Only synthesize anonymous token in primary DC

agent/consul/acl_server.go

@@ -151,7 +151,7 @@ func (s *Server) ResolveIdentityFromToken(token string) (bool, structs.ACLIdenti
 	} else if aclToken != nil && !aclToken.IsExpired(time.Now()) {
 		return true, aclToken, nil
 	}
-	if aclToken == nil && token == acl.AnonymousTokenSecret {
+	if aclToken == nil && token == acl.AnonymousTokenSecret && s.InPrimaryDatacenter() {
 		// synthesize the anonymous token for early use, bootstrapping has not completed
 		s.insertAnonymousToken()
 		fallbackId := structs.ACLToken{