypt = "my_key_here"
performance {
  raft_multiplier = 1
retry_join = [
acl {
  enabled = true
  default_policy = "deny" # change to `deny` after bootstrapping
  down_policy = "extend-cache"
  enable_token_persistence = true
  tokens {

Hi Jordan,

It’s generally better to create custom policies for tokens you’ll want to rotate or update, rather than using global-management.

It looks like your policy is missing node_prefix. The ACL rules page for node says: “Agents need to be configured with an acl.tokens.agent with at least “write” privileges to their own node name in order to register their information with the catalog.”

I recently wrote two new ACL guides: 1) to help users discover the minimum required privileges 2) troubleshooting the ACL system

Let me know if you find either useful!
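To make the reply's point concrete, here is an added example (not from the thread above and not HashiCorp's own code) that renders an agent policy containing the node rule the original policy lacked, creates a token from it, and hands that token to the local agent. It assumes consul and jq are in PATH, that CONSUL_HTTP_TOKEN holds a token able to manage ACLs (for example the bootstrap token), and it reuses the question's acl.tokens.agent / enable_token_persistence setup; the node name consul-server-one is hypothetical. The node rule is scoped to the agent's own node name, which is the least the catalog sync needs; since the question wants both agents fully privileged, the comment notes the node_prefix "" form as the alternative.

```shell
#!/bin/sh
# Added example: build and apply a Consul agent-token policy that includes a
# node rule, which the reply above identifies as the missing piece.
# Assumptions (not from the original thread): consul and jq are in PATH,
# CONSUL_HTTP_TOKEN can manage ACLs, and node names are hypothetical.

# Render ACL rules for one agent. The node rule is limited to that agent's
# own node name; replace it with node_prefix "" if every agent should be
# allowed to write every node. The other rules mirror the question's policy,
# with service_prefix "" so that every service name is covered.
render_agent_policy() {
  node_name="$1"
  cat <<EOF
# ACL system itself
acl = "write"

# cluster-wide Consul information
operator = "write"

# node API: write on this agent's own node name so it can sync with the catalog
node "${node_name}" {
  policy = "write"
}

# agent API
agent_prefix "" {
  policy = "write"
}

# service API (prefix form covers every service name)
service_prefix "" {
  policy = "write"
}

# key/value API
key_prefix "" {
  policy = "write"
}

# event API
event_prefix "" {
  policy = "write"
}
EOF
}

# Create the policy and a token for one agent, then give the token to the local
# agent as its acl.tokens.agent. Prints the token's SecretID. Policy creation
# fails if a policy of the same name already exists, so rename or delete first.
apply_agent_policy() {
  node_name="$1"
  policy_name="agent-trusted-${node_name}"
  rules_file="/tmp/${policy_name}.hcl"
  render_agent_policy "$node_name" > "$rules_file"
  consul acl policy create -name "$policy_name" -rules "@${rules_file}" >/dev/null
  secret=$(consul acl token create \
    -description "${node_name} agent token" \
    -policy-name "$policy_name" -format=json | jq -r .SecretID)
  # Stored on disk by the agent because enable_token_persistence = true.
  consul acl set-agent-token agent "$secret" >/dev/null
  echo "$secret"
}

# Usage (run on each agent with its own node name):
#   apply_agent_policy consul-server-one
```

After running this on an agent, the "ACL not found" and "registration blocked by ACLs" lines should stop, because the agent now presents a token whose policy can write its own node entry; if they persist, check that the node name in the rule matches the agent's actual node_name.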