Super fun finding out that Consul ACL roles are handy but if a token has multiple, the ACL expansion just breaks somehow? And that you actually can't expand a token to show its full effective ACL?!

And why do I assign two, you ask? Nomad workload identity JWTs for Consul do not have a role attribute. Ergo, on the receiving ACL binding end it's now impossible to have a catch-all default role and still infer more specific roles from the identity. The moment you do, it gets both roles, which breaks portions of the subsequent policies in weird ways, and not just due to precedence rules. (For example, both contain an identical rule allowing read to all services, but then they somehow cancel out?!)

Now this is probably a fixable bug in Consul, but from what I'm seeing HashiCorp has abandoned reading or reacting to their Consul bug reports. So I probably need to hunt it down myself, and perhaps bother sending them a PR they can ignore.
#HomeLab #Consul #Nomad