Can't login with Rancher CLI in Rancher 2.2.x when API key is cluster scoped #18639

Closed
devfelipereis opened this issue Mar 6, 2019 · 16 comments
Labels
kind/bug Issues that are defects reported by users or that we know have reached a real release team/ui

@devfelipereis

devfelipereis commented Mar 6, 2019

What kind of request is this (question/bug/enhancement/feature request):
bug

Steps to reproduce (least amount of steps as possible):
I just installed (clean install) Rancher 2.2.0-rc2 and tried to log in using Rancher CLI v2.2.0-rc9

Result:
level=fatal msg="Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=clusterID does not match]

Other details that may be helpful:

Environment information

  • Rancher version (rancher/rancher / rancher/server image tag or shown bottom left in the UI):
    2.2.0-rc2

  • Installation option (single install/HA):
    single

Cluster information

  • Cluster type (Hosted/Infrastructure Provider/Custom/Imported):
    Infrastructure provider (Digital Ocean)

  • Machine type (cloud/VM/metal) and specifications (CPU/memory):
    Cloud. 4GB memory and 2vCPUs

  • Kubernetes version (use kubectl version):

!!! Note: This kubectl version is from my pc. !!!

Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.4", GitCommit:"c27b913fddd1a6c480c229191a087698aa92f0b1", GitTreeState:"clean", BuildDate:"2019-02-28T13:37:52Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.1", GitCommit:"eec55b9ba98609a46fee712359c7b5b365bdd920", GitTreeState:"clean", BuildDate:"2018-12-13T10:31:33Z", GoVersion:"go1.11.2", Compiler:"gc", Platform:"linux/amd64"}
  • Docker version (use docker version):
Client:
 Version:           18.09.3
 API version:       1.39
 Go version:        go1.10.8
 Git commit:        774a1f4
 Built:             Thu Feb 28 06:53:11 2019
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          18.09.3
  API version:      1.39 (minimum version 1.12)
  Go version:       go1.10.8
  Git commit:       774a1f4
  Built:            Thu Feb 28 05:59:55 2019
  OS/Arch:          linux/amd64
  Experimental:     false
@devfelipereis
Author

I found it.

It will not work if a scope is selected when adding an API Key.

@Nuxij

Nuxij commented Mar 31, 2019

I really hoped this wasn't the case 😢 If you scope the api key, you can't login with it? How does that work?

@superseb superseb reopened this Apr 3, 2019
@superseb superseb added kind/bug Issues that are defects reported by users or that we know have reached a real release version/2.0 labels Apr 3, 2019
@superseb superseb changed the title Can't login with Rancher CLI in Rancher 2.2.0-rc2 Can't login with Rancher CLI in Rancher 2.2.x when API key is cluster scoped Apr 3, 2019
@cjellick cjellick added this to the v2.2.x milestone Apr 3, 2019
@deniseschannon deniseschannon modified the milestones: v2.2.x, v1.6.x Apr 4, 2019
@PaulVerhoeven1

I have also got this problem!

@cjellick

A cluster-scoped token's primary intended use is for communicating with the Kubernetes API for a specific cluster.
It also works for Rancher API calls that fall under the cluster endpoint. This means a token scoped to cluster c-1234 will work for everything under /v3/clusters/c-1234. The problem is that the CLI currently makes calls that are outside of that scope endpoint (directly under /v3).
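
A minimal model of the scoping rule described in the comment above, as an added example that is not part of the thread and not Rancher's own code: a token scoped to c-1234 is accepted only for paths under /v3/clusters/c-1234, so calls made directly under /v3 are rejected. The helper name `allowedByClusterScope` and every sample path other than /v3/clusters/c-1234 are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// allowedByClusterScope models the rule from the comment above: a token
// scoped to clusterID is valid only for /v3/clusters/<clusterID> and
// anything beneath it. Hypothetical helper, not Rancher's implementation.
func allowedByClusterScope(clusterID, requestPath string) bool {
	if clusterID == "" {
		return true // unscoped token: this check imposes no path restriction
	}
	// Normalise first so "..", "." and duplicate slashes cannot make an
	// out-of-scope path look like it sits under the scoped prefix.
	clean := path.Clean("/" + requestPath)
	prefix := "/v3/clusters/" + clusterID
	// Match on a path-segment boundary: c-1234 must not authorise c-12345.
	return clean == prefix || strings.HasPrefix(clean, prefix+"/")
}

func main() {
	// Constructed sample paths; only /v3/clusters/c-1234 comes from the thread.
	samples := []string{
		"/v3",                            // root-level call, outside the scope
		"/v3/clusters/c-1234",            // the scoped cluster itself
		"/v3/clusters/c-1234/sub/item",   // beneath the scoped cluster
		"/v3/clusters/c-12345",           // different cluster sharing a prefix
		"/v3/clusters/c-1234/../c-9999",  // traversal out of the scope
	}
	for _, p := range samples {
		fmt.Printf("%-32s allowed=%v\n", p, allowedByClusterScope("c-1234", p))
	}
}
```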

@gaby

gaby commented May 8, 2019

I'm also running into this issue. It wasn't an issue in 2.2.1

@execthis

Same problem here with Rancher server v2.2.2. Selecting no scope did the trick.

@davidnuzik
Contributor

davidnuzik commented May 10, 2019

Should be fixed in v2.2.3-rc8 release candidate #20031 and latest master build. -- The change makes it more clear in the UI what the cluster-scoped tokens can and cannot do.

@davidnuzik
Contributor

Version: Master (v2.3) (5/13/19)

This change makes it more clear in the UI via %editApiKey.scopeSelect.helpText% what cluster-scoped tokens can and cannot do.

This helper text also links directly to documentation for Authorized Cluster Endpoint via https://rancher.com/docs/rancher/v2.x/en/cluster-provisioning/rke-clusters/options/#authorized-cluster-endpoint

@mkjpryor-stfc

mkjpryor-stfc commented Oct 29, 2019

@davidnuzik

I think that the help text is missing a key word - "only" - that I think is necessary for complete avoidance of doubt.

As in "Cluster-scoped tokens can only be used to interact directly with the Kubernetes API of clusters configured with an Authorized Cluster Endpoint".

@hholst80

I am still confused about what the conclusion is.

Are scoped API keys not supported with the Rancher CLI tool, yes or no?

@vincent99
Contributor

vincent99 commented Jan 19, 2020

The CLI does not work with cluster-scoped tokens. The changes made here were (only) to clarify that.

@jef

jef commented Mar 16, 2020

Is this a feature or should this change? Or can we change where the CLI points so that our cluster-scoped tokens succeed?

@laloyalo

Just to let you know that this is also affecting the Terraform provider, as it does not allow the usage of scoped tokens. It would be nice, because I don't want Terraform to have access to things outside the designed deployment scope.

@MisderGAO

Hit the same problem on Rancher version 2.7.4

@davidnuzik davidnuzik removed their assignment Aug 11, 2023
@kamil-j-kion

version v2.7.9 the same problem
