Account API Keys with Github Access Control

As part of my company’s CI/CD pipeline, we have built a web service that manages the deployments of Rancher stacks across multiple environments. To achieve this we do the following:

  • The service is configured to use an account API key and secret. The service uses this to access the Rancher API
  • The service makes an API calls to Rancher to get the environments the account has access to via /v1/projects
  • The account is explicit given “Member” access to our environments

This pattern works well most of the time. However, we have noticed that there are several situations where the call to the projects endpoint is authenticated, but the payload returned is empty. Based on some preliminary tests, we have seen that if we log back into the Rancher UI with the user account, the API will eventually return the environments we expect.

Below is some information about our Rancher instance:

Version: 1.1.1
Access Control: GitHub (the account we generated the key for is part of our GitHub organization)

Is this a known issue with using Account API keys with GitHub access control? I haven’t noticed the same situation when running tests against a local Rancher instance using the default access control method. I also didn’t find any issue in the Rancher repository.

Thanks :slight_smile:

Bump…is anyone else having this issue?

hey @shawnHartsell we have an engineer checking to see if the api key is tied to the github token… will report back on the findings.

We have also seen this exact same behavior.

Looks like the github token is directly related to the user api key validity. One could extend this by editing https://RANCHER_URL/v1/activesettings/1as!api.auth.jwt.token.expiry

Let me know if that solves it for you.

Uh, no… creating auth tokens with long lifetimes is a bad idea, and is unrelated to the github token, which is good forever. If the github token needs to be refreshed every 16 hours that’s a bug.

I agree with Vincent, I don’t think it would be a good idea from a security
perspective to do that, even if we can somehow localize it to an individual

I’ll file a bug for this

Is there a work around for this issue besides what’s already been mentioned? Is there a way to set up a local user account (with GitHub access control still enabled) via the REST API and use those account API keys?