What causes error "Operation on intention prefix denied due to ACLs'?

Running nomad 0.11.0 with consul 1.7.2 with acls enabled.

On the consul servers, I see this error every few seconds

Apr 10 15:15:00 consul1 consul[28262]:     2020-04-10T15:15:00.797Z [WARN]  
agent.server.intentions: Operation on intention prefix denied due to ACLs: prefix=count-dashboard accessorID=12345678-1234-1234-1234-123456789012

On the nomad agents I see this error

Apr 10 15:25:41 nomadagent1 consul[6882]:     2020-04-10T15:25:41.564Z [ERROR] 
agent.client: RPC failed to server: method=Intention.Match server=10.47.69.130:8300 error="rpc error making call: Permission denied"

I was able to fix this by creating a policy for the nomad agents and applying it to /etc/nomad/config.json

I created a policy and token called consul-connect

agent_prefix "" {
    policy = "write"
}
node_prefix "" {
    policy = "write"
}
service_prefix "" {
    policy = "write"
}
acl = "write"

I then took the token and added it to the nomad config on the agents (not the servers)

/etc/nomad/config.json

{
  "consul": {
    "token": "123456"
  }
}

I then restarted the nomad and consul service on the agents

service nomad restart
service consul restart
1 Like