tailscale/gitops-acl-action

Running the action fails with 'wanted HTTP status code 200 but got 403'

srijanshetty opened this issue · 7 comments

I'm trying to set up the action to deploy to Tailscale but the action always errors out.

You see this error message in the output of the Action run in GitHub, or in journalctl, or somewhere else?

The GitHub Action makes https connections to the Tailscale coordination server. Getting a 403 from the coordination server seems unlikely, I'm going to guess that the 403 is from an HTTPS connection that later code in your run is trying to make to a destination using Tailscale to connect to it.

403 from that HTTP server means it was able to connect, but the remote server rejected it. This likely means Tailscale isn't directly involved: it connected to the HTTP server. The HTTP server might be configured to accept connections only from particular IP ranges like 172.16.0.0/16, which will reject a Tailscale IP from 100.64.0.0/10.

Thanks for the reply @DentonGentry.

Here's the log:

Run tailscale/gitops-acl-action@v1

/usr/bin/docker run --name <xxxxx> --label <xxxxx> --workdir /github/workspace --rm -e "INPUT_API-KEY" -e "INPUT_TAILNET" -e "INPUT_ACTION" -e "INPUT_POLICY-FILE" -e "TS_API_KEY" -e "TS_TAILNET" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" -e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" -e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" -e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" -e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" -e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" -e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" -e "RUNNER_NAME" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" -e "ACTIONS_CACHE_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/tailscale-acl/tailscale-acl":"/github/workspace" <xxxxx> "--policy-file=./policy.hujson" "test"

wanted HTTP status code 200 but got 403

TS_API_KEY

By default, API keys expire after 90 days. If the API key is likely older than that, a new one can be allocated at https://login.tailscale.com/admin/settings/keys and the GitHub secret updated.

@DentonGentry I issued a new API key just yesterday. Whatever I do, I end up with wanted HTTP status code 200 but got 403

Nonetheless, the TS_API_KEY being expired, invalid, or not corresponding to the tailnet defined in the tailnet input parameter is the main possibility that I can see. You could test whether the key matches the tailnet name using https://github.com/tailscale/tailscale/blob/main/api.md

To look into it further we'd need to know the name of the tailnet.

If you'd prefer not to put the tailnet name in a public bug, you can submit it to https://tailscale.com/contact/support/ and reference this bug.
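A preflight check for the key/tailnet pairing suggested above, as an added example that is not the action's own code: it issues the same read of the tailnet ACL the action performs, using the endpoint and basic-auth scheme documented in api.md (API key as username, empty password), and explains a 403 the way this thread does. The `fake_opener` helper is a constructed stand-in so the check can be exercised offline; the env var names TS_API_KEY and TS_TAILNET are the ones visible in the log above.

```python
import base64
import os
import urllib.error
import urllib.request

# Assumed from api.md: the tailnet's ACL is read with GET /api/v2/tailnet/{tailnet}/acl,
# authenticated with HTTP basic auth (API key as user, empty password).
API_BASE = "https://api.tailscale.com/api/v2"


def basic_auth_header(api_key: str) -> str:
    """Authorization value for a Tailscale API key: base64("<key>:")."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def acl_request(tailnet: str, api_key: str) -> urllib.request.Request:
    """Build the ACL read request for the given tailnet (organization) name."""
    url = f"{API_BASE}/tailnet/{tailnet}/acl"
    return urllib.request.Request(url, headers={"Authorization": basic_auth_header(api_key)})


def explain_status(status: int, tailnet: str) -> str:
    """Map the HTTP status onto the causes discussed in this thread."""
    if status == 200:
        return f"ok: key can read the ACL of tailnet {tailnet!r}"
    if status == 403:
        return (f"403 for {tailnet!r}: key is expired (90-day default), invalid, or does "
                "not match this tailnet; use the organization name from Settings, "
                "not the DNS tailnet name")
    return f"unexpected HTTP {status} for {tailnet!r}"


def preflight(tailnet: str, api_key: str, opener=urllib.request.urlopen) -> tuple[int, str]:
    """Perform the check and return (status, explanation)."""
    try:
        with opener(acl_request(tailnet, api_key)) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:  # urlopen raises on 4xx/5xx
        status = err.code
    return status, explain_status(status, tailnet)


class _FakeResponse:
    def __init__(self, status): self.status = status
    def __enter__(self): return self
    def __exit__(self, *exc): return False


def fake_opener(status: int):
    """Constructed offline replacement for urlopen that answers with one fixed status."""
    def _open(req):
        if status >= 400:
            raise urllib.error.HTTPError(req.full_url, status, "constructed", None, None)
        return _FakeResponse(status)
    return _open


if __name__ == "__main__":
    print(preflight(os.environ["TS_TAILNET"], os.environ["TS_API_KEY"])[1])
```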

Thanks @DentonGentry will follow the steps you mentioned!

You were right on the money @DentonGentry.

The confusion stemmed from using the Tailnet Name in the DNS tab instead of the Organization Name from the Settings Tab.
