#fleet

Scott Blake

03/09/2022, 2:08 PM
I don't suppose it's possible to use the fleetctl CLI with an api-only user?
2:27 PM
I'm trying to write an automated backup solution that performs a few fleetctl get ... commands.
Noah Talerman

03/09/2022, 2:35 PM
Hey Scott, API-only users do have permissions to run fleetctl commands. API-only users do not have permissions to access the Fleet UI.

Scott Blake

03/09/2022, 2:50 PM
So I'm running into issues logging in with one. I used the API /login endpoint and grabbed the token. I then do fleetctl config set --token and it complains that I need to login.
2:50 PM
I feel like I'm missing a step, but I'm not sure where.
2:50 PM
The documentation is a bit lacking in this area.
Noah Talerman

03/09/2022, 3:15 PM
> then do fleetctl config set --token and it complains that I need to login.
This is unexpected. Sorry that you’re experiencing this issue. If you’re able to, can you please include the fleetctl config command you ran and the output in this thread (withholding any tokens/credentials)? This way the Fleet team can attempt to reproduce the issue.
> The documentation is a bit lacking in this area.
Agreed. I filed an issue to improve the docs here: https://github.com/fleetdm/fleet/issues/4533
3:16 PM
As a current workaround, you can run the fleetctl login command and enter the “API-only” user’s credentials when prompted. Then, after successful login, you can run fleetctl get commands.

Scott Blake

03/09/2022, 3:19 PM
Thank you. I'm in a meeting right now, but I will get that info to you when I can.
3:40 PM
Okay, while grabbing logs, I noticed that force_password_reset is true. I figure that's why the session is invalid. I just deleted and re-created my api-only user and that flag is still true.
3:49 PM
That was definitely it. You can create a user in the API with that flag set to false, but not via CLI.
3:51 PM
It is now working as expected; setting the token is all that is necessary to obtain a session.
Noah Talerman

03/09/2022, 4:20 PM
Glad you were successful!
> I noticed that force_password_reset is true
Ah, got it. This is not an ideal experience when creating an “API-only” user via CLI because, currently, the only way to trigger this password reset (and set force_password_reset to false) is by logging in via the UI.

Scott Blake

03/09/2022, 4:44 PM
No, it's not. I would think that would default to false for api-only. It should also be configurable via CLI like it is via API. I plan to create an issue on it when I get a minute.
9:35 PM
:thanks: for the help today @Noah Talerman.
Noah Talerman

03/09/2022, 10:02 PM
Thank you for filing the issue 😃