diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0090c797bc..75b5cce974 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## UNRELEASED
+BUG FIXES:
+* Control plane
+ * Use global ACL auth method to provision ACL tokens for API Gateway in secondary datacenter [[GH-1481](https://github.com/hashicorp/consul-k8s/pull/1481)]
+
 ## 0.48.0 (September 01, 2022)
 FEATURES:
diff --git a/control-plane/subcommand/server-acl-init/command.go b/control-plane/subcommand/server-acl-init/command.go
index 69a98a28d8..9f54feac20 100644
--- a/control-plane/subcommand/server-acl-init/command.go
+++ b/control-plane/subcommand/server-acl-init/command.go
@@ -592,7 +592,16 @@ func (c *Command) Run(args []string) int {
 return 1
 }
 serviceAccountName := c.withPrefix("api-gateway-controller")
- if err := c.createACLPolicyRoleAndBindingRule("api-gateway-controller", rules, consulDC, primaryDC, localPolicy, primary, localComponentAuthMethodName, serviceAccountName, consulClient); err != nil {
+
+ // API gateways require a global policy/token because they must
+ // create config-entry resources in the primary, even when deployed
+ // to a secondary datacenter
+ authMethodName := localComponentAuthMethodName
+ if !primary {
+ authMethodName = globalComponentAuthMethodName
+ }
+ err = c.createACLPolicyRoleAndBindingRule("api-gateway-controller", rules, consulDC, primaryDC, globalPolicy, primary, authMethodName, serviceAccountName, consulClient)
+ if err != nil {
 c.log.Error(err.Error())
 return 1
 }
diff --git a/control-plane/subcommand/server-acl-init/command_test.go b/control-plane/subcommand/server-acl-init/command_test.go
index a89fbe2328..83fa50b3b7 100644
--- a/control-plane/subcommand/server-acl-init/command_test.go
+++ b/control-plane/subcommand/server-acl-init/command_test.go
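Review bot: The new call passes `globalPolicy` in every datacenter and, for secondaries, `globalComponentAuthMethodName`, so the api-gateway-controller token is no longer confined to the datacenter it runs in; the added comment explains the need but not the widened reach, so I would append `// The resulting token is usable across datacenters, so keep rules limited to the config entries the controller manages.` to the comment block. Whether `rules` (built before this hunk) is already that narrow cannot be seen here and is worth confirming as part of this change. The switch from `if err := …; err != nil` to a bare `err = …` also relies on an `err` declared earlier in Run; `if err = c.createACLPolicyRoleAndBindingRule(…); err != nil {` would keep the tighter scoping the old line had. Run starts and ends outside this hunk.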
@@ -2291,7 +2291,7 @@ func TestRun_PoliciesAndBindingRulesACLLogin_SecondaryDatacenter(t *testing.T) {
 TokenFlags: []string{"-api-gateway-controller"},
 PolicyNames: []string{"api-gateway-controller-policy-" + secondaryDatacenter},
 Roles: []string{resourcePrefix + "-api-gateway-controller-acl-role-" + secondaryDatacenter},
- GlobalAuthMethod: false,
+ GlobalAuthMethod: true,
 },
 {
 TestName: "Snapshot Agent",
@@ -2599,8 +2599,8 @@ func TestRun_ValidateLoginToken_SecondaryDatacenter(t *testing.T) {
 ComponentName: "api-gateway-controller",
 TokenFlags: []string{"-api-gateway-controller"},
 Roles: []string{resourcePrefix + "-api-gateway-controller-acl-role-dc2"},
- GlobalAuthMethod: false,
- GlobalToken: false,
+ GlobalAuthMethod: true,
+ GlobalToken: true,
 },
 {
 ComponentName: "snapshot-agent",
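Review bot: Both updated tables cover only the secondary datacenter, while the production change also switches the primary's policy argument from `localPolicy` to `globalPolicy`; if the primary-datacenter tables (outside these hunks) carry a policy or `GlobalToken` expectation for the api-gateway-controller, they should be re-checked against the new behaviour as part of this change. The first hunk still expects `"api-gateway-controller-policy-" + secondaryDatacenter`, which is fine if the policy name does not depend on the global/local flag, but that is not visible here. Both enclosing test functions start and end outside the hunks.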