[processor/resourcedetection] Fix consul TokenFile using path as token value (#46746)

paulojmdias · web-flow · commit d843e0e963f5 · 2026-03-11T11:57:24.000+02:00
#### Description When `token_file` was configured, the file path string was assigned to `api.Config.Token` instead of `api.Config.TokenFile`, causing the consul API client to use the path as the authentication token.  #### Link to tracking issue Fixes #46745  #### Testing Added unit tests. Signed-off-by: Paulo Dias <paulodias.gm@gmail.com>
diff --git a/.chloggen/fix_46745.yaml b/.chloggen/fix_46745.yaml
@@ -0,0 +1,31 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: "bug_fix"
+
+# The name of the component, or a single word describing the area of concern, (e.g. receiver/filelog)
+component: "processor/resourcedetection"
+
+# A brief description of the change.  Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Fix consul detector `token_file` setting the file path as the literal token value instead of configuring the consul SDK to read the file"
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [46745]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  When `token_file` was configured, the file path string
+  was assigned to `api.Config.Token` instead of `api.Config.TokenFile`,
+  causing the consul API client to use the path as the authentication
+  token (always resulting in 403 Forbidden)."
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: [user]
diff --git a/processor/resourcedetectionprocessor/internal/consul/consul.go b/processor/resourcedetectionprocessor/internal/consul/consul.go
@@ -32,9 +32,8 @@ type Detector struct {
 	rb       *metadata.ResourceBuilder
 }
 
-// NewDetector creates a new system metadata detector
-func NewDetector(p processor.Settings, dcfg internal.DetectorConfig) (internal.Detector, error) {
-	userCfg := dcfg.(Config)
+// buildConsulAPIConfig translates the detector Config into a hashicorp consul api.Config.
+func buildConsulAPIConfig(userCfg Config) *api.Config {
 	cfg := api.DefaultConfig()
 
 	if userCfg.Address != "" {
@@ -50,9 +49,16 @@ func NewDetector(p processor.Settings, dcfg internal.DetectorConfig) (internal.D
 		cfg.Token = string(userCfg.Token)
 	}
 	if userCfg.TokenFile != "" {
-		cfg.Token = userCfg.TokenFile
+		cfg.TokenFile = userCfg.TokenFile
 	}
 
+	return cfg
+}
+
+func NewDetector(p processor.Settings, dcfg internal.DetectorConfig) (internal.Detector, error) {
+	userCfg := dcfg.(Config)
+	cfg := buildConsulAPIConfig(userCfg)
+
 	client, err := api.NewClient(cfg)
 	if err != nil {
 		return nil, fmt.Errorf("failed creating consul client: %w", err)
diff --git a/processor/resourcedetectionprocessor/internal/consul/consul_test.go b/processor/resourcedetectionprocessor/internal/consul/consul_test.go
@@ -5,8 +5,11 @@ package consul
 
 import (
 	"context"
+	"os"
+	"path/filepath"
 	"testing"
 
+	"github.com/hashicorp/consul/api"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/require"
@@ -58,3 +61,64 @@ func TestDetect(t *testing.T) {
 
 	assert.Equal(t, expected, res.Attributes().AsRaw())
 }
+
+func TestBuildConsulAPIConfig_TokenFile(t *testing.T) {
+	tokenFile := filepath.Join(t.TempDir(), "token")
+	require.NoError(t, os.WriteFile(tokenFile, []byte("secret-token-value"), 0o600))
+
+	userCfg := Config{
+		TokenFile:          tokenFile,
+		ResourceAttributes: metadata.DefaultResourceAttributesConfig(),
+	}
+
+	apiCfg := buildConsulAPIConfig(userCfg)
+
+	// TokenFile must be set on api.Config.TokenFile so the consul SDK reads the file.
+	// It must NOT be set on api.Config.Token (which would use the path as a literal token).
+	require.Equal(t, tokenFile, apiCfg.TokenFile,
+		"TokenFile should be passed to api.Config.TokenFile")
+	require.Empty(t, apiCfg.Token,
+		"api.Config.Token should not be set when only TokenFile is configured")
+}
+
+func TestBuildConsulAPIConfig_Token(t *testing.T) {
+	userCfg := Config{
+		Token:              "my-secret-token",
+		ResourceAttributes: metadata.DefaultResourceAttributesConfig(),
+	}
+
+	apiCfg := buildConsulAPIConfig(userCfg)
+
+	require.Equal(t, "my-secret-token", apiCfg.Token)
+	require.Empty(t, apiCfg.TokenFile)
+}
+
+func TestBuildConsulAPIConfig_AllFields(t *testing.T) {
+	userCfg := Config{
+		Address:            "http://consul.local:8500",
+		Datacenter:         "dc2",
+		Namespace:          "team-a",
+		Token:              "direct-token",
+		ResourceAttributes: metadata.DefaultResourceAttributesConfig(),
+	}
+
+	apiCfg := buildConsulAPIConfig(userCfg)
+
+	require.Equal(t, "http://consul.local:8500", apiCfg.Address)
+	require.Equal(t, "dc2", apiCfg.Datacenter)
+	require.Equal(t, "team-a", apiCfg.Namespace)
+	require.Equal(t, "direct-token", apiCfg.Token)
+}
+
+func TestBuildConsulAPIConfig_Defaults(t *testing.T) {
+	userCfg := Config{
+		ResourceAttributes: metadata.DefaultResourceAttributesConfig(),
+	}
+
+	apiCfg := buildConsulAPIConfig(userCfg)
+
+	// When no fields are set, api.DefaultConfig() defaults should be preserved
+	defaultCfg := api.DefaultConfig()
+	require.Equal(t, defaultCfg.Address, apiCfg.Address)
+	require.Equal(t, defaultCfg.Datacenter, apiCfg.Datacenter)
+}
