Failed to get a RPST token from Proxymux
sherwoodzern opened this issue · 4 comments
Attempting to use the SDK sample code but it fails because it is unable to retrieve the RPST token.
```javascript
/**
 * Copyright (c) 2020, 2021 Oracle and/or its affiliates. All rights reserved.
 * This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license.
 */

/**
 * This is an example that shows how to use oke workload identity auth provider
 */
var identity = require("oci-identity");
var common = require("oci-common");

(async () => {
  const authProvider = await common.OkeWorkloadIdentityAuthenticationDetailsProvider.builder();
  const compartmentId = await authProvider.getStringClaim("res_tenant");
  const identityClient = new identity.IdentityClient({
    authenticationDetailsProvider: authProvider
  });
  identityClient.close();
})();
```
```
/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:169
throw Error(Failed to call Proxymux, error: ${e}. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}
);
^
Error: Failed to call Proxymux, error: TypeError: fetch failed. Failed to get a RPST token from Proxymux. See https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm for more info.
    at X509FederationClientForOkeWorkloadIdentity.<anonymous> (/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:169:23)
    at Generator.throw (<anonymous>)
    at rejected (/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:10:65)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Node.js v20.15.0
```
I executed additional tests with some logging information. I still get the same error, but I have a bit more information.
```
{"name":"workloadIdentity","hostname":"workloadauth-54d8796969-dz785","pid":1,"level":20,"msg":"The OciEnabledServiceSet is empty, all OCI services are enabled","time":"2024-07-05T21:46:46.590Z","v":0}
{"name":"workloadIdentity","hostname":"workloadauth-54d8796969-dz785","pid":1,"level":20,"msg":"Calling operation IdentityClient#listRegions.","time":"2024-07-05T21:46:46.591Z","v":0}
{"name":"workloadIdentity","hostname":"workloadauth-54d8796969-dz785","pid":1,"level":20,"msg":"Retry policy to use: MaximumNumberAttempts=7, MaxSleepBetween=30, ExponentialBackoffBase=2","time":"2024-07-05T21:46:46.593Z","v":0}
Request failed with Exception : [object Object]
Retrying request -> Total Attempts : 1, Retrying after 1.913 seconds...
/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:169
throw Error(Failed to call Proxymux, error: ${e}. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}
);
^
Error: Failed to call Proxymux, error: TypeError: fetch failed. Failed to get a RPST token from Proxymux. See https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm for more info.
    at X509FederationClientForOkeWorkloadIdentity.<anonymous> (/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:169:23)
    at Generator.throw (<anonymous>)
    at rejected (/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:10:65)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Node.js v20.12.2
```
The proxymux endpoint is:
```
federationClient: X509FederationClientForOkeWorkloadIdentity {
  proxymuxEndpoint: 'https://10.96.0.1:12250/resourcePrincipalSessionTokens',
```
@sherwoodzern Did you fix this issue? I'm getting the same error.
I did fix the issue. 2 items to correct the issue.
- You must be using a version of nodejs less than 20.
- add NODE_OPTIONS='--no-experimental-fetch'
Above these 2 items also add a line of code if you don't have it: identityClient.region = common.Region.fromRegionId(''); where is something like 'us-ashburn-1'.
The client could be database.client, etc.
If you are attempting to run the example as provided it will not work. As an example I had to modify the creation of the authentication provider to the following:
```javascript
const authProvider = await new common.OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder().build();
```
I hope this helps.
@sherwoodzern Thank you so much!!!!! You saved my life! You're so kind!
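The stack traces in this thread show only `TypeError: fetch failed`, which hides the underlying network or TLS error. The following is an added example, not code from the thread or from oci-common: it checks the runtime against the two items in the fix above and unwraps the `.cause` chain that Node's built-in fetch attaches. The names `describeErrorChain`, `preflight`, `probe` and `sampleFetchFailure` are hypothetical, and the sample error is constructed.

```javascript
// Added diagnostic sketch; all helper names are hypothetical, not part of oci-common.

// Node's built-in fetch reports only "TypeError: fetch failed"; the underlying
// error (DNS, TCP, TLS, ...) sits in the .cause chain, so walk it.
function describeErrorChain(err, maxDepth = 5) {
  const parts = [];
  for (let e = err, depth = 0; e && depth < maxDepth; e = e.cause, depth++) {
    const code = e.code ? ` [${e.code}]` : "";
    parts.push(`${e.name || "Error"}${code}: ${e.message ?? e}`);
  }
  return parts.join(" <- caused by: ");
}

// Check the runtime against the two items listed in the thread's fix.
function preflight(nodeVersion, env) {
  const findings = [];
  const major = parseInt(String(nodeVersion).replace(/^v/, ""), 10);
  if (Number.isNaN(major)) {
    findings.push(`cannot parse Node.js version "${nodeVersion}"`);
  } else if (major >= 20) {
    findings.push(`Node.js ${major} in use; the thread's fix calls for a version below 20`);
  }
  const opts = (env.NODE_OPTIONS || "").split(/\s+/).filter(Boolean);
  if (!opts.includes("--no-experimental-fetch")) {
    findings.push("NODE_OPTIONS lacks --no-experimental-fetch");
  }
  return findings;
}

// Probe an endpoint from inside the pod; fetchImpl is injectable for offline tests.
async function probe(url, fetchImpl = globalThis.fetch) {
  try {
    const res = await fetchImpl(url);
    return `reachable, HTTP ${res.status}`;
  } catch (e) {
    return describeErrorChain(e);
  }
}

// Constructed sample with the same shape as a built-in fetch failure
// (not the actual cause from this issue, which the thread never shows).
function sampleFetchFailure() {
  const cause = Object.assign(new Error("connect ECONNREFUSED 10.96.0.1:12250"), { code: "ECONNREFUSED" });
  return new TypeError("fetch failed", { cause });
}

console.log(preflight(process.version, process.env));
console.log(describeErrorChain(sampleFetchFailure()));
```

The SDK line in the stack trace interpolates the caught error into a string, so the cause is not carried on the error the SDK throws; calling `probe` on the `proxymuxEndpoint` value from inside the pod is what surfaces it.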