How to automate `consul acl set-agent-token`

I’m setting up consul 1.6.x and enabling ACLs. I’m using puppet to create policies and tokens for every agent.

I find that I still need to ssh into every node and run

```
token=yyyyy
export CONSUL_HTTP_TOKEN=xxxxxx
consul acl set-agent-token default $token
```

How can I automate this so that I don’t have to manually run consul acl set-agent-token on every node?


Idea 1:

The config file allows for you to specify a default token like so:

```
"acl": {
  "tokens": {
    "default": "1234"
  }
}
```

However that would require knowing the secret_id of the token, which I don’t know until after the tokens are created.

Idea 2:

Another option would be to use ansible/salt or bash to modify the contents of /opt/consul/acl-tokens.json

That has downsides since it would require running that script after every node is provisioned.

```
{"default":"xxxx"}
```

What other strategies have people used to automate consul acl set-agent-token ?

@spuder Both of your solutions are completely valid.

For your first idea, Consul as of version 1.5.0 allows specifying the token’s secret ID during creation for this very use case. So you could generate some UUID, drop it in the config and then after the fact create the token.

For the second idea, as of v1.4.3 the ACL token configurations are reloadable so you could push something down and run consul reload.

If you really want to minimize future ssh/ansible/salt etc. then I think you will just want to set the tokens in the config and create them after the fact.

1 Like
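
The approach from the reply above (choose the secret ID first, put it in the agent config, create the token afterwards), as an added example that is not part of the original posts. The helper names, file path and policy name are assumptions; the `-secret` flag needs Consul 1.5.0 or later.

```bash
# Added example: pre-seed an agent's default token, then register it in Consul.
# Helper names, paths and the policy name are hypothetical.

# Generate a random lowercase UUID to use as the token's SecretID.
new_secret_id() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen | tr '[:upper:]' '[:lower:]'
  else
    cat /proc/sys/kernel/random/uuid
  fi
}

# Return 0 only for a canonical lowercase UUID (-secret must be a UUID).
is_uuid() {
  # Reject any character outside hex digits and dashes, newlines included.
  case $1 in *[!0-9a-f-]*) return 1 ;; esac
  printf '%s\n' "$1" |
    grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# Write the agent config fragment that carries the default token.
# $1 = secret ID, $2 = destination file. The file holds a secret, so it
# is created under umask 077 and forced to mode 0600 if it already existed.
write_acl_config() {
  is_uuid "$1" || { echo "secret ID is not a UUID" >&2; return 1; }
  ( umask 077
    printf '{\n  "acl": {\n    "tokens": {\n      "default": "%s"\n    }\n  }\n}\n' \
      "$1" > "$2" ) && chmod 600 "$2"
}

# Create the token after the fact, with the secret chosen above.
# $1 = secret ID, $2 = policy name, $3 = description.
# CONSUL_HTTP_TOKEN must hold a token that is allowed to write ACLs.
create_token() {
  is_uuid "$1" || { echo "secret ID is not a UUID" >&2; return 1; }
  consul acl token create -secret="$1" -policy-name="$2" -description="$3"
}

# Usage (placeholder values):
#   secret=$(new_secret_id)
#   write_acl_config "$secret" /etc/consul.d/acl-token.json   # on the agent
#   create_token "$secret" "agent-policy" "agent token"       # where ACL writes are allowed
```

The secret is passed to `consul acl token create` as a command-line argument, so it is visible in the process list on that host while the command runs.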

You can retrieve the master token on the consul servers:

```
export CONSUL_HTTP_TOKEN=$(jq -r .acl.tokens.master < /etc/consul/config.json)
```