Skip to content

[Bug] Cannot authenticate with user apikey #415

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
pyranja opened this issue Sep 4, 2023 · 4 comments
Open

[Bug] Cannot authenticate with user apikey #415

pyranja opened this issue Sep 4, 2023 · 4 comments
Labels
bug Something isn't working

Comments

@pyranja
Copy link

pyranja commented Sep 4, 2023

Describe the bug

I'm trying to use the elasticstack_fleet_enrollment_tokens data source, when using an api key for authentication.
Performing a terraform plan fails with a 401 Unauthorized status.

{"statusCode":401,"error":"Unauthorized","message":"[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate with provided credentials and anonymous access is not allowed for this request]: unable to authenticate with provided credentials and anonymous access is not allowed for this request"}

To Reproduce
Steps to reproduce the behavior:

provider "elasticstack" {
  fleet { # TODO inject
    endpoint = "https://replace-me.kb.eu-west-1.aws.found.io:443"
    api_key  = "REPLACE_ME_APIKEY"
  }
}

data "elasticstack_fleet_enrollment_tokens" "current" {
  policy_id = null # fetch all tokenss
}

Expected behavior
Can use an apikey to authenticate with fleet.

Debug output
Run terraform command with TF_LOG=trace and provide extended information on TF operations.

Additional context
I verified that the apikey works when contacting the api directly.
After checking the provider implementation, I suspect that the provider sends authorization headers with the Bearer prefix. Apikeys are expected to use the Apikey prefix though - https://www.elastic.co/guide/en/cloud/current/ec-api-authentication.html
@pyranja pyranja added the bug Something isn't working label Sep 4, 2023
@pyranja
Copy link
Author

pyranja commented Sep 23, 2023

I think that's a duplicate of #364 actually.

@pyranja pyranja closed this as not planned Won't fix, can't repro, duplicate, stale Sep 23, 2023
@xeivieni
Copy link
Contributor

@pyranja I think you close the issue too soon. I am facing the same issue and you were right on you supposition : here in the fleet client code we can see that the Authorization header is prefixed by the Bearer keyword instead of ApiKey https://github.com./elastic/terraform-provider-elasticstack/blob/main/internal/clients/fleet/client.go#L102

@xeivieni xeivieni mentioned this issue Feb 28, 2024
Merged
@tobio
Copy link
Member

tobio commented Feb 29, 2024

FWIW the correct link for the Kibana API is here. It's lacking some detail on how to use API key auth though. The conclusion is however still correct, i.e we need to use the ApiKey prefix, rather than Bearer.

The docs linked to in the original issue are for the ESS (Cloud) API which currently uses a different API key to Kibana/Elasticsearch.

@tobio tobio reopened this Feb 29, 2024
@daemitus
Copy link
Contributor

solved by #576

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tobio @daemitus @pyranja @xeivieni