Mesh secured Nomad jobs no longer possible across Datacenters?

Hi this is a crosspost from the Consul-Topics as it deals with Consul and Nomad,

I have a set of federated consul datacenters with enabled ACLs and connect. On top of that is a Nomad cluster. As I want to start Nomad jobs with connect enabled.

Everything looks good. But when I try to start this nomad job

job "egw" {

  datacenters = ["prod1"]
  region = "de-west"
  node_pool = "static-clients"

  group "egw" {
    count = 2
    network {
      mode = "bridge"

    service {
      name = "egw"
      connect {
        gateway {
          proxy {}
          terminating {
            service {
              name = "postgres"
            service {
              name = "redis-svc"

from GitHub - nairnavin/practical-nomad-consul: Set up a 3 Tier application (classic springboot petclinic) in a Nomad / Consul cluster leveraging features of service mesh, ingress and terminating gateways, load balancers etc. I get the error failed to derive SI token: Unexpected response code: 500 (rpc error making call: Local tokens are disabled).

What I see is, that only my primary consul cluster has the “Local” tag in the UI. If I create a token from the UI in one of the secondary datacenters, I cannot see it in the datacenter, where it has been created but only in the primary datacenter.

This article (How Nomad Manages ACL Tokens/Polices for Consul Service Mesh – HashiCorp Help Center) mentions, that SI tokens, that are generated by Nomad are only generated with a Local scope and are no longer replicated.

But how are Nomad created connect jobs supposed to work across federated datacenters, then?

Kind regards,

BTW.: This is with Nomad 1.7.6 and Consul 1.17.3

And I have checked that with one of the other jobs in the example (that don’t involve deploying a terminating gateway, which might be a special case) - same error: Local tokens are disabled.

I have upgraded to Nomad 1.8.1 and installed consul-cni on my nomad clients in order to be able to deploy the countdash-example (which uses the transparent_proxy feature - thus consul-cni and Nomad 1.8.1). But same error: Local tokens are disabled.

What do I need to configure in consul, to allow for Local tokens and federation/token-replication?