acquia / cli

Acquia CLI
GNU General Public License v2.0

CLI-1148: Can not login after Cloud Platform with enabled Federated Login #1593

Closed korkhau closed 12 months ago

korkhau commented 1 year ago

Describe the bug
With the mandatory parameter (https://docs.acquia.com/acquia-cli/known-issues/#id1), acli login does not work.

To Reproduce
Steps to reproduce the behavior:

  1. Add AH_ORGANIZATION_UUID to env
  2. Run acli auth:login
  3. Try to retrieve something environment-specific from the API, like the backups list: acli api:environments:database-backup-list {uuid} {db} --limit 1 --sort desc -vvv
  4. Observe the error:
    {
    "error": "additional_authentication_required",
    "message": "This resource requires additional authentication."
    }

Expected behaviour
Acquia CLI returns some backups.

Additional context
Reproducible for versions 2.14 and 2.15. The proposed approach from https://github.com/acquia/cli/issues/1582 to clear old creds before login with rm -rf ~/.acquia-php-sdk-v2 || exit did not work, and neither did calling it after login.

anavarre commented 1 year ago

Thanks for filing this issue. Could you please try to run this script locally (not in Cloud IDE or a container) and share the results here?

#!/usr/bin/env bash

notes() {
  echo "Notes:"
  echo ""
  echo "- This is a dummy script to try and help with Acquia CLI / Fed Auth issues."
  echo "- AH_ORGANIZATION_UUID can be found at: https://cloud.acquia.com/a/organizations/<GET_UUID_HERE>"
  echo "- Log in to accounts.acquia.com first."
  echo "- If the script runs without errors, try to re-authenticate with acli auth:login if you still have troubles."
  echo "- Delete ~/.acquia-php-sdk-v2 to wipe the access token cache."
  echo "- For test purposes, run Acquia CLI locally, not in Cloud IDE or in a container."
  echo ""
}

# Verify that acli is installed and recent enough, and that AH_ORGANIZATION_UUID is set.
check_requirements() {
  echo "Results:"
  echo ""
  [[ $(command -v acli) ]] && echo "- OK: Found Acquia CLI." || { echo "- ERROR: Acquia CLI was not found."; exit 1; }
  # Read the minor version only after confirming that acli exists.
  MINOR=$(acli --version | cut -c 14-15)
  [[ ${MINOR} -ge 14 ]] && echo "- OK: Minimum version detected." || { echo "- ERROR: Acquia CLI version should at least be 2.14.0"; exit 1; }
  [[ -d "${HOME}/.acquia-php-sdk-v2" ]] || echo "- OK: Access token cache was not found."
  [[ -z "${AH_ORGANIZATION_UUID}" ]] && { echo "- ERROR: AH_ORGANIZATION_UUID is not set!"; exit 1; } || echo "- OK: Local AH_ORGANIZATION_UUID is set to ${AH_ORGANIZATION_UUID}."
}

# Compare the local AH_ORGANIZATION_UUID with the organizations returned by the Cloud API.
validate_organization_uuid() {
  VALIDATE_UUID=$(acli api:organizations:list | grep "${AH_ORGANIZATION_UUID}" | awk '{ print $2 }' | tr -d '",' | head -n1)
  [[ "${AH_ORGANIZATION_UUID}" != "${VALIDATE_UUID}" ]] && { echo "- ERROR: Cloud's AH_ORGANIZATION_UUID does not match your local!"; exit 1; } || echo "- OK: Cloud's AH_ORGANIZATION_UUID matches your local."
}

notes
check_requirements
validate_organization_uuid

anavarre commented 12 months ago

There is now an improved known issue https://docs.acquia.com/acquia-cli/known-issues/#id1

I have published an improved version of the above troubleshooting script in case it can help with fixing the issue: https://gist.github.com/anavarre/fd690265f90cfa8784a4c5e5147be337

anavarre commented 12 months ago

We had multiple reports of success following the above docs page so I think you should be good here. 100% of the time when there was still an issue, it was because the AH_ORGANIZATION_UUID was not correctly set, so I think we should be good here.
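
A pre-flight check for the misconfiguration this thread converges on, an incorrectly set AH_ORGANIZATION_UUID. This is an added example, not part of the thread and not Acquia's script; the function names are hypothetical, and the canonical 8-4-4-4-12 UUID format is an assumption.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumption: an organization UUID is a
# canonical 8-4-4-4-12 hexadecimal string.

# Print a verdict for the candidate value in $1:
# unset | whitespace | quoted | url | malformed | ok. Returns 0 only for "ok".
classify_org_uuid() {
  value=$1
  [ -n "$value" ] || { echo unset; return 1; }
  case $value in
    *[[:space:]]*) echo whitespace; return 1 ;;   # stray space, tab or CR from a .env file
    \"*|*\"|\'*|*\') echo quoted; return 1 ;;     # literal quotes stored in the value
    http://*|https://*) echo url; return 1 ;;     # whole organization URL pasted
  esac
  if printf '%s\n' "$value" |
     grep -Eqi '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'; then
    echo ok; return 0
  fi
  echo malformed; return 1
}

# Check the variable as a child process such as acli would see it.
preflight_org_uuid() {
  if ! env | grep -q '^AH_ORGANIZATION_UUID='; then
    echo "ERROR: AH_ORGANIZATION_UUID is not exported to child processes." >&2
    return 1
  fi
  verdict=$(classify_org_uuid "$AH_ORGANIZATION_UUID") || true
  case $verdict in
    ok) echo "OK: AH_ORGANIZATION_UUID is well-formed."; return 0 ;;
    unset) hint="is exported but empty" ;;
    whitespace) hint="contains whitespace or a carriage return" ;;
    quoted) hint="contains literal quote characters" ;;
    url) hint="is a URL; keep only the UUID after /organizations/" ;;
    *) hint="is not a UUID" ;;
  esac
  echo "ERROR: AH_ORGANIZATION_UUID $hint." >&2
  return 1
}

# Usage: preflight_org_uuid && acli auth:login
```

A well-formed value can still belong to the wrong organization, so this complements the comparison against acli api:organizations:list in the script above rather than replacing it.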