Reset/Re-bootstrap ACL in consul

I am quite new to the Nomad/Consul world . I have a test env with 3 Nomad/Consul servers and 6nomad/ consul clients . Able to run jobs and access consul and nomad UI etc .Mostly everything is working fine. I wanted to enable ACL and I went through the setup
Secure Consul with Access Control Lists (ACLs) | Consul | HashiCorp Developer and was able to create token and I put the following in both Consul Servers and Clients


#  enabled = true
#  default_policy = "deny"
#  enable_token_persistence = true
#  enable_token_replication = true
#  tokens {
#    master = "xxxxf"
#     agent = "xxxxx"
#  }

So couple of questions

a) What config needs to go into my Nomad and do I use the same tokens in the Consul stanza ? my current nomad stanza looks like this

consul {
    ssl     = true
    address = ""
    ca_file   = "xxx"
    cert_file = "xxx"
    key_file  = "xxx"
    token = "same as "agent" from consul above "

b) Do I need to bootstrap my Nomad cluster and create new tokens per Bootstrap Nomad ACL System | Nomad | HashiCorp Developer
c)Finally if I need to reset the ACL bootstrap on consul and redo everything how can we do this ?

I don’t know Nomad, so I’ll only be answering this part:

You can’t re-bootstrap unless you completely wipe the Consul data directory on all nodes, and have the cluster nodes recreate the cluster with no data.

However, the tokens.master setting in the Consul server config file serves as a way to “break glass” into a Consul installation if all admin tokens have been lost. The exact functionality of the tokens.master setting, is that when a Consul server becomes the cluster leader, it will check whether that token already exists, and if it does not, will create it will global-management privileges.

To be clear, it is not necessary to keep tokens.master set at all in the configuration file - its only purpose is to allow creating an initial or replacement global-management token without having an existing token.

Hi @maxb,

Consul lets you re-bootstrap the ACL system if you lose the bootstrap token. Please find the documentation for the same here: Troubleshoot the Access Control System | Consul | HashiCorp Developer

Huh, that must be new in more recent versions of Consul. It didn’t exist when I last was working in that area.

That means you must have been using the Consul version below 1.4.0. This feature is available from Consul 1.4.0 just for information for anyone else referring to this thread in the future.