`nsc add export` should not attempt to validate the account signing keys in the local keystore
kimjarvis opened this issue · 1 comments
nsc add export
attempts to validate the account and operator nkeys in the local keystore, but in the self service deployment model the local keystore does not contain the private key of the account or the operator.
In this example we add a public stream on the client as described here Adding a Public Stream Export. Similar errors occur when adding a private stream and when exporting both public and private services from the account.
root@instance:/# nsc add export --name abc --subject "a.b.c.>" --account CA \
--config-dir $HOME/client_config \
--data-dir $HOME/client_data \
--keystore-dir $HOME/client_keys
Error: unable to resolve any of the following signing keys in the keystore: OA4CV76DVMXIQWDEQHH4XKENDORZOXPV5ZJ6N4G7XFBBSE7AXYMBKGEX, ACM2NOGGLE7ZXYISWJFOTE3OOWBQYYMQD3V6ZSDLH6XV7UYHXPHT2DWU
In the self service model, the administrator creates an account for the client to import. The client first import the operator JWT, then the account JWT. In the self service model, the account nkeys are not available in the client's local keystore. The operator and account nkeys are private to to the administrator. The nsc add export
command should not attempt to validate the account nkey in the local keystore because they may not be present.
This ticket is similar to #577.
See #577 - the issue here is your operator at the account level should have been imported to mark it as a managed operator
- when the operator is not managed, the requirement is that issuer keys at the appropriate level are available. Account CRUD require Operator Keys, User CRUD require account keys.
See #577 for more information.