argoproj / argo-cd

Declarative Continuous Deployment for Kubernetes
https://argo-cd.readthedocs.io
Apache License 2.0

Generated tokens for users aren't registered for said user #12559

Open joshua9519 opened 1 year ago

joshua9519 commented 1 year ago

Describe the bug

When I create a user - be it an apiToken or both login and apiToken user - and then attempt to generate a token for it via the UI or the CLI or API, a token is returned but it is not registered in the user's list of tokens and so can't be used. If I do attempt to use it, I see:

FATA[0001] rpc error: code = Unauthenticated desc = invalid session: account githubci does not have token with id <uuid>

To Reproduce

  1. Deploy argocd at the latest release.
  2. Add a user via the argocd-cm: accounts.githubci: apiKey,login
  3. Go to the UI and log in with the admin user.
  4. Go to Settings -> Accounts and check the user has been created.

Via UI:

  1. Go to the new account and click generate token.

Alternatively, via the API:

  1. Get an API token for the admin user:
    export ARGOCD_TOKEN=$(curl $ARGOCD_SERVER/api/v1/session -d $'{"username":"admin","password":"password"}' | jq -r .token)
  2. Generate a token for the user:
    export CI_TOKEN=$(curl $ARGOCD_SERVER/api/v1/account/githubci/token -X POST -H "Authorization: Bearer $ARGOCD_TOKEN" | jq -r .token)
  3. Try to use the token outputted:
    curl $ARGOCD_SERVER/api/v1/applications -H "Authorization: Bearer $CI_TOKEN"

Expected behavior

Expect that the generated token should be added to the account's list of tokens and thus can be used to run commands as that user.

Version

argocd: v2.6.2+6e02f8b
  BuildDate: 2023-02-16T15:05:14Z
  GitCommit: 6e02f8b23201b0620a4ff1bce5d38229ba1eb02e
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
argocd-server: v2.6.2+6e02f8b
  BuildDate: 2023-02-16T15:05:14Z
  GitCommit: 6e02f8b23201b0620a4ff1bce5d38229ba1eb02e
  GitTreeState: clean
  GoVersion: go1.18.10
  Compiler: gc
  Platform: linux/amd64
  Kustomize Version: v4.5.7 2022-08-02T16:35:54Z
  Helm Version: v3.10.3+g835b733
  Kubectl Version: v0.24.2
  Jsonnet Version: v0.19.1

Logs

time="2023-02-21T15:15:51Z" level=info msg="received unary call /account.AccountService/CreateToken" grpc.method=CreateToken grpc.request.content="name:\"githubci\" " grpc.service=account.AccountService grpc.start_time="2023-02-21T15:15:51Z" span.kind=server system=grpc
time="2023-02-21T15:15:51Z" level=info msg="Starting configmap/secret informers"
time="2023-02-21T15:15:51Z" level=info msg="configmap informer cancelled"
time="2023-02-21T15:15:51Z" level=info msg="Configmap/secret informer synced"
time="2023-02-21T15:15:51Z" level=info msg="finished unary call with code OK" grpc.code=OK grpc.method=CreateToken grpc.service=account.AccountService grpc.start_time="2023-02-21T15:15:51Z" grpc.time_ms=127.741 span.kind=server system=grpc
time="2023-02-21T15:15:51Z" level=info msg="secrets informer cancelled"
time="2023-02-21T15:15:51Z" level=info msg="Notifying 1 settings subscribers: [0xc000dfa960]"
time="2023-02-21T15:15:51Z" level=info msg="Notifying 1 settings subscribers: [0xc000dfa960]"
time="2023-02-21T15:16:21Z" level=info msg="finished unary call with code Unauthenticated" error="rpc error: code = Unauthenticated desc = invalid session: account githubci does not have token with id e13dc121-14d8-445f-b384-bc249f9c88cc" grpc.code=Unauthenticated grpc.method=List grpc.service=application.ApplicationService grpc.start_time="2023-02-21T15:16:21Z" grpc.time_ms=17.695 span.kind=server system=grpc

jutley commented 1 year ago

I may be running into this as well. Are you using anything to control your argocd-secret Secret, such as an ExternalSecret? It looks like this secret gets updated with the new token data, but this quickly gets removed from the ExternalSecret syncing.

john-jam commented 1 year ago

I also experienced generated tokens being deleted randomly.

Turns out it was because I re-applied my terraform configuration so the accounts.<myuser>.tokens entry in the argocd-secret Secret was removed.

A workaround is to ignore the argocd-secret changes or to add the accounts.<myuser>.tokens in the terraform configuration.

crenshaw-dev commented 1 year ago

I think this is a reason we should do this: https://github.com/argoproj/argo-cd/issues/10393

patpicos commented 4 months ago

> I also experienced generated tokens being deleted randomly.
>
> Turns out it was because I re-applied my terraform configuration so the accounts.<myuser>.tokens entry in the argocd-secret Secret was removed.
>
> A workaround is to ignore the argocd-secret changes or to add the accounts.<myuser>.tokens in the terraform configuration.

Is accounts.<myuser>.tokens documented anywhere?

crenshaw-dev commented 4 months ago

@patpicos nowhere besides a small mention here: https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-secret-yaml/

yair-segal commented 2 months ago

@john-jam - can you please elaborate on the workaround:

> A workaround is ... to add the accounts.<myuser>.tokens in the terraform configuration.

How is the token (not secret) being created/managed? When I create an API token and inspect argocd-secret, I see it has the following structure:

$ kubectl get secret argocd-secret -o yaml
...
data:
    accounts.myuser.tokens: <base64>

and when I decode it I get something like this:

[{"id":"<UUID which is not the token>","iat":1724123456}]
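
To diagnose the error reported in this thread, the following added example (not part of the thread and not Argo CD code) compares the id inside an API token with the ids stored under accounts.<account>.tokens in argocd-secret. It assumes the id is carried in the JWT `jti` claim; the token, UUID and Secret contents are constructed sample values.

```python
import base64
import json

# Constructed sample values; nothing below comes from a real cluster.
SAMPLE_ID = "00000000-0000-4000-8000-000000000001"


def _seg(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Assumption: the token id travels in the JWT "jti" claim. Signature is a dummy.
_CLAIMS = {"jti": SAMPLE_ID, "iat": 1724123456}
SAMPLE_TOKEN = ".".join([_seg({"alg": "HS256", "typ": "JWT"}), _seg(_CLAIMS), "c2ln"])
_TOKENS = json.dumps([{"id": SAMPLE_ID, "iat": 1724123456}]).encode()
# Secret .data right after CreateToken, and after an external tool re-applied it.
SECRET_AFTER_CREATE = {"accounts.githubci.tokens": base64.b64encode(_TOKENS).decode()}
SECRET_AFTER_REAPPLY = {}


def jwt_claims(token: str) -> dict:
    """Return the JWT payload without verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def registered_ids(secret_data: dict, account: str) -> set:
    """Token ids listed under accounts.<account>.tokens in the Secret's .data."""
    raw = secret_data.get(f"accounts.{account}.tokens")
    if not raw:  # key absent or empty, e.g. overwritten by a re-apply
        return set()
    return {entry["id"] for entry in json.loads(base64.b64decode(raw))}


def diagnose(token: str, secret_data: dict, account: str) -> str:
    """Say whether the token's id is still registered for the account."""
    jti = jwt_claims(token).get("jti")
    if jti in registered_ids(secret_data, account):
        return f"registered: {jti}"
    return f"account {account} does not have token with id {jti}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, SECRET_AFTER_CREATE, "githubci"))
    print(diagnose(SAMPLE_TOKEN, SECRET_AFTER_REAPPLY, "githubci"))
```

Against a live cluster, `secret_data` would be the `.data` map from `kubectl get secret argocd-secret -o json`; a token whose id disappears from that map between creation and use points at something else rewriting the Secret.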

john-jam commented 2 months ago

@yair-segal My use case was probably different than yours but here is a more detailed description if that can help:

So the workaround was to ignore the accounts.myuser.tokens with the lifecycle.ignore_change option in the k8s secret terraform resource definition.

yair-segal commented 2 months ago

Hi @john-jam thanks for the added details. Our use case is similar -- we are using the terraform resource "helm_release" to manage the ArgoCD helm chart lifecycle (including the argocd-secret Secret object), and pass the values to the values field.

But yes, when changing a value in the Values to the helm chart, the argocd-secret Secret wipes out the tokens.

Two thoughts:

  1. Is this an "ArgoCD" issue, or a Terraform/Helm chart issue?
  2. Why/how come Argo doesn't show the argocd-secret as out-of-sync when the tokens entries are added?

john-jam commented 2 months ago

Hi @yair-segal,

I'm not the right person to answer about how ArgoCD internally works. You might want to ask a maintainer instead. Hope you'll find your answers and a workaround for your use case!