Nomad version
Nomad v1.10.5
BuildDate 2025-09-09T14:36:45Z
Revision a3b86c697f38ab032e1acaae8503ed10815bc4a2
Operating system and Environment details
Ubuntu 24.04
Issue
Workload identities are not able to interact with the ACL API due to a token validation error.
The same policy works as expected when used with a standard token instead of a workload identity.
This seems to be related to #24663
Reproduction steps
- Create a policy that includes
    acl { policy = "read" }
- Use that policy in a workload identity with a job that includes
    identity { env = true }
- Use the workload identity to interact with ACL API
Expected Result
ACL API queries return successfully
Actual Result
Generic 500 error returned to client and validation error logged to server
Example queries:
$ curl --header "X-Nomad-Token: ${NOMAD_TOKEN}" https://nomad.service.consul:4646/v1/acl/policy/test
Error 500: Internal Server Error
The server met an unexpected condition
$ curl --header "X-Nomad-Token: ${NOMAD_TOKEN}" https://nomad.service.consul:4646/v1/acl/policies
Error 500: Internal Server Error
The server met an unexpected condition
Job file
job "test" {
  datacenters = ["dc1"]
  type        = "service"

  group "main" {
    task "test" {
      driver = "docker"

      identity { env = true }

      config {
        image = "alpine/curl:latest"
        args  = ["--header", "X-Nomad-Token: ${NOMAD_TOKEN}", "https://nomad.service.consul:4646/v1/acl/policies"]
      }
    }
  }
}
ACL Policy file
namespace "default" {
  policy = "read"
}

acl {
  policy = "read"
}
Nomad Server logs
2025-09-14T05:00:58.484-0700 [ERROR] http: request failed: method=GET path=/v1/acl/policies error="rpc error: acl token lookup failed: index error: UUID must be 36 characters" code=500
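
The server log above rejects the token with "UUID must be 36 characters"; a Nomad ACL token's secret ID is a 36-character UUID, while a workload identity is a JWT. The following is an added triage example, not part of the issue or of Nomad's code: it classifies the value sent in X-Nomad-Token by shape and lists JWT claim names without verifying any signature. The function names and the sample tokens are constructed for illustration.

```python
import base64
import json
import re

# Shape of a Nomad ACL token secret ID: a canonical 36-character UUID.
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def _b64url_json(segment):
    """Decode one base64url JWT segment (JWTs strip the padding) into JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def classify_token(value):
    """Return (kind, detail) for a value sent in X-Nomad-Token.

    kind is "acl-secret-id", "jwt" or "unknown". Only the shape is
    inspected; no signature or expiry is checked.
    """
    value = value.strip()
    if UUID_RE.match(value):
        return "acl-secret-id", {"length": len(value)}
    parts = value.split(".")
    if len(parts) == 3 and all(parts):
        try:
            header = _b64url_json(parts[0])
            claims = _b64url_json(parts[1])
        except ValueError:  # bad base64, bad UTF-8 or bad JSON
            return "unknown", {"length": len(value)}
        if isinstance(header, dict) and isinstance(claims, dict):
            return "jwt", {"length": len(value), "alg": header.get("alg"),
                           "claims": sorted(claims)}
    return "unknown", {"length": len(value)}


def make_sample_jwt(claims):
    """Build a constructed, JWT-shaped string for the demo (not a real token)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    print(classify_token("3f2a1c9e-5b7d-4e8a-9c1f-0a2b3c4d5e6f"))
    print(classify_token(make_sample_jwt({"sub": "example", "nomad_job_id": "test"})))
```

Running it inside the task against the real `NOMAD_TOKEN` value shows which of the two token shapes the job is presenting; the output includes claim names only, never the token itself.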