@devops-rob
Created October 24, 2019 14:31
This script creates a bootstrap ACL token, then creates a policy for both agent tokens and Vault client tokens, then finally the tokens respectively.
#!/bin/bash
# Stop on the first failed command so a failed bootstrap cannot leave
# CONSUL_HTTP_TOKEN empty for the calls that follow.
set -euo pipefail
# The files written below hold ACL secrets; create them owner-readable only.
umask 077

export CONSUL_HTTP_ADDR=https://10.201.44.11:8501
export CONSUL_CACERT=/etc/consul.d/tls/consul-agent-ca.pem
export CONSUL_CLIENT_CERT=/etc/consul.d/tls/dc1-cli-consul-0.pem
export CONSUL_CLIENT_KEY=/etc/consul.d/tls/dc1-cli-consul-0-key.pem
AGENT_POLICY_NAME="agent-acl-policy"
CLIENT_POLICY_TOKEN="vault-acl-policy"

# Bootstrap the ACL system and keep only the SecretID value of the management token.
RAW_SECRET_ID=$(consul acl bootstrap | awk '$1 == "SecretID:" {print $2}')
printf '%s\n' "$RAW_SECRET_ID" > mgmt-SecretID
export CONSUL_HTTP_TOKEN=$RAW_SECRET_ID

# Policy and token for the Consul agents.
consul acl policy create \
  -name="$AGENT_POLICY_NAME" \
  -rules=@/etc/consul.d/acl/agent_policy.hcl
consul acl token create \
  -description="agent acl token" \
  -policy-name="$AGENT_POLICY_NAME" \
  > /etc/consul.d/acl/agent-Token

# Policy and token for the Vault clients.
# File name assumed to be vault_policy.hcl, mirroring agent_policy.hcl above.
consul acl policy create \
  -name="$CLIENT_POLICY_TOKEN" \
  -rules=@/etc/consul.d/acl/vault_policy.hcl
consul acl token create \
  -description="vault acl token" \
  -policy-name="$CLIENT_POLICY_TOKEN" \
  > /etc/consul.d/acl/vault-Token
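
The bootstrap step depends on pulling the SecretID out of the CLI output and on keeping the resulting file private. The following is an added example, not part of the gist, that validates the parsed value and refuses to continue when no SecretID is present (for instance when the cluster was already bootstrapped). The helper names are hypothetical, the sample output is constructed, and the SecretID is assumed to be UUID-formatted.

```bash
# Added example, not part of the gist. Function names are hypothetical.

# Read `consul acl bootstrap` (or `consul acl token create`) output on stdin
# and print the SecretID. Returns 1 when no UUID-shaped SecretID is found,
# so the caller never exports an empty or garbage CONSUL_HTTP_TOKEN.
extract_secret_id() {
  _id=$(awk '$1 == "SecretID:" { print $2; exit }')
  if ! printf '%s\n' "$_id" |
      grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'; then
    echo "no valid SecretID in CLI output" >&2
    return 1
  fi
  printf '%s\n' "$_id"
}

# Write a secret to a file only its owner can read. umask covers a newly
# created file, chmod covers a file that already existed with wider modes.
store_secret() {
  _path=$1
  _secret=$2
  ( umask 077 && printf '%s\n' "$_secret" > "$_path" && chmod 600 "$_path" )
}

# Constructed sample of successful bootstrap output; the UUIDs are made up.
SAMPLE_BOOTSTRAP_OUTPUT='AccessorID:       11111111-2222-3333-4444-555555555555
SecretID:         aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Description:      Bootstrap Token (Global Management)
Local:            false
Policies:
   00000000-0000-0000-0000-000000000001 - global-management'

# Constructed stand-in for a failed run: text with no SecretID line.
SAMPLE_FAILED_OUTPUT='Failed ACL bootstrapping: (constructed error text)'
```

In the script this would be used as `RAW_SECRET_ID=$(consul acl bootstrap | extract_secret_id) || exit 1`, followed by `store_secret mgmt-SecretID "$RAW_SECRET_ID"`.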