consul_acl_token_secret_id data source errors with an access denied (403) #239
Comments
A couple of updates:
I'm now checking if using the bootstrap ACL token directly instead of loading it from the K8S secret has any impact.

Is there a way to have a listing of the consul client configuration? I'm looking forward to the token that the client is using. Thanks!
Hi @ferrarimarco, sorry to not have answered sooner. I had no Kubernetes cluster to reproduce your setup and needed to set up one to reproduce your setup. I have not yet succeeded in reproducing the bug. Do you have multiple Consul clusters?

After upgrading to the latest consul, it didn't occur anymore. I'll reopen if this happens again! Thanks!

Sorry to reopen this, but it started happening again. Apparently, updating consul didn't fix it in the end :( I do have only one Consul cluster, that I deployed with the

The debug output looks like the one I appended in my first message here :)

Might it be a race condition of some kind?

If you have a single datacenter I don't think a race condition should be possible. I've tried but could not reproduce the issue. Could you post a complete Terraform configuration so that I can try to reproduce the bug?

I don't have access to that environment anymore. Feel free to close, or keep open as reference :)
I'm now experiencing this issue.

```hcl
provider "consul" {
  address    = local.consul_url
  datacenter = local.consul_datacenter
  token      = data.kubernetes_secret.consul_bootstrap_acl_token.data["token"]
}
```

Resources

```hcl
data "kubernetes_secret" "consul_bootstrap_acl_token" {
  metadata {
    name      = "consul-bootstrap-acl-token"
    namespace = "default"
  }

  depends_on = [
    helm_release.consul
  ]
}

resource "consul_acl_policy" "vault" {
  name  = "vault"
  rules = <<-RULE
    {
      "key_prefix": {
        "vault/": {
          "policy": "write"
        }
      },
      "node_prefix": {
        "": {
          "policy": "write"
        }
      },
      "service": {
        "vault": {
          "policy": "write"
        }
      },
      "agent_prefix": {
        "": {
          "policy": "write"
        }
      },
      "session_prefix": {
        "": {
          "policy": "write"
        }
      }
    }
  RULE

  depends_on = [
    helm_release.consul
  ]
}
```

Running Consul 1.9.5 on GKE

Provider Versions

```
terraform version
Terraform v0.15.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/consul v2.12.0
+ provider registry.terraform.io/hashicorp/external v2.1.0
+ provider registry.terraform.io/hashicorp/google v3.69.0
+ provider registry.terraform.io/hashicorp/google-beta v3.69.0
+ provider registry.terraform.io/hashicorp/helm v2.1.2
+ provider registry.terraform.io/hashicorp/kubernetes v2.2.0
```
Hi @tdgeery, I am using the same approach to get the token from a Kubernetes secret and having the same issue while reading consul policies. Did you figure out how to solve it?
@manobi Since I'm creating Consul and Vault in the same repository, I imported the Consul bootstrap token into terraform and am passing that to the provider:

```hcl
resource "random_uuid" "consul_bootstrap_acl_token" {}

resource "kubernetes_secret" "consul_bootstrap_acl_token" {
  metadata {
    name      = "consul-bootstrap-acl-token"
    namespace = "default"
  }

  data = {
    "token" = random_uuid.consul_bootstrap_acl_token.result
  }
}
```

Under the Consul Helm chart:

```yaml
global:
  acls:
    manageSystemACLs: true
    bootstrapToken:
      secretName: ${bootstrap_secret_name}
      secretKey: ${bootstrap_secret_key}
```

and then for the consul provider:

```hcl
provider "consul" {
  address = local.consul_url
  token   = random_uuid.consul_bootstrap_acl_token.result
  ...
}
```
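The thread never pins down why the bootstrap token works for every other resource but gets a 403 from the token read behind `consul_acl_token_secret_id`. The following diagnostic is an added example, not code from the issue or the provider: it decodes the token the way it is stored in the Kubernetes secret, asks Consul what it sees via `/v1/acl/token/self`, checks that the built-in global-management policy (which the bootstrap token carries) is attached, and only then repeats the read the data source performs. The address, token and accessor ID are command-line placeholders; the secret JSON shape is that of `kubectl get secret -o json`.

```python
"""Separate "Consul does not know this token" from "token lacks ACL privileges"
when a Consul token read returns 403. Added diagnostic, not part of the issue."""
import base64
import json
from urllib import error, request

# Well-known ID of Consul's built-in global-management policy; the bootstrap
# token is attached to it, and it grants acl:write (and therefore acl:read).
GLOBAL_MANAGEMENT_POLICY_ID = "00000000-0000-0000-0000-000000000001"


def token_from_k8s_secret(secret_json: str, key: str = "token") -> str:
    """Decode the base64 value stored under `key` in a Kubernetes Secret.
    Whitespace is stripped: a trailing newline stored in the secret makes Consul
    see a token it has never issued, which it also reports as 403."""
    data = json.loads(secret_json)["data"]
    return base64.b64decode(data[key]).decode().strip()


def has_acl_privileges(token_self: dict) -> bool:
    """True if the /v1/acl/token/self body lists the global-management policy."""
    policies = token_self.get("Policies") or []
    return any(p.get("ID") == GLOBAL_MANAGEMENT_POLICY_ID for p in policies)


def consul_get(addr: str, token: str, path: str) -> tuple[int, dict]:
    """GET a Consul HTTP API path with X-Consul-Token; returns (status, body)."""
    req = request.Request(f"{addr}{path}", headers={"X-Consul-Token": token})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, json.load(resp)
    except error.HTTPError as exc:
        return exc.code, {}


def diagnose(addr: str, token: str, accessor_id: str) -> str:
    """Check the token itself first, then mirror the data source's token read."""
    status, me = consul_get(addr, token, "/v1/acl/token/self")
    if status == 403:
        return "Consul rejected the token itself (403): verify the secret value"
    if not has_acl_privileges(me):
        return f"token {me.get('AccessorID')} lacks global-management: no acl:read"
    status, _ = consul_get(addr, token, f"/v1/acl/token/{accessor_id}")
    return "token read OK" if status == 200 else f"token read failed: HTTP {status}"


if __name__ == "__main__":
    import sys
    # usage: diagnose.py http://CONSUL-ADDR:8500 SECRET-ID ACCESSOR-ID (placeholders)
    print(diagnose(sys.argv[1], sys.argv[2], sys.argv[3]))
```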
Terraform Version
Affected Resource(s)
Please list the resources as a list, for example:
data.consul_acl_token_secret_id
Terraform Configuration Files
Debug Output
On the Consul side, I see a corresponding error:
where `TOKEN-ID` is the ID of the token, which I double-checked.
Expected Behavior
Terraform should be able to present a suitable plan.
Actual Behavior
Terraform outputs the following error:
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
terraform plan
Important Factoids
I'm using the bootstrap ACL token (loaded from a Kubernetes secret). Other resources and data sources of the consul provider are working fine with the same token.