Solved

Getting "Forbidden" when generating a bearer token for GitOps sync

  • March 11, 2025
  • 16 replies
  • 12 views

I’m really having a hard time with the GitOps sync. I’ve repeatedly followed the steps to generate a bearer token and am always getting “Forbidden” when I attempt to make the production leader sync. This has worked in the past.

# 1. fetch a JWT with username/password and cache it on disk
mkdir -p ~/.auth
curl http://<Leader-URL-or-IP>:9000/api/v1/auth/login \
  -H 'Content-Type: application/json' \
  -d "{\"username\":\"<username>\",\"password\":\"<password>\"}" 2>/dev/null \
  | jq -r .token > ~/.auth/token
export JWT_AUTH_TOKEN=$(cat ~/.auth/token)
export AUTH_HEAD="Authorization: Bearer $(cat ~/.auth/token)"
# 2. trigger the production sync with the bearer token
curl -X POST "http://<Leader-URL-or-IP>:9000/api/v1/version/sync" \
  -H "accept: application/json" -H "${AUTH_HEAD}" \
  -d "ref=prod&deploy=true"

Any suggestions?
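As an added example (not the original poster's script and not a tool shipped with the product), the same login-then-sync flow written so that a "Forbidden" can be diagnosed rather than guessed at. The two endpoint paths and the `ref`/`deploy` form fields are taken from the post above; everything else is an assumption: the `LEADER_URL`/`LEADER_USER`/`LEADER_PASSWORD` environment variables, the claim names `sub`/`role`/`exp` inside the token, and the constructed `SAMPLE_TOKEN` used for offline checks. The script reads the password from the environment instead of the command line (so it stays out of shell history), writes the token file with mode 0600 instead of whatever the umask allows, decodes the JWT payload without verifying it to show which role and expiry the server actually issued, and reports the HTTP status of the sync call so that 401 (token not accepted) and 403 (token accepted, permission missing, which is the case in this thread) are not conflated. It keeps whatever scheme you put in `LEADER_URL`; over plain `http://` as in the post, the password and bearer token travel in clear, so prefer https where the leader offers it.

```python
"""Login, inspect the issued JWT, and call the GitOps sync endpoint with explicit
status handling. Added example; endpoint paths come from the forum post,
environment variable names and claim names are assumptions."""
import base64
import json
import os
import stat
import urllib.error
import urllib.parse
import urllib.request


def _b64url(raw: bytes) -> str:
    """base64url without padding, as JWTs use."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample token for offline checks: header and payload are real
# base64url JSON, the signature segment is a dummy. Claim names are assumed.
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"HS256","typ":"JWT"}'),
    _b64url(b'{"sub":"jcook","role":"admin","exp":1741737600}'),
    "dummy-signature",
])


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature.
    Fine for seeing which role/expiry the server put in the token before
    blaming the endpoint; never use this as an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_expired(claims: dict, now: float) -> bool:
    """True if the token carries an exp claim that is already in the past."""
    return "exp" in claims and now >= claims["exp"]


def save_token(token: str, path: str) -> str:
    """Write the token with 0600 permissions. A plain shell redirect inherits
    the umask and often leaves the token readable by other local users."""
    os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    os.chmod(path, 0o600)  # umask can only tighten the mode above, so pin it here
    return path


def token_file_mode(path: str) -> int:
    """Permission bits of the token file (0o600 expected)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def explain_status(status: int) -> str:
    """Turn the sync call's HTTP status into the next question to ask."""
    if status in (200, 201, 202):
        return "ok"
    if status == 401:
        return "unauthenticated: token missing, malformed or expired"
    if status == 403:
        return "forbidden: token accepted, but this principal lacks the permission the endpoint requires"
    return f"unexpected HTTP {status}"


def login(base_url: str, username: str, password: str, timeout: float = 10) -> str:
    """POST /api/v1/auth/login and return the token field from the JSON reply."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/auth/login", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["token"]


def sync(base_url: str, token: str, ref: str = "prod", deploy: bool = True,
         timeout: float = 30):
    """POST /api/v1/version/sync; return (status, body) instead of raising so
    that 401 and 403 can be told apart by the caller."""
    data = urllib.parse.urlencode({"ref": ref, "deploy": "true" if deploy else "false"}).encode()
    req = urllib.request.Request(f"{base_url}/api/v1/version/sync", data=data,
                                 headers={"Accept": "application/json",
                                          "Authorization": f"Bearer {token}"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


if __name__ == "__main__":
    import time
    base = os.environ["LEADER_URL"]          # assumed, e.g. https://leader.example:9000
    tok = login(base, os.environ["LEADER_USER"], os.environ["LEADER_PASSWORD"])
    save_token(tok, os.path.expanduser("~/.auth/token"))
    claims = decode_jwt_claims(tok)
    print("issued claims:", {k: claims[k] for k in ("sub", "role", "roles", "exp") if k in claims})
    if token_expired(claims, time.time()):
        print("token already expired; expect 401, not 403")
    status, body = sync(base, tok)
    print(status, explain_status(status), body[:200])
```

Run it as `LEADER_URL=https://<Leader-URL-or-IP>:9000 LEADER_USER=<username> LEADER_PASSWORD=<password> python3 sync.py`. If the printed claims show the admin role and the sync call still returns 403, the token is fine and the problem is server-side authorization on that endpoint, which is what the thread below ends up confirming.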

Best answer by nicktank

All, spoke with eng about this, there is a fix coming in 4.2.2. Unfortunately it is not a policy update we can make. The sync endpoint will be unblocked in the next release timed for next week. @Joshua Cook working on a plan for you in the interim

Also filed a story for ensuring that AD users can pull bearer tokens and use the APIs

16 replies

  • Author
  • Participating Frequently
  • March 11, 2025

One other note, I started really having trouble with this after upgrading to 4.2.1


  • Employee
  • March 11, 2025

This may be an issue with auth role changes in the most recent release due to our auth model changing. I’ll verify and get back to you soon.


  • Employee
  • March 11, 2025

For clarity, which role does the user have that is generating the bearer token?


  • Author
  • Participating Frequently
  • March 11, 2025

I’m currently falling back to a local admin user to generate the bearer token


  • Employee
  • March 11, 2025

Which role were you using before?


  • Author
  • Participating Frequently
  • March 11, 2025

Same one

Same account, I mean


  • Employee
  • March 11, 2025

Was the role admin on both accounts?


  • Employee
  • March 11, 2025

I mean in both instances


  • Author
  • Participating Frequently
  • March 11, 2025

Yes

In this case, I used the same account which has the admin role

It worked before upgrading to 4.2.1


  • Employee
  • March 11, 2025

No worries. I’ll be at my laptop in about an hour. Want to grab some time?


  • Author
  • Participating Frequently
  • March 11, 2025

Now I can’t get it to work

I’d love some help, yes!


  • Employee
  • March 11, 2025

Still 7:30am where I am. Will ping you as soon as I’m fully online.


  • Author
  • Participating Frequently
  • March 11, 2025

Sounds great!


  • Employee
  • March 11, 2025

For this thread: the sync endpoint is returning Forbidden for a local user with admin permissions. We tested this via the API tool in the prod environment UI (thanks Joshua for the time).

Joshua also showed me that AD users are unable to fetch tokens so will file something for that to take a look


Raanan Dagan
  • Employee
  • March 11, 2025

Support / bug ... that makes sense

