Title
#fleet
r

Ryan

07/28/2021, 6:34 PM
Has anyone seen a situation where the CLI context (API token) seems to stop working? We have it configured in
/root/.fleet/config
and when running
fleetctl
commands it should allow auth with that token, and it works for a bit, then stops working again:
$ fleetctl get labels --yaml
could not list labels: get labels received status 401 Authentication required: Authentication required
6:47 PM
Seems that maybe the token is expired if I log out of the web interface. Is there a way to generate one that persists? Explanation is there's an 'admin' user which has the token, but end-users are logging in with their own users. So I logged in as 'admin', generated the token, tested it (it worked) then I logged out, so I could log back in as myself.
Rachel Perkins

Rachel Perkins

07/28/2021, 10:25 PM
Upgrade Fleet to 4.x would invalidate your API token. The upgrade section talks about major changes that you might want to be aware of: https://github.com/fleetdm/fleet/releases/tag/v4.0.0 This won't happen on future updates. Let us know if you haven't recently upgraded or are still having trouble so we could figure this out!
r

Ryan

07/29/2021, 9:36 AM
Hi @Rachel Perkins yeah I regenerated the token from 4.x, but the same issue seems to happen, when I log out, the token seems to get invalidated.
9:53 AM
This time I regenerated it, then rather than logging out, I went back to
/login
and logged in as my main user, this time the token seems to remain valid. Is it possible the logout call is invalidating the session and API tokens?
Rachel Perkins

Rachel Perkins

07/29/2021, 4:10 PM
Ack! Yes, logging out does invalidate the token. Try using SSO if you haven't already or another work around is using 
fleetctl login
 and that will generate a separate session than the UIs-- let me know if it works!
r

Ryan

07/30/2021, 10:09 AM
Ah right, well for now I did my little "cheat" above, but since we're pushing these configs out via configuration management, it's a bit of a pain if there's no way to generate a more "permanent" token.
Rachel Perkins

Rachel Perkins

07/30/2021, 9:16 PM
You can config the expiration but unfortunately not the invalidation on logout. Take a look at the fleet server configure docs
r

Ryan

08/31/2021, 9:48 AM
ok thanks!