Consul ACL token rotation
I’m using Consul 1.13.7 with ACL tokens.
My Consul gets a request from Nomad to register a service. For that, Consul uses the default ACL token defined in its configuration.
My problem begins when the ACL token is regenerated and the previous token is no longer valid.
As far as I can see, Consul stores the token it used to register a service locally (seen under /var/lib/consul).
What’s the right behavior in the case of token generation?

I don’t think you’re meant to use default ACL tokens for any kind of “write” or “privileged” operation; actually, I’m not sure why the default token is there at all. It seems redundant to me, and I never set it. (Any permissions you want unauthenticated users to have can be assigned to the anonymous token instead.)

Services should register using a token explicitly provided with the service registration. This token must not be rotated for as long as that service instance is registered.
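As an added illustration of the explicit-token approach described above (this is not from the original reply; the service name, file names and token values are placeholders), here is the agent setting to avoid beside the per-service registration that replaces it:

```hcl
# agent.hcl (constructed example): the agent's own tokens.
# acl.tokens.default is what the agent sends for any request that carries
# no token of its own; that is the weak setting, so leave it unset or give
# it no write rights rather than a token that can register services.
acl {
  enabled        = true
  default_policy = "deny"
  tokens {
    agent = "<AGENT-TOKEN-PLACEHOLDER>"   # node:write for this agent only
    # default = "<do not put a privileged token here>"
  }
}

# web-policy.hcl: least-privilege policy for one service. Load it with:
#   consul acl policy create -name web-register -rules @web-policy.hcl
service "web" {
  policy = "write"
}

# web.hcl: service definition dropped into the agent's config directory.
# The "token" field is used for this registration and for the agent's
# ongoing sync of it, so rotating this token breaks the registration.
# Mint it without a TTL so it lives as long as the service instance:
#   consul acl token create -policy-name web-register
service {
  name  = "web"
  port  = 8080
  token = "<WEB-SERVICE-TOKEN-PLACEHOLDER>"
}
```

If you do rotate a service token, re-register the service with the new token rather than just deleting the old one, otherwise the agent keeps retrying the sync with a token that no longer exists.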

But how should that be configured via Nomad? A non-expiring token for the job?
Or should we create a unique token every time we deploy a new job?

I haven’t worked with Nomad at all, so all I can do is tell you what should happen from the perspective of a generic Consul client.