Reputation: 21
In the legacy ACL system (pre 1.4), I was able to create ACL tokens using the API endpoint /v1/acl/update, passing in an existing ID as a parameter in the payload, e.g.:
"ID": "##uuid",
This would create a token with that uuid in consul.
In the new system, I cannot create a token and pass in an already chosen ID of that token, either via consul acl client or acl API. Any suggestions?
The only pre-assigned token I'm aware of that works is the bootstrap master token, which can be configured in acl.json at startup, and Consul will use that to bootstrap the cluster and create the mgmt token:
    "tokens": {
        "master": "##uuid"
    }
Note that the purpose here is the ability to recover from an outage. If I have 100 tokens in Consul and lose the cluster, how do I rebuild with the same tokens (which would be saved off somewhere)?
Upvotes: 1
Views: 813
Reputation: 3064
This feature was added to the 1.5.0 release.
A token can be created via the CLI, like this:
consul acl token create -secret <secret_uuid> -policy-id <policy_uuid>
Optional parameters, such as description and accessor id, are also available.
A token can also be created via the REST API:
curl -X PUT \
    --header "X-Consul-Token: $CONSUL_HTTP_TOKEN" \
    --data @payload.json \
    http://127.0.0.1:8500/v1/acl/token
With payload.json:
{
    "Description": "Token",
    "SecretID": "<secret_uuid>",
    "Policies": [
        { "ID": "<policy_uuid>" }
    ]
}
Where <secret_uuid> is the UUID to use as the token's Secret ID.
All documentation can be found here.
Upvotes: 1
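For the recovery case in the question, the REST call from the answer above can be driven from a saved token list. This is an added example, not code from either poster or from the Consul project: the record layout and the names `canonical_uuid`, `build_payload`, `http_put` and `restore_tokens` are hypothetical, the sample UUIDs are constructed, and it assumes Consul 1.5.0 or later with the referenced policies already present in the rebuilt cluster.

```python
import json
import urllib.request
import uuid

CONSUL_ADDR = "http://127.0.0.1:8500"  # local agent, as in the curl call above

# Constructed backup records (not real tokens), one dict per saved token.
SAMPLE_BACKUP = [
    {"AccessorID": "11111111-2222-3333-4444-555555555555",
     "SecretID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE",
     "Description": "web service", "Policies": [{"Name": "web-read"}]},
    {"AccessorID": "66666666-7777-8888-9999-000000000000",
     "SecretID": "12345678-1234-1234-1234-123456789abc",
     "Policies": [{"ID": "0f0f0f0f-1111-2222-3333-444444444444"}]},
]

def canonical_uuid(value, field):
    """Return value as a lowercase hyphenated UUID; the error never echoes it."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{field} is not a valid UUID") from None

def build_payload(record):
    """Turn one saved record into a PUT /v1/acl/token request body."""
    links = [{"Name": p["Name"]} if p.get("Name")
             else {"ID": canonical_uuid(p.get("ID"), "policy ID")}
             for p in record.get("Policies", [])]
    return {"AccessorID": canonical_uuid(record.get("AccessorID"), "AccessorID"),
            "SecretID": canonical_uuid(record.get("SecretID"), "SecretID"),
            "Description": record.get("Description", ""),
            "Policies": links}

def http_put(path, body, mgmt_token):
    """Send one authenticated PUT to the agent and return the HTTP status."""
    req = urllib.request.Request(
        CONSUL_ADDR + path, data=json.dumps(body).encode(), method="PUT",
        headers={"X-Consul-Token": mgmt_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status

def restore_tokens(records, mgmt_token, put=http_put):
    """Validate every record first, then recreate the tokens one by one."""
    payloads = [build_payload(r) for r in records]
    secrets = [p["SecretID"] for p in payloads]
    if len(set(secrets)) != len(secrets):
        raise ValueError("backup contains a duplicated SecretID")
    restored = []
    for payload in payloads:
        status = put("/v1/acl/token", payload, mgmt_token)
        if status != 200:
            raise RuntimeError(f"{payload['AccessorID']}: HTTP {status}")
        restored.append(payload["AccessorID"])
    return restored
```

The saved records contain live Secret IDs, so the backup needs the same protection as the management token used to replay it.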
Reputation: 21
This was already raised in https://github.com/hashicorp/consul/issues/4977, with the targeted feature included in the 1.4.4 release (date TBD).
Upvotes: 1