From f8d33b36fdaef60f4d5f5b5c9ac0b76f76b43b64 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Mon, 1 Feb 2021 17:40:21 -0500
Subject: [PATCH] local: default to the agent token instead of the user token
When de-registering in anti-entropy sync, when there is no service or check token. The agent token will fall back to the default (aka user) token if no agent token is set, so the existing behaviour still works, but it will prefer the agent token over the user token if both are set. ref: https://www.consul.io/docs/agent/options#acl_tokens The agent token seems more approrpiate in this case, since this is an "internal operation", not something initiated by the user.
---
 .changelog/9683.txt | 3 +++
 agent/local/state.go | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/9683.txt
diff --git a/.changelog/9683.txt b/.changelog/9683.txt
new file mode 100644
index 0000000000..541f9264c7
--- /dev/null
+++ b/.changelog/9683.txt
@@ -0,0 +1,3 @@
+```release-notes:improvement
+client: when a client agent is attempting to dereigster a service, anddoes not have access to the ACL token used to register a service, attempt to use the agent token instead of the default user token. If no agent token is set, fall back to the default user token.
+```
diff --git a/agent/local/state.go b/agent/local/state.go
index f6e3961313..d4c2de6464 100644
--- a/agent/local/state.go
+++ b/agent/local/state.go
@@ -215,7 +215,7 @@ func (l *State) serviceToken(id structs.ServiceID) string {
 token = s.Token
 }
 if token == "" {
- token = l.tokens.UserToken()
+ token = l.tokens.AgentToken()
 }
 return token
 }
@@ -428,7 +428,7 @@ func (l *State) checkToken(id structs.CheckID) string {
 token = c.Token
 }
 if token == "" {
- token = l.tokens.UserToken()
+ token = l.tokens.AgentToken()
 }
 return token
 }
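Review bot: The new fallback `token = l.tokens.AgentToken()` sits inside the shared helper `serviceToken` (and identically in `checkToken`), not at the deregistration call site, so every caller of these helpers inherits the agent token when an entry has no token of its own. The commit message scopes the intent to anti-entropy deregistration; the callers are not visible in this hunk, so it is worth confirming that no registration or sync path, and no exported accessor, goes through the same helpers. If one does, an entry registered without a token would be written with the agent token's ACL policy instead of the default token's, which may be broader than intended. A comment on the fallback would record the decision, e.g. `// no per-entry token: prefer the agent token, which itself falls back to the default token`. The diffstat lists only the changelog and state.go, so a test with both tokens set that asserts which one is returned would pin the new precedence. Both function bodies begin outside their hunks.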