diff --git a/CHANGELOG b/CHANGELOG
index f00f69f..9cf9cc9 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+* Tue Jul 18 2017 Dylan Cochran <dylan.cochran@onyxpoint.com> - 0.4.0
+- (SIMP-3275) libkv auto-config uses the root acl
+
 * Tue Jul 11 2017 Dylan Cochran <dylan.cochran@onyxpoint.com> - 0.3.3
 - (SIMP-3406) Fix docker containers for travisci
 - (SIMP-3128) Delete .meta keys
diff --git a/files/consul/consul-acl b/files/consul/consul-acl
new file mode 100755
index 0000000..9da60f5
--- /dev/null
+++ b/files/consul/consul-acl
@@ -0,0 +1,133 @@
+#!/bin/sh
+
+# Give consul some time to attempt a join, then realize it's bootstrapping
+# a new cluster
+sleep 10
+
+gen_agent_acl() {
+  CLIENTCERT=$1
+  shift
+  NODENAME=$1
+  if [ "${NODENAME}" = "" ] ; then
+    NODENAME="${CLIENTCERT}"
+  fi
+  POLICY='{
+  "Name": "%%CLIENTCERT%%",
+  "Type": "client",
+  "Rules": "{
+	\"key\":{
+		\"\":{
+			\"policy\":\"write\"
+		},
+		\"puppet/\":{
+			\"policy\":\"deny\"
+		}
+	},
+	\"operator\":\"read\"
+       ,
+	\"node\":{
+		\"\":{
+			\"policy\":\"read\"
+		},
+		\"%%NODENAME%%\":{
+			\"policy\":\"write\"
+		}
+	}
+	,
+	\"agent\":{
+		\"\":{
+			\"policy\":\"read\"
+		},
+		\"%%NODENAME%%\":{
+			\"policy\":\"write\"
+		}
+	}
+	,
+	\"event\":{
+		\"\":{
+			\"policy\":\"read\"
+		}
+	}
+	,
+	\"service\":{
+		\"\":{
+			\"policy\":\"read\"
+		},
+		\"%%NODENAME%%\":{
+			\"policy\":\"write\"
+		}
+	}
+	,
+	\"session\":{
+		\"\":{
+			\"policy\":\"read\"
+		},
+		\"%%NODENAME%%\":{
+			\"policy\":\"write\"
+		}
+	}
+  }"
+}'
+  echo "${POLICY}" | grep -v ^# | tr -d '\t' | tr -d '\n' | sed s@%%NODENAME%%@${NODENAME}@g | sed s@%%CLIENTCERT%%@${CLIENTCERT}@g
+}
+
+gen_token() {
+
+	case "${TYPE}" in
+		libkv)
+			POLICY='{
+  "Name": "libkv-acl",
+  "Type": "client",
+  "Rules": "{\"key\":{\"puppet/\":{\"policy\":\"write\"}},\"operator\":\"read\"}"
+}'
+			;;
+		agent)
+			POLICY="$(gen_agent_acl "${CLIENTCERT}" "${NODENAME}")"
+			;;
+	esac
+        if [ "${OUTPUTFILE}" = "" ] ; then
+		curl -s --request PUT --data "${POLICY}" -q http://localhost:8500/v1/acl/create?token="${TOKEN}" | cut -d '"' -f 4
+	else
+		curl -s --request PUT --data "${POLICY}" -q http://localhost:8500/v1/acl/create?token="${TOKEN}" | cut -d '"' -f 4 >${OUTPUTFILE}
+	fi
+}
+
+get_token() {
+	curl -s --request GET  -q http://localhost:8500/v1/acl/list
+}
+
+while getopts ":t:m:o:" o; do
+    case "${o}" in
+        t)
+            export TYPE=${OPTARG}
+            ;;
+        m)
+            export MASTER_TOKEN_PATH=${OPTARG}
+            ;;
+        o)
+            export OUTPUTFILE=${OPTARG}
+            ;;
+    esac
+done
+
+if [ "${TYPE}" = "" ] ; then
+export TYPE="libkv"
+fi
+if [ "${MASTER_TOKEN_PATH}" = "" ] ; then
+export  MASTER_TOKEN_PATH="/etc/simp/bootstrap/consul/master_token"
+fi
+
+export TOKEN=$(cat ${MASTER_TOKEN_PATH})
+
+shift $((OPTIND-1))
+export METHOD=$1
+shift
+export CLIENTCERT=$1
+shift
+export NODENAME=$1
+
+case "${METHOD}" in
+   gen)
+      gen_token
+      ;;
+esac
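Review bot: `gen_agent_acl` pastes `${NODENAME}` and `${CLIENTCERT}` into the policy JSON through unquoted `sed s@%%NODENAME%%@${NODENAME}@g` expressions, so a value containing `@`, `&`, a double quote or whitespace changes the sed program or the resulting rules instead of being treated as a name. Both values arrive as positional arguments, so the script should reject anything outside a conservative set before calling `gen_token`, e.g. `case "${CLIENTCERT}${NODENAME}" in *[!A-Za-z0-9._-]*) echo "invalid name" >&2; exit 1 ;; esac`. Separately, the master token is placed in the request URL (`?token="${TOKEN}"`), which puts it in curl's argument list where other local users can see it. Consul's HTTP API also accepts the token in the `X-Consul-Token` header, which curl can read from a config file via `--config` rather than from the command line. The `-o` output file is created with the default umask, so a `umask 077` before the redirect would keep the new token private.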
diff --git a/files/consul/consul-create-acl b/files/consul/consul-create-acl
index 7820ded..7ab8639 100644
--- a/files/consul/consul-create-acl
+++ b/files/consul/consul-create-acl
@@ -30,8 +30,8 @@ case "${TYPE}" in
 	agent)
 		POLICY='{
   "Name": "agent-acl",
-  "Taype": "client",
-  "Rules": "{\"key\":{\"\":{\"policy\":\"write\"}, \"puppet/\":{\"policy\":\"deny\"}},\"operator\":\"read\"}"
+  "Type": "client",
+  "Rules": "{\"key\":{\"\":{\"policy\":\"write\"}, \"puppet/\":{\"policy\":\"deny\"}},\"operator\":\"read\", \"node\":{\"\":{\"policy\":\"write\"}}, \"agent\":{\"policy\":\"write\"}, \"event\":{ \"\":{\"policy\":\"read\"}} }"
 }'
 		;;
 esac
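Review bot: The new `agent` rule is written as `\"agent\":{\"policy\":\"write\"}`, without the name-prefix level that the neighbouring `node` and `event` rules use and that `files/consul/consul-acl` in this same commit uses for `agent`. It probably should read `\"agent\":{\"\":{\"policy\":\"write\"}}`, otherwise Consul may reject or misread the rule. The `node` rule also grants write on the empty prefix, i.e. every node name, to a single shared `agent-acl` token, which is broader than the per-node scoping the new script introduces; a comment stating that this token is meant only for bootstrap would help. The `case` statement starts outside the hunk, and `manifests/consul.pp` invokes this script with `-t agent_token`, which does not appear to match the `agent)` arm visible here.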
diff --git a/manifests/consul.pp b/manifests/consul.pp
index 1d44fde..70bf802 100644
--- a/manifests/consul.pp
+++ b/manifests/consul.pp
@@ -17,6 +17,7 @@
   $private_file_name = undef,
   $cert_file_name = undef,
   $config_hash = undef,
+  $agent_token = undef,
 ) {
   if ($firewall) {
     $ports = [
@@ -43,6 +44,10 @@
     if ($facts["consul_bootstrap"] == "true") {
       $_bootstrap_hash = { "bootstrap_expect" => 1 }
       ## Create real token
+      file { "/usr/bin/consul-acl":
+        mode   => "a+x",
+        source => "puppet:///modules/libkv/consul/consul-acl"
+      } ->
       file { "/usr/bin/consul-create-acl":
         mode   => "a+x",
         source => "puppet:///modules/libkv/consul/consul-create-acl"
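Review bot: The new `file { "/usr/bin/consul-acl": }` resource sets only `mode => "a+x"`, so owner, group and the other permission bits are left to whatever the file already has or the agent default. For a script that reads the ACL master token, pin them explicitly with `owner => 'root', group => 'root', mode => '0755'`. The resource is declared only inside the `consul_bootstrap` branch, while the `generate("/usr/bin/consul-acl", ...)` call added later in this file runs wherever the catalog is compiled, so it seems the script must already exist on the compiling server before any non-server node is compiled; that is worth confirming or documenting. The existing `consul-create-acl` resource that follows continues outside the hunk.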
@@ -50,16 +55,16 @@
       exec { "/usr/bin/consul-create-acl -t libkv /etc/simp/bootstrap/consul/master_token /etc/simp/bootstrap/consul/libkv_token":
         creates => "/etc/simp/bootstrap/consul/libkv_token",
         require => [
-		Service['consul'],
-		File["/usr/bin/consul-create-acl"],
-	],
+          Service['consul'],
+          File["/usr/bin/consul-create-acl"],
+        ],
       }
       exec { "/usr/bin/consul-create-acl -t agent_token /etc/simp/bootstrap/consul/master_token /etc/simp/bootstrap/consul/agent_token":
         creates => "/etc/simp/bootstrap/consul/agent_token",
         require => [
-		Service['consul'],
-		File["/usr/bin/consul-create-acl"],
-	],
+          Service['consul'],
+          File["/usr/bin/consul-create-acl"],
+        ],
       }
     } else {
       $_bootstrap_hash = {}
@@ -91,22 +96,47 @@
   } else {
     $_key_hash = {}
   }
+  if ($agent_token == undef) {
   $master_token_path = '/etc/simp/bootstrap/consul/master_token'
   $master_token = file($master_token_path, "/dev/null")
-  if ($master_token != undef) {
-    $_token_hash = { 
-    "acl_master_token" => $master_token.chomp,
-    "acl_token"        => $master_token.chomp,
+  if ($server == true) {
+    if ($master_token != undef) {
+      $_token_hash = { 
+      "acl_master_token" => $master_token.chomp,
+      "acl_token"        => $master_token.chomp,
+      }
+    } else {
+      $_token_hash = {}
     }
   } else {
-    $_token_hash = {}
+    $_agent_token = libkv::get({"softfail" => true, "key" => "/simp/libkv/consul/acls/${::clientcert}-${::hostname}"})
+    if ($_agent_token != undef) {
+      $_token_hash = { 
+      "acl_token"        => $_agent_token.chomp,
+      }
+    } else {
+      $try_agent_token = generate("/usr/bin/consul-acl", "-t", "agent",  "gen", "${::clientcert}", "${::hostname}").chomp
+      if ($try_agent_token != "") {
+        $result = libkv::put({"softfail" => true, "key" => "/simp/libkv/consul/acls/${::clientcert}-${::hostname}", "value" => $try_agent_token.chomp})
+        $_token_hash = {
+          "acl_token" => $try_agent_token.chomp,
+        }
+      } else {
+        $_token_hash = {}
+      }
+    }
+  }
+  } else {
+    $_token_hash = {
+      "acl_token" => $agent_token,
+    }
   }
   if ($use_puppet_pki == true) {
     if ($bootstrap == false) {
       if (!defined(File['/etc/simp'])) {
-      file { "/etc/simp":
-        ensure => directory,
-      }
+        file { "/etc/simp":
+          ensure => directory,
+        }
       }
     }
     file { "/etc/simp/consul":
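Review bot: The per-node token is generated and stored under names taken from `${::clientcert}` and `${::hostname}`, which are facts reported by the agent rather than values verified from its certificate, so a node can end up with a token scoped to a name it does not own. Use `$trusted['certname']` as the identity in both the `generate(...)` call and the libkv key, and derive the node name from it. `generate()` runs at compile time and `consul-acl` begins with `sleep 10`, so every compile for a node without a stored token blocks for at least ten seconds. Because `libkv::put` is called with `softfail`, a failed store would create a fresh ACL on each run. The body of `if ($agent_token == undef) {` is also left at the old indentation, which makes the closing `} else {` hard to pair.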