CONSUL_HTTP_TOKEN doesn't provide access to all keys

Question

CONSUL_HTTP_TOKEN doesn't provide access to all keys

Opened this issue 8 years ago · 3 comments

When I provide a management token in the CONSUL_HTTP_TOKEN environment variable, the resulting backup only contains the key/value pairs that I would see with an anonymous token. Using the same management token in the Consul web UI, I can see everything. I put some debug statements in the consul-snapshot code and confirmed the correct token is read with os.Getenv("CONSUL_HTTP_TOKEN") in consul-snapshot/vendor/github.com/hashicorp/consul/api/api.go.

Answer 1 · 2017-01-09T22:02:34.000Z

More specifically, the only keys in the backup are those beginning with "global/" but none of the "local/" keys are there.

Answer 2 · 2017-01-10T01:38:58.000Z

This sounds like a bug thanks for reporting @duffrecords, I'll take a closer look at it when I have some time.

Answer 3 · 2017-01-10T20:36:14.000Z

I was able to get it to work by setting CONSUL_HTTP_ADDR to 'localhost:8500' but setting it to 'fqdn.of.consul.server:8500' only retrieves keys that are visible with the anonymous token. Apparently the tool is able to authenticate with the local Consul client but not directly with the Consul server itself (I'm running consul-snapshot on a different machine than the Consul server).