Account API Keys with Github Access Control

shawnHartsell · October 26, 2016, 5:42pm

As part of my company’s CI/CD pipeline, we have built a web service that manages the deployments of Rancher stacks across multiple environments. To achieve this we do the following:

The service is configured to use an account API key and secret. The service uses this to access the Rancher API
The service makes an API calls to Rancher to get the environments the account has access to via /v1/projects
The account is explicit given “Member” access to our environments

This pattern works well most of the time. However, we have noticed that there are several situations where the call to the projects endpoint is authenticated, but the payload returned is empty. Based on some preliminary tests, we have seen that if we log back into the Rancher UI with the user account, the API will eventually return the environments we expect.

Below is some information about our Rancher instance:

Version: 1.1.1
Access Control: GitHub (the account we generated the key for is part of our GitHub organization)

Is this a known issue with using Account API keys with GitHub access control? I haven’t noticed the same situation when running tests against a local Rancher instance using the default access control method. I also didn’t find any issue in the Rancher repository.

Thanks

shawnHartsell · October 31, 2016, 6:40pm

Bump…is anyone else having this issue?

aemneina · November 3, 2016, 8:36pm

hey @shawnHartsell we have an engineer checking to see if the api key is tied to the github token… will report back on the findings.

johnrengelman · November 7, 2016, 9:26pm

We have also seen this exact same behavior.

aemneina · November 8, 2016, 11:17pm

Looks like the github token is directly related to the user api key validity. One could extend this by editing https://RANCHER_URL/v1/activesettings/1as!api.auth.jwt.token.expiry

Let me know if that solves it for you.

vincent · November 8, 2016, 11:43pm

Uh, no… creating auth tokens with long lifetimes is a bad idea, and is unrelated to the github token, which is good forever. If the github token needs to be refreshed every 16 hours that’s a bug.

shawnHartsell · November 8, 2016, 11:56pm

I agree with Vincent, I don’t think it would be a good idea from a security
perspective to do that, even if we can somehow localize it to an individual
account.

aemneina · November 9, 2016, 12:42am

I’ll file a bug for this

shawnHartsell · November 9, 2016, 2:55pm

Is there a work around for this issue besides what’s already been mentioned? Is there a way to set up a local user account (with GitHub access control still enabled) via the REST API and use those account API keys?

Topic		Replies	Views
Rancher-compose and Account API Keys Rancher 1.x	8	1804	May 6, 2016
API key for all environments? Rancher 1.x	9	3244	June 17, 2016
GitHub Access Control API and Admin User Rancher 1.x	5	1070	August 8, 2017
Automate Access Control and API key creation Rancher 1.x	8	2143	January 10, 2018
Which API Key to use when creating new Accounts	2	1307	May 5, 2016

Account API Keys with Github Access Control

Related topics