Getting "Forbidden" when generating a bearer token for GitOps sync

I’m really having a hard time with the GitOps sync. I’ve repeatedly followed the steps to generate a bearer token and am always getting “Forbidden” when I attempt to make the production leader sync. This has worked in the past.

mkdir -p ~/.auth

# Log in and store the returned JWT. -sS keeps curl errors visible instead of
# silently writing "null" into the token file when the login fails.
curl -sS http://<Leader-URL-or-IP>:9000/api/v1/auth/login \
  -H 'Content-Type: application/json' \
  -d "{\"username\":\"<username>\",\"password\":\"<password>\"}" \
  | jq -r .token > ~/.auth/token

export JWT_AUTH_TOKEN=$(cat ~/.auth/token)

# Header value is "Bearer <token>" (a space after the colon is the usual form)
export AUTH_HEAD="Authorization: Bearer $(cat ~/.auth/token)"

# Request the production sync
curl -X POST "http://<Leader-URL-or-IP>:9000/api/v1/version/sync" \
  -H "accept: application/json" -H "${AUTH_HEAD}" -d "ref=prod&deploy=true"

Any suggestions?
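The same login-and-sync flow, as an added example that is not from this post or from the product's own tooling, written to triage a "Forbidden": it reports the HTTP status of the sync call so a 401 (token problem) is not mistaken for a 403 (authenticated, but the role is not allowed to sync), and decodes the token's claims so the role the leader issued can be checked. The leader URL, the token path and the `.token` field of the login response are taken from the post; the helper names and the password prompt are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: same login + sync flow, but the sync call's
# HTTP status is reported so a 401 (token problem) and a 403 (authenticated, but
# the role may not call sync) are told apart.
set -u
LEADER="${LEADER:-http://<Leader-URL-or-IP>:9000}"   # placeholder, as in the thread
TOKEN_FILE="${HOME:-.}/.auth/token"

# Decode a JWT payload (base64url, unpadded) without verifying it, so the
# operator can see which subject/role claims the leader actually issued.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null
}

# Map the sync call's HTTP status to the next thing to check.
classify_status() {
  case "$1" in
    200|201|202) echo "ok: sync accepted" ;;
    401) echo "unauthenticated: token missing, malformed or expired; log in again" ;;
    403) echo "forbidden: token accepted, but this user's role is not permitted to call sync" ;;
    *)   echo "unexpected HTTP status $1" ;;
  esac
}

login() {   # password is prompted for, so it stays out of history and `ps`
  local user="$1" pass body token
  read -rs -p "password for ${user}: " pass; echo
  body=$(jq -cn --arg u "$user" --arg p "$pass" '{username:$u,password:$p}')
  token=$(curl -sS "${LEADER}/api/v1/auth/login" -H 'Content-Type: application/json' \
            -d "$body" | jq -r '.token // empty')
  [ -n "$token" ] || { echo "login returned no token" >&2; return 1; }
  mkdir -p "$(dirname "$TOKEN_FILE")"
  (umask 077; printf '%s' "$token" > "$TOKEN_FILE")   # readable by owner only
  echo "token claims: $(jwt_payload "$token")"
}

sync_prod() {
  local status
  status=$(curl -s -o /dev/null -w '%{http_code}' -X POST "${LEADER}/api/v1/version/sync" \
             -H 'accept: application/json' -H "Authorization: Bearer $(cat "$TOKEN_FILE")" \
             -d 'ref=prod&deploy=true')
  classify_status "$status"
}
# Usage: login <username> && sync_prod
```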

Best Answer

  • nicktank
    nicktank Posts: 26 mod
    Answer ✓

    All, spoke with eng about this, there is a fix coming in 4.2.2. Unfortunately it is not a policy update we can make. The sync endpoint will be unblocked in the next release timed for next week. @Joshua Cook working on a plan for you in the interim

    Also filed a story for ensuring that AD users can pull bearer tokens and use the APIs

Answers

  • Joshua Cook
    Joshua Cook Posts: 11

    One other note, I started really having trouble with this after upgrading to 4.2.1

  • nicktank
    nicktank Posts: 26 mod

    This may be an issue with auth role changes in the most recent release due to our auth model changing. I’ll verify and get back to you soon.

  • nicktank
    nicktank Posts: 26 mod

    For clarity, which role does the user have that is generating the bearer token?

  • Joshua Cook
    Joshua Cook Posts: 11

    I’m currently falling back to a local admin user to generate the bearer token

  • nicktank
    nicktank Posts: 26 mod

    Which role were you using before?

  • Joshua Cook
    Joshua Cook Posts: 11

    Same one

    Same account, I mean

  • nicktank
    nicktank Posts: 26 mod

    Was the role admin on both accounts?

  • nicktank
    nicktank Posts: 26 mod

    I mean in both instances

  • Joshua Cook
    Joshua Cook Posts: 11

    Yes

    In this case, I used the same account which has the admin role

    It worked before upgrading to 4.2.1

  • nicktank
    nicktank Posts: 26 mod

    No worries. I’ll be at my laptop in about an hour. Want to grab some time?

  • Joshua Cook
    Joshua Cook Posts: 11

    Now I can’t get it to work

    I’d love some help, yes!

  • nicktank
    nicktank Posts: 26 mod

    Still 7:30am where I am. Will ping you as soon as I’m fully online.

  • Joshua Cook
    Joshua Cook Posts: 11

    Sounds great!

  • nicktank
    nicktank Posts: 26 mod

    for this thread: the sync endpoint is returning forbidden for a local user with admin permissions. We tested this via the API tool in the prod environment UI (thanks Joshua for the time)

    Joshua also showed me that AD users are unable to fetch tokens so will file something for that to take a look

  • Raanan Dagan
    Raanan Dagan Posts: 101 mod

    Support / bug .. that makes sense