Consul 1.4 ACL Bootstrap issue

[Scott Herrmann]

Started work on a Consul development cluster.  Decided to start fresh at 1.4

Following the updated ACL guide.  

I have gotten to the point that all 3 nodes now have the following acl policy defined in the server config file:

  "primary_datacenter": "ABC",

  "acl" : {

    "enabled": true,

    "default_policy": "deny",

    "down_policy": "extend-cache"

  }

Primary_datacenter is set to same value as datacenter parameter.

All 3 nodes were restarted and now running consul members returns nothing (expected

Now attempting to bootstrap to get the agent token.

[root@server consul]# consul acl bootstrap                
AccessorID:   65090939-d08b-d52b-abca-c4141987e7c3
SecretID:     73b3256c-4932-2e48-977b-5eb804a467de
Description:  Bootstrap Token (Global Management)
Local:        false
Create Time:  2018-11-09 18:57:06.371871481 -0500 EST
Policies:
   00000000-0000-0000-0000-000000000001 - global-management

I then created an ACL rules file per the documentation:

[root@server acl_policies]# cat agent-policy.hcl 
node_prefix "" {
   policy = "write"
}
service_prefix "" {
   policy = "read"
}

This is where I am stopped by the following error:

[root@server acl_policies]# consul acl policy create -name "agent-token" -description "Agent Token Policy" -rules @agent-policy.hcl
Failed to create new policy: Unexpected response code: 403 (rpc error making call: ACL not found)

I have tried setting the environment variable: export CONSUL_HTTP_TOKEN=65090939-d08b-d52b-abca-c4141987e7c3

But I always end up with the above error?  I have tried running from all 3 nodes (after creating the policy file and exporting the Env variable).  Same error.

Thoughts?

[aru...@pixar.com]

You're using the Token AccessorID and not the SecretID.

Try using `export CONSUL_HTTP_TOKEN=73b3256c-4932-2e48-977b-5eb804a467de` and then attempt to create the policy.

Cheers,

Aaron

[Scott Herrmann]

Well, son of gun!  I had tried that at some point too.   But it worked this time.

Cheers!