Change perms from 0400 to 0600 for acl-token

If the acl-init command is re-run, it needs to be able to overwrite the previously written acl-token file.
hashicorp · Apr 20, 2020 · f7609a1 · f7609a1
1 parent afb4b84
commit f7609a1
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/subcommand/acl-init/command.go b/subcommand/acl-init/command.go
@@ -104,7 +104,9 @@ func (c *Command) Run(args []string) int {
 			return 1
 		}
 
-		// Write the data out as a file
+		// Write the data out as a file.
+		// Must be 0644 because this is written by the consul-k8s user but needs
+		// to be readable by the consul user.
 		err = ioutil.WriteFile(filepath.Join(c.flagACLDir, "acl-config.json"), buf.Bytes(), 0644)
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error writing config file: %s", err))
@@ -113,7 +115,9 @@ func (c *Command) Run(args []string) int {
 	}
 
 	if c.flagTokenSinkFile != "" {
-		err := ioutil.WriteFile(c.flagTokenSinkFile, []byte(secret), 0400)
+		// Must be 0600 in case this command is re-run. In that case we need
+		// to have permissions to overwrite our file.
+		err := ioutil.WriteFile(c.flagTokenSinkFile, []byte(secret), 0600)
 		if err != nil {
 			c.UI.Error(fmt.Sprintf("Error writing token to file %q: %s", c.flagTokenSinkFile, err))
 			return 1