Osquery uses basic SQL commands to leverage a relational data-model to describe a device.

osquery

I don't suppose it's possible to use the fleetctl CLI with an api-only user?

I'm trying to write an automated backup solution that performs a few `fleetctl get ...` commands.

Hey Scott, API-only users do have permissions to run `fleetctl` commands.

API-only users do not have permissions to access the Fleet UI.

So I'm running into issues logging in with one. I used the API /login endpoint and grabbed the token. I then do `fleetctl config set --token` and it complains that I need to login.

I feel like I'm missing a step, but I'm not sure where.

The documentation is a bit lacking in this area.

&gt; then do `fleetctl config set --token` and it complains that I need to login.
This is unexpected. Sorry that you’re experiencing this issue.

If you’re able to, can you please include the `fleetctl config` command you ran and the output in this thread (withholding any tokens/credentials) ? This way the Fleet team can attempt to reproduce the issue.

&gt; The documentation is a bit lacking in this area.
Agreed. I filed an issue to improve the docs here: <https://github.com/fleetdm/fleet/issues/4533>

As a current workaround, you can run the `fleetctl login` command and enter the “API-only” user’s credentials when prompted.

Then, after successful login, you can run `fleetctl get` commands.

Thank you. I'm in a meeting right now, but I will get that info to you when I can.

Okay, while grabbing logs, I noticed that `force_password_reset` is `true`. I figure that's why the session is invalid. I just deleted and re-created my api-only user and that flag is still true.

That was definitely it. You can create a user in the API with that flag set to false, but not via CLI.

It is now working as expected; setting the token is all that is necessary to obtain a session.

Glad you were successful!

&gt; I noticed that `force_password_reset` is `true`
Ah, got it.

This is not an ideal experience when creating an “API-only” user via CLI because, currently, the only way to trigger this password reset (and set `force_password_reset` to `false` is by logging in via the UI.

No it's not. I would think that would default to false for api-only. It should also be configurable via CLI like it is via API. I plan to create an issue on it when I get a minute.

FYI: <https://github.com/fleetdm/fleet/issues/4540>

:thanks: for the help today <@U01DUNSE2AU>.