From 76a365d4108fff8a0fcb61a878f5a9565d7a16ae Mon Sep 17 00:00:00 2001 From: Daniel Nephin Date: Mon, 1 Feb 2021 17:40:21 -0500 Subject: [PATCH] local: default to the agent token instead of the user token When de-registering in anti-entropy sync, when there is no service or check token. The agent token will fall back to the default (aka user) token if no agent token is set, so the existing behaviour still works, but it will prefer the agent token over the user token if both are set. ref: https://www.consul.io/docs/agent/options#acl_tokens The agent token seems more approrpiate in this case, since this is an "internal operation", not something initiated by the user.
---
 .changelog/9683.txt | 3 +++
 agent/local/state.go | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
 create mode 100644 .changelog/9683.txt
diff --git a/.changelog/9683.txt b/.changelog/9683.txt
new file mode 100644
index 000000000..541f9264c
--- /dev/null
+++ b/.changelog/9683.txt
@@ -0,0 +1,3 @@
+```release-notes:improvement
+client: when a client agent is attempting to dereigster a service, anddoes not have access to the ACL token used to register a service, attempt to use the agent token instead of the default user token. If no agent token is set, fall back to the default user token.
+```
diff --git a/agent/local/state.go b/agent/local/state.go
index 6f0b779fc..b2382ed5b 100644
--- a/agent/local/state.go
+++ b/agent/local/state.go
@@ -243,7 +243,7 @@ func (l *State) serviceToken(id structs.ServiceID) string {
 token = s.Token
 }
 if token == "" {
- token = l.tokens.UserToken()
+ token = l.tokens.AgentToken()
 }
 return token
 }
@@ -457,7 +457,7 @@ func (l *State) checkToken(id structs.CheckID) string {
 token = c.Token
 }
 if token == "" {
- token = l.tokens.UserToken()
+ token = l.tokens.AgentToken()
 }
 return token
 }
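Review bot: The new fallback in `serviceToken` (and the identical one in the `checkToken` hunk) has no comment saying why the agent token is chosen or that, per the commit message, it may itself resolve to the default token, so the effective credential is not obvious at the call site. A line such as `// Prefer the agent token for agent-initiated sync; AgentToken() falls back to the default token when unset.` above `token = l.tokens.AgentToken()` would record it. Both helpers are generic token lookups whose bodies start outside the hunks, so if they are called from paths other than anti-entropy deregistration (registration sync, for example), those paths now present the agent token too, which is usually the more privileged credential; it is worth confirming the callers and stating the intended scope in the helpers' doc comments. A test with both tokens configured and an entry whose own token is empty would pin the new precedence.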