ACL token is not used when importing externalized configuration

[onyn]

My spring boot application extensively use externalized configuration feature. Configuration stored in:

1. bootstrap.yml
2. application.yml
3. SPRING_APPLICATION_JSON environment variable (only in production)
4. Consul KV

Since boot 2.4 bootstrap.yml is deprecated. So I update my application for using new spring.config.import configuration option.

My updated configuration:

application.yml

spring:
  application:
    name: myapp
  cloud:
    # Consul integration initially disabled for easier local development.
    # On production consul enabled with SPRING_APPLICATION_JSON.
    consul:
      enabled: false
      config:
        enabled: false
        format: YAML
  config:
    import: "consul:"

SPRING_APPLICATION_JSON

{
  "spring": {
    "cloud": {
      "consul": {
        "enabled": true,
        "token": "2b8d6819-0fb2-4e4f-b80c-bf24f922277b",
        "host": "192.168.23.3",
        "config": {
          "enabled": true
        }
      }
    }
  }
}

This configuration doesn't work. Configuration from consul not imported.

After some debugging I found that ACL token is not used for import process. My consul have ACL configured and returns 404 Not Found for kv requests without ACL token. I figured it out via tcpdump:

http dump

This request originates from spring application

GET /v1/kv/config/myapp,default/?recurse HTTP/1.1
Host: 192.168.23.3:8500
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.5.13 (Java/17)
Accept-Encoding: gzip,deflate

HTTP/1.1 404 Not Found
Vary: Accept-Encoding
X-Consul-Default-Acl-Policy: deny
X-Consul-Index: 12017234
X-Consul-Knownleader: true
X-Consul-Lastcontact: 0
X-Consul-Query-Backend: blocking-query
Date: Thu, 10 Feb 2022 13:12:54 GMT
Content-Length: 0

Also I confirmed this by inspecting ConsulConfigProperties object during config loading phase:

screenshot

Complete, minimal, verifiable sample.