nsc import user does not expect a decorated jwt

Question

nsc import user does not expect a decorated jwt

Closed this issue a year ago · 5 comments

When importing a system account using the procedure described here the final step fails.

root@clientk1:~# nsc import user --file system_user.jwt
[ERR ] failed to decode `system_user.jwt`: illegal base64 data at input byte 10

I was able to import the user by editing the jwt to remove the decoration line at the top and the corresponding line at the bottom of the file. That is, remove the "-----BEGIN NATS ACCOUNT JWT-----".

nsc describe user -a SYS -n sys-non-op --raw --output-file system_user.jwt

root@clientk1:~# nsc import user --file system_user.jwt
[ OK ] user sys-non-op was successfully imported

Note that nsc add operator and nsc import account expect decorated JWTs.

Similar issues reported in #381 #499. Apologies if this is fixed already.

nsc was installed using:

go install github.com/nats-io/nsc@latest

Answer 1 · 2023-03-22T19:34:00.000Z

Can you make sure you are running v2.8.0? - the script below works for me...

> set -x XDG_DATA_HOME /tmp/nsc
> set -x XDG_CONFIG_HOME /tmp/nsc
> nsc add operator O 
> nsc add account A
> nsc add user U
> nsc generate creds -a A -n U -o /tmp/u.creds
> nsc delete user -n U
> nsc import user --file /tmp/u.creds

Answer 2 · 2023-03-22T19:36:28.000Z

And yes the generated creds file has the armor:

-----BEGIN NATS USER JWT-----
eyJ0eXAiOiJKV1QiLCJhbGciOiJlZDI1NTE5LW5rZXkifQ.eyJqdGkiOiJMWkNUQzNKVTVaNURLSFVLSVY3T1FUNjZBMzZUMzZTU043UEZYNDNRQldPUTdSWFkzM09BIiwiaWF0IjoxNjc5NTEzNDMxLCJpc3MiOiJBRDRHTkRXTEtZRFkyUzNRRkVLVEpPS0ZUSldIM0dQR0gyNFZVR0Y2NFJCMjdCVU9CR01aQkg3RSIsIm5hbWUiOiJVIiwic3ViIjoiVUJGTE8ySEQ3M1I2VVBIWkNYRzJTM0hOM0NMSFlCTTVGWUVEUTZPVzdIVEdYQVpYVlozTFJDVk4iLCJuYXRzIjp7InB1YiI6e30sInN1YiI6e30sInN1YnMiOi0xLCJkYXRhIjotMSwicGF5bG9hZCI6LTEsInR5cGUiOiJ1c2VyIiwidmVyc2lvbiI6Mn19.Hd_qf-7n7iCPIZMEAUPheTbdH0edsdw0XTu9eFCl9R5Rq8PGZNZ0SZ0_gpYPdruTWocx7dYByk0yQf0T9-10CQ
------END NATS USER JWT------

************************* IMPORTANT *************************
NKEY Seed printed below can be used to sign and prove identity.
NKEYs are sensitive and should be treated as secrets.

-----BEGIN USER NKEY SEED-----
SUAJAAUXHZNTNE64M2PNT2HDW5U2453ZZOY2Z6T5KXT5777TLVXMMKPZXQ
------END USER NKEY SEED------

*************************************************************

Answer 3 · 2023-03-22T21:51:20.000Z

This ticket relates to importing a jwt created by nsc describe user.

root@jclient1:~# nsc --version
nsc version 2.8.0
root@jclient1:~# nsc import user --file system_user.jwt --overwrite
[ERR ] failed to decode `system_user.jwt`: illegal base64 data at input byte 10
Error: all jobs failed

Answer 4 · 2023-03-23T16:23:14.000Z

@kimjarvis thanks for finding this.

Answer 5 · 2023-03-23T17:29:40.000Z

Verified on branch.

root@jclient1:~# go install github.com/nats-io/nsc/v2@fix-571
go: downloading github.com/nats-io/nsc/v2 v2.8.1-0.20230323162836-61b883b4ffef
root@jclient1:~# nsc import user --file system_user.jwt --overwrite
[WARN] failed to parse decorated key in `system_user.jwt`: no nkey seed found
[ OK ] user sys-non-op2 was successfully imported
1 job succeeded - 1 have warnings