New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't login with Rancher CLI in Rancher 2.2.x when API key is cluster scoped #18639
Comments
I found it. It will not work if a scope is selected when adding an API Key. |
I really hoped this wasn't the case 😢 If you scope the api key, you can't login with it? How does that work? |
I have also got this problem! |
Cluster-scoped token's primary intended use is for communicating with the kubernetes API for a specific cluster. |
I'm also running into this issue. It wasn't an issue in 2.2.1 |
same problem here with rancher server v2.2.2. Selecting no scope did the trick. |
Should be fixed in v2.2.3-rc8 release candidate #20031 and latest master build. -- The change makes it more clear in the UI what the cluster-scoped tokens can and cannot do. |
Version: Master (v2.3) (5/13/19) This change makes it more clear in the UI via %editApiKey.scopeSelect.helpText% what cluster-scoped tokens can and cannot do. This helper text also links directly to documentation for Authorized Cluster Endpoint via https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint |
I think that the help text is missing a key word - "only" - that I think is necessary for complete avoidance of doubt. As in "Cluster-scoped tokens can only be used to interact directly with the Kubernetes API of clusters configured with an Authorized Cluster Endpoint". |
I am still confused what is the conclusion. Are scoped API keys not supported with the Rancher CLI tool yes or no? |
The CLI does not work with cluster-scoped tokens. The changes made here were (only) to clarify that. |
Is this a feature or should this change? Or can we change where the CLI points so that our cluster-scoped tokens succeed? |
Just to let you know that this is also affecting the Terraform provider, as it does not allow the usage of scoped tokens. It would be nice, because I don't want for Terraform to have access to things outside the designed deployemt scope. |
hit the same problem on rancher version 2.7.4 |
version v2.7.9 the same problem |
What kind of request is this (question/bug/enhancement/feature request):
bug
Steps to reproduce (least amount of steps as possible):
I just installed(clean install) Rancher 2.2.0-rc2 and I did try to login using Rancher CLI v2.2.0-rc9
Result:
level=fatal msg="Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=clusterID does not match]
Other details that may be helpful:
Environment information
Rancher version (
rancher/rancher
/rancher/server
image tag or shown bottom left in the UI):2.2.0-rc2
Installation option (single install/HA):
single
Cluster information
Cluster type (Hosted/Infrastructure Provider/Custom/Imported):
Infrastructure provider (Digital Ocean)
Machine type (cloud/VM/metal) and specifications (CPU/memory):
Cloud. 4GB memory and 2vCPUs
Kubernetes version (use
kubectl version
):!!! Note: This kubectl version is from my pc. !!!
docker version
):The text was updated successfully, but these errors were encountered: