
Comments (17)

jpcoenen avatar jpcoenen commented on June 15, 2024

Hi @elct9620 👋,

Thank you for your report! Looking at the error message, I think I know what happened here. Only the first 83 characters of the token (OP_CONNECT_TOKEN) got copied.

I tried reproducing this on 1Password.com and it is indeed possible to select only the first part of the token if you're not using the copy button. It is difficult to notice if this is happening. So I'll file an issue internally to fix this in the web interface.

To fix your problem right now, there are two options:

  • If you have saved the token to any of your vaults after creating it, you should be able to copy the full token and use that instead.
  • If you did not save it, I suggest revoking the old token and generating a new one. I recommend using the copy button (see below) on the right side of the text area for now. This guarantees you're copying the full token.

image

Let me know if that solves it for you.

from terraform-provider-onepassword.

elct9620 avatar elct9620 commented on June 15, 2024

@jpcoenen

My terraform.tfvars contains a 641-character token. I also tried to append \n after the token, and Terraform's error message shows the full token in my console. But I am not sure of the reason why it didn't send the full token.


jpcoenen avatar jpcoenen commented on June 15, 2024

That does indeed correspond to the correct length of a token. What made me think that I was certain of what was wrong, was this part of the error message:

failed to ParseSigned: illegal base64 data at input byte 84

It suggests there is a problem with the token around character 84. Could you check if anything unusual happens around character 84 of the token? By unusual I mean a character that is not a letter, a number, -, or _.


elct9620 avatar elct9620 commented on June 15, 2024

My token didn't contain any unusual character. I also tried to create another token but still have the same problem.

If I append the \n at the end of the token, the Terraform error message shows the full token.


jpcoenen avatar jpcoenen commented on June 15, 2024

I also tried to create another token but still have the same problem.

Good you gave that a try! Did you get the exact same error in the Connect server logs for both tokens? (so (could not parse JWT), failed to ParseSigned: illegal base64 data at input byte 84)


I also did some digging into the code and I realized that the problem would not necessarily have to be around character 84 for the specific error to show. The token consists of three different parts, all separated by a ".". Could you maybe also check if the characters 80-90 after any of the other two "." are OK?

If that does not show anything, we should check if it is something specific to Terraform. Would it be possible to give the following cURL a try? Does that return the exact same error? (also in Connect's logs)

OP_CONNECT_TOKEN=<your token>
curl -H "Authorization: Bearer $OP_CONNECT_TOKEN" http://172.31.1.175:8080/v1/vaults


elct9620 avatar elct9620 commented on June 15, 2024

Each token I generated is unable to use terraform to send the API request. But these tokens can correctly call the API via curl because I use the same token to find my vault id.


jpcoenen avatar jpcoenen commented on June 15, 2024

Okay, good to know it is Terraform-only. That helps a lot.

Let's dive a bit deeper to see what is going on. Could you maybe share the Terraform code and terraform.tfvars you are using? You can replace any sensitive values with a placeholder (e.g. <token>).


elct9620 avatar elct9620 commented on June 15, 2024

My terraform.tfvars

cloudflare_api_token="<token>"
do_token="<token>"
onepassword_token="<token>"
onepassword_url="http://172.31.1.175:8080"
onepassword_vault="<vault_id>"

The terraform I am using for the test

variable "onepassword_url" {
  description = "1Password Connect Server URL"
}

variable "onepassword_token" {
  description = "1Password Connect Access Token"
}

provider "onepassword" {
  url = var.onepassword_url
  token = var.onepassword_token
}

variable "onepassword_vault" {
  description = "1Password Vault for Database"
}

resource "onepassword_item" "demo_password" {
  vault = var.onepassword_vault

  title    = "Demo Password Recipe"
  category = "password"

  password_recipe {
    length  = 40
    symbols = false
  }
}


jpcoenen avatar jpcoenen commented on June 15, 2024

That code seems to be okay 😃 Unfortunately that also means I am having some trouble reproducing the issue locally. I am going to ask around to see if anyone else has some suggestions about what is going on here.

One thing you could check in the meantime is if, by any chance, the last character of the token is missing. That is another way to get this exact (illegal base64 data at input byte 84) error.

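An added example, not part of the thread and not 1Password's code: a Go check for the two points made in the comments above, that the byte offset in "illegal base64 data at input byte N" (the wording of Go's encoding/base64 corruption error) counts from the start of one of the three "."-separated parts rather than from the start of the token, and that dropping the token's last character is enough to trigger it. CheckToken, SegmentReport, the constructed sample token and the assumption that each part is unpadded base64url are hypothetical.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"fmt"
	"strings"
)

// SegmentReport describes one dot-separated part of a compact token.
type SegmentReport struct {
	Index  int    // 0, 1 or 2: position of the segment in the token
	Length int    // number of characters in the segment
	Err    string // decoder error text, empty if the segment decodes
}

// CheckToken decodes each segment as unpadded base64url and records the
// decoder error per segment. It never returns or prints token material.
func CheckToken(token string) ([]SegmentReport, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, found %d", len(parts))
	}
	reports := make([]SegmentReport, 0, len(parts))
	for i, p := range parts {
		r := SegmentReport{Index: i, Length: len(p)}
		if _, err := base64.RawURLEncoding.DecodeString(p); err != nil {
			r.Err = err.Error() // byte offset counts from the start of this segment
		}
		reports = append(reports, r)
	}
	return reports, nil
}

// SampleToken returns a constructed, non-functional token whose third
// segment encodes 64 bytes (86 characters). The sizes are assumptions.
func SampleToken() string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"typ":"sample"}`)) + "." +
		enc([]byte(`{"sub":"constructed"}`)) + "." +
		enc(bytes.Repeat([]byte{0x5a}, 64))
}

func main() {
	full := SampleToken()
	for _, tok := range []string{full, full[:len(full)-1]} { // intact, then last char dropped
		reports, _ := CheckToken(tok)
		fmt.Printf("%+v\n", reports)
	}
}
```

Because the report carries only segment lengths and decoder errors, its output can be pasted into an issue without exposing the token.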

elct9620 avatar elct9620 commented on June 15, 2024

Oops, I double-checked my token and it was missing one character in my terraform.tfvars. But after fixing it, I still get a 401 error returned from the API. But curl works correctly with the same token.

The logs from my docker


2021-05-26 15:11:33 | stdout | {"log_message":"(I) POST /v1/vaults/bmtferd2cmdmi6ejx5jelmu4xy/items completed (401: Unauthorized)","timestamp":"2021-05-26T15:11:33.688914562Z","level":3,"scope":{"request_id":"335f7d1e-a394-45c3-a344-6be5b1cf2faa","jti":"wo2zrshxvkbclcky36zpulfvmi"}}
2021-05-26 15:11:33 | stdout | {"log_message":"(I) POST /v1/vaults/bmtferd2cmdmi6ejx5jelmu4xy/items","timestamp":"2021-05-26T15:11:33.677286661Z","level":3,"scope":{"request_id":"335f7d1e-a394-45c3-a344-6be5b1cf2faa"}}


jpcoenen avatar jpcoenen commented on June 15, 2024

We're getting somewhere now!

Could it be that the token only has read access to the vault you're using? Version 1.1 of Connect returns a 401 in that case, including a message that this is the case. Unfortunately, our Go SDK (and therefore the Terraform Provider) does not present this message to you, yet. Getting this fixed, is in the works.

If this is not the solution, a way to get the message behind the error (while the SDK is not updated), is performing a POST through cURL:

curl -X POST -H "Authorization: Bearer $OP_TOKEN" http://172.31.1.175:8080/v1/vaults/bmtferd2cmdmi6ejx5jelmu4xy/items | jq


elct9620 avatar elct9620 commented on June 15, 2024

When I use curl to send the POST request, it returns a 401 error. The config in my 1Password vault already gives full access to this token.


jpcoenen avatar jpcoenen commented on June 15, 2024

When I use curl to send the POST request, it returns a 401 error. The config in my 1Password vault already gives full access to this token.

Could you share the exact response? The included message field (or lack thereof) would be helpful in finding a solution.

For example, this is what I got from performing the request with a read-only token (it should show a different message in your case):

$ curl -X POST -H "Authorization: Bearer $OP_TOKEN" http://localhost:8080/v1/vaults/dj8290av5i7gextkqv45g7algw4/items | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    94  100    94    0     0     92      0  0:00:01  0:00:01 --:--:--    92
{
  "status": 401,
  "message": "Unauthorized Request, token does not have write access to the Vault"
}


elct9620 avatar elct9620 commented on June 15, 2024

The message returned from my Connect API server

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    94  100    94    0     0   5529      0 --:--:-- --:--:-- --:--:--  5529
{
     "status" => 401,
    "message" => "Unauthorized Request, token does not have write access to the Vault"
}


jpcoenen avatar jpcoenen commented on June 15, 2024

It looks like the token does not have write access to the vault. The Connect instance and Access Token must both have write access to the vault.

You can check this, by unfolding the details of the token on the Connect details page. The vault you're using should be listed as Read, Write for the access token:
image

And it should also be listed as Read, Write for the Connect instance itself:
image

For the Connect instance, you can click the gear to change the permissions. If the write permission is missing for the Access Token, you can best create a new token with read + write permissions. Make sure to enable both read and write after selecting the vault:
image

Let me know if that helps 😊


elct9620 avatar elct9620 commented on June 15, 2024

Oh, I notice my token is read-only. The new token works correctly, thanks.


jpcoenen avatar jpcoenen commented on June 15, 2024

Awesome! Glad you got it to work 👍
