From f94016816dfd5f37fcfef926d4a8236d0d96ba69 Mon Sep 17 00:00:00 2001
From: James Rasell <jrasell@users.noreply.github.com>
Date: Mon, 10 Mar 2025 09:06:09 +0100
Subject: [PATCH] cli: Add node_prefix read policy to Consul setup task policy.
 (#25310)

When Nomad registers a service within Consul it is regarded as a
node service. In order for Nomad workloads to read these services,
it must have an ACL policy which includes node_prefix read. If it
does not, the service is filtered out from the result.

This change adds the required permission to the Consul setup
command.
---
 .changelog/25310.txt                       | 3 +++
 command/asset/consul-wi-default-policy.hcl | 4 ++++
 2 files changed, 7 insertions(+)
 create mode 100644 .changelog/25310.txt

diff --git a/.changelog/25310.txt b/.changelog/25310.txt
new file mode 100644
index 000000000..a3f040892
--- /dev/null
+++ b/.changelog/25310.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+cli: Add node_prefix read when setting up the task workload identity Consul policy
+```
diff --git a/command/asset/consul-wi-default-policy.hcl b/command/asset/consul-wi-default-policy.hcl
index e97c25817..09b4b1308 100644
--- a/command/asset/consul-wi-default-policy.hcl
+++ b/command/asset/consul-wi-default-policy.hcl
@@ -1,3 +1,7 @@
+node_prefix "" {
+  policy = "read"
+}
+
 service_prefix "" {
   policy = "read"
 }