CrowdStrike / ansible_collection_falcon

Comprehensive toolkit for streamlining your interactions with the CrowdStrike Falcon platform.
https://galaxy.ansible.com/ui/repo/published/crowdstrike/falcon/
GNU General Public License v3.0

Authenticate to Crowdstrike API || 400 - Bad Request #173

Closed Rpedvin closed 2 years ago

Rpedvin commented 2 years ago

Currently attempting to install falcon to a new host, but keep running into a 400 error. Thought it was because we were initially using the wrong API link, but it still is throwing the same error. The creds we're using should be more or less fine, we've used them before, but I could use a few pointers to potentially resolve this issue. Having a hard time figuring out where else to dig to resolve it.

Ran with logging enabled and 2x verbosity. We have an encrypted variables file for CID token and others being pulled in via 'vars_files' module, just before invoking the collection role call on the top level playbook.

TASK [crowdstrike.falcon.falcon_install : CrowdStrike Falcon | Authenticate to CrowdStrike API] **************************************************************************************************************************************************************
task path: ~/ansible_collections/crowdstrike/falcon/roles/falcon_install/tasks/api.yml:2
fatal: [host]: FAILED! => {"changed": false, "connection": "close", "content": "{\n \"meta\": {\n  \"query_time\": 0.001812609,\n  \"powered_by\": \"csam\",\n  \"trace_id\": \"--\"\n },\n \"errors\": [\n  {\n   \"code\": 400,\n   \"message\": \"Failed to generate access token for clientID=cid.\"\n  }\n ]\n}\n", "content_length": "260", "content_type": "application/json", "date": "Fri, 15 Apr 2022 22:32:29 GMT", "elapsed": 0, "json": {"errors": [{"code": 400, "message": "Failed to generate access token for clientID=cid."}], "meta": {"powered_by": "csam", "query_time": 0.001812609, "trace_id": "--"}}, "msg": "Status code was 400 and not [201]: HTTP Error 400: Bad Request", "redirected": false, "server": "nginx", "status": 400, "strict_transport_security": "max-age=31536000; includeSubDomains", "url": "https://api.laggar.gcw.crowdstrike.com/oauth2/token", "x_cs_traceid": "--", "x_ratelimit_limit": "300", "x_ratelimit_remaining": "299"}

Any suggestions for further digging, things to try, further enabling verbose logging, etc?

kbendl commented 2 years ago

Additional info:

{
    "changed": false,
    "connection": "close",
    "content": "{\n \"meta\": {\n  \"query_time\": 0.001923652,\n  \"powered_by\": \"csam\",\n  \"trace_id\": \"4caf0401-c3f5-491d-a21f-5480f8e6b5d6\"\n },\n \"errors\": [\n  {\n   \"code\": 400,\n   \"message\": \"Failed to generate access token for clientID=THE_CORRECT_CLIENT_ID.\"\n  }\n ]\n}\n",
    "content_length": "260",
    "content_type": "application/json",
    "date": "Wed, 20 Apr 2022 15:13:05 GMT",
    "elapsed": 0,
    "invocation": {
        "module_args": {
            "attributes": null,
            "body": "client_id=THE_CORRECT_CLIENT_ID&client_secret=THE_CORRECT_SECRET",
            "body_format": "json",
            "ca_path": null,
            "client_cert": null,
            "client_key": null,
            "creates": null,
            "dest": null,
            "follow_redirects": "all",
            "force": false,
            "force_basic_auth": false,
            "group": null,
            "headers": {
                "content-type": "application/x-www-form-urlencoded"
            },
            "http_agent": "ansible-httpget",
            "method": "POST",
            "mode": null,
            "owner": null,
            "remote_src": false,
            "removes": null,
            "return_content": true,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                201
            ],
            "timeout": 30,
            "unix_socket": null,
            "unsafe_writes": false,
            "url": "https://api.laggar.gcw.crowdstrike.com/oauth2/token",
            "url_password": null,
            "url_username": null,
            "use_gssapi": false,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "json": {
        "errors": [
            {
                "code": 400,
                "message": "Failed to generate access token for clientID=XXXXXXXXXXXX."
            }
        ],
        "meta": {
            "powered_by": "csam",
            "query_time": 0.001923652,
            "trace_id": "4caf0401-c3f5-491d-a21f-5480f8e6b5d6"
        }
    },
    "msg": "Status code was 400 and not [201]: HTTP Error 400: Bad Request",
    "redirected": false,
    "server": "nginx",
    "status": 400,
    "strict_transport_security": "max-age=31536000; includeSubDomains",
    "url": "https://api.laggar.gcw.crowdstrike.com/oauth2/token",
    "x_cs_traceid": "4caf0401-c3f5-491d-a21f-5480f8e6b5d6",
    "x_ratelimit_limit": "300",
    "x_ratelimit_remaining": "299"
}

redhatrises commented 2 years ago

Are the appropriate API permissions (https://github.com/CrowdStrike/ansible_collection_falcon/tree/main/roles/falcon_install#falcon-api-permissions) configured for the oauth2 token and is the oauth2 token created in laggar.gcw.crowdstrike.com?
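Added example (not part of the thread or of the collection's code): a Python helper that masks the API client ID and secret in a saved `uri` failure result like the dumps above before it is shared, and extracts the fields this reply asks about (API host, status, trace ID, error messages). The sample input, the mask string and the name `triage` are constructed for illustration.

```python
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

SECRET_KEYS = {"client_id", "client_secret"}  # form fields to mask
MASK = "REDACTED"
_MSG = "Failed to generate access token for clientID=0123abcd."

# Constructed sample shaped like the failure result in this thread (values are fake).
SAMPLE = json.dumps({
    "status": 400,
    "url": "https://api.laggar.gcw.crowdstrike.com/oauth2/token",
    "x_cs_traceid": "00000000-0000-0000-0000-000000000000",
    "content": json.dumps({"errors": [{"code": 400, "message": _MSG}]}),
    "json": {"errors": [{"code": 400, "message": _MSG}]},
    "invocation": {"module_args": {
        "body": "client_id=0123abcd&client_secret=s3cr3tvalue"}},
})

def _mask_form(body):
    """Mask credential fields inside a form-urlencoded request body."""
    pairs = parse_qsl(body, keep_blank_values=True)
    return urlencode([(k, MASK if k in SECRET_KEYS else v) for k, v in pairs])

def _scrub(node):
    """Recursively mask credentials in dicts, lists and strings."""
    if isinstance(node, dict):
        return {k: _mask_form(v) if k == "body" and isinstance(v, str)
                else _scrub(v) for k, v in node.items()}
    if isinstance(node, list):
        return [_scrub(v) for v in node]
    if isinstance(node, str):
        # The API echoes the client ID back in its error message.
        return re.sub(r'clientID=[^.\s"\\]+', "clientID=" + MASK, node)
    return node

def triage(raw):
    """Return (summary, scrubbed_result) for a saved uri failure result."""
    result = _scrub(json.loads(raw))
    errors = result.get("json", {}).get("errors", [])
    summary = {
        "status": result.get("status"),
        "api_host": urlsplit(result.get("url", "")).hostname,
        "trace_id": result.get("x_cs_traceid"),
        "errors": [e.get("message") for e in errors],
    }
    return summary, result

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

The `api_host` value in the summary is the cloud the request went to, which is the one the API client must have been created in.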

redhatrises commented 2 years ago

@kbendl can you provide feedback if the above suggestion fixed your issue?

carlosmmatos commented 2 years ago

Hi @kbendl and @Rpedvin - any updates on this?

redhatrises commented 2 years ago

Closing this as there is no further movement. Please reopen if you need further assistance.