Dify Premium on AWS - Unable to invite additional users

[yhamade-vendr]

Self Checks

• [X] This is only for bug report, if you would like to ask a question, please head to Discussions.
• [X] I have searched for existing issues search for existing issues, including closed ones.
• [X] I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
• [X] [FOR CHINESE USERS] 请务必使用英文提交 Issue，否则会被关闭。谢谢！:）
• [X] Please do not modify this template :) and fill in all the required fields.

Dify version

0.7.3

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

After setting up a new version of the Dify Premium on AWS. I am unable to invite additional users. When sending the invite, I recieve an error: Below users were not invited successfully, highlighting over the (?) indicates Authentication required.

• Went through the initial install (/install) to create the first user.
• Upgraded the docker image to the latest version following these instructions: https://docs.dify.ai/getting-started/dify-premium-on-aws
• Updated the .env file as indicated here: https://docs.dify.ai/getting-started/install-self-hosted/environments#mail-related-configuration
  • MAIL_TYPE=resend
  • MAIL_DEFAULT_SEND_FROM=my-sending-email@subdomain.mydomain.com
  • RESEND_API_KEY=re_XxxxxxxXXxxREDACTEDXxxxxxxXXxx
• Restarted the containers using these commands:

  docker-compose down
  docker-compose -f docker-compose.yaml -f docker-compose.override.yaml up -d

• Verified that I'm able to send emails to through the EC2 image using the same values.

  curl -X POST 'https://api.resend.com/emails' \
  -H 'Authorization: Bearer <my-api-key>' \
  -H 'Content-Type: application/json' \
  -d $'{
  "from": "<my-sending-email@subdomain.mydomain.com>",
  "to": ["<my-email@mydomain.com>"],
  "subject": "hello world",
  "html": "<p>it works!</p>"
  }' 

Note: I do not see an option for Dify Premium on AWS for Cloud or Self Hosted so I'm selecting Self Hosted (Docker) instead.

✔️ Expected Behavior

User to be added and email to be sent with invite.

❌ Actual Behavior

"Below users were not invited successfully", highlighting over the (?) indicates "Authentication required."

[dosubot[bot]]

@yhamade-vendr Hello there! I'm here to help you with any bugs, questions, or contributions you have. Let's get this sorted out! 🤖

The error message "Authentication required" when inviting additional users in Dify Premium on AWS suggests that there might be an issue with the email service configuration in your .env file. Here are a few steps to troubleshoot and resolve this issue:

1. Verify .env Configuration: Ensure that your .env file has the correct configurations for the Resend email provider. It should look something like this:

   MAIL_TYPE=resend
   MAIL_DEFAULT_SEND_FROM=my-sending-email@subdomain.mydomain.com
   RESEND_API_KEY=re_XxxxxxxXXxxREDACTEDXxxxxxxXXxx

2. Check API Key and Email Configuration: Double-check that the RESEND_API_KEY and MAIL_DEFAULT_SEND_FROM values are correct and match the ones you used in your curl command, which successfully sent an email.

3. Restart Docker Containers: After making any changes to the .env file, ensure you restart your Docker containers to apply the new configurations:

   docker-compose down
   docker-compose -f docker-compose.yaml -f docker-compose.override.yaml up -d

4. Check for Errors in Logs: Inspect the logs for any errors related to email sending. You can view the logs using:

   docker-compose logs

5. Verify Email Sending Capability: Since you have already verified that you can send emails using the curl command, ensure that the same API key and email address are being used by Dify.

6. Review Dify Codebase for Email Sending: The email sending functionality in Dify is configured in the docker-compose.yaml file. Ensure that the configurations are correctly set there as well:

   # Mail configuration, support: resend, smtp
   MAIL_TYPE: 'resend'
   MAIL_DEFAULT_SEND_FROM: 'my-sending-email@subdomain.mydomain.com'
   RESEND_API_KEY: 're_XxxxxxxXXxxREDACTEDXxxxxxxXXxx'
   RESEND_API_URL: 'https://api.resend.com'

If the issue persists, it might be helpful to look into the specific error codes and messages related to email invitation failures documented in the Dify codebase. For example, the invalid-role error or general exceptions that might be causing the failure ^[1].

By following these steps, you should be able to identify and resolve the issue preventing you from inviting additional users.

To continue talking to Dosu, mention @dosu.

[crazywoola]

Can you inspect the api and worker to see those variables.

# Mail configuration, support: resend, smtp
MAIL_TYPE: 'resend'
MAIL_DEFAULT_SEND_FROM: 'my-sending-email@subdomain.mydomain.com'
RESEND_API_KEY: 're_XxxxxxxXXxxREDACTEDXxxxxxxXXxx'
RESEND_API_URL: 'https://api.resend.com'

I think MAIL_TYPE isn't right according to this error.

[yhamade-vendr]

@crazywoola my env looks right using this command: docker inspect --format='{{range .Config.Env}}{{println .}}{{end}}' <container_id>

here's that I get on both dify_worker_1 and dify_api_1:

MAIL_TYPE=resend
MAIL_DEFAULT_SEND_FROM=<no-reply@subdomain.domain.com>
SMTP_SERVER=
SMTP_PORT=465
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_USE_TLS=true
SMTP_OPPORTUNISTIC_TLS=false
RESEND_API_KEY=re_Xredacted
RESEND_API_URL=https://api.resend.com

I set the LOG_LEVEL=DEBUG and DEBUG=true, here's what I'm getting from the logs:

ginx_1                  | 10.0.0.186 - - [10/Sep/2024:00:45:48 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
api_1                    | 2024-09-10 00:45:48,752.752 INFO [Thread-21 (process_request_thread)] [_internal.py:97] - 2.2.2.2 - - [10/Sep/2024 00:45:48] "POST /console/api/workspaces/current/members/invite-email HTTP/1.1" 201 -
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:00:45:48 +0000] "POST /console/api/workspaces/current/members/invite-email HTTP/1.1" 201 213 "https://redacted.redacted.com/apps?category=all" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "1.1.1.1"
api_1                    | 2024-09-10 00:45:48,811.811 INFO [Thread-22 (process_request_thread)] [_internal.py:97] - 2.2.2.2 - - [10/Sep/2024 00:45:48] "GET /console/api/workspaces/current/members HTTP/1.1" 200 -
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:00:45:48 +0000] "GET /console/api/workspaces/current/members HTTP/1.1" 200 786 "https://redacted.redacted.com/apps?category=all" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "1.1.1.1"
web_1                    | 00:45:48 0|dify-web  | Invalid languages: *
web_1                    | 00:45:48 0|dify-web  | Invalid languages: *
web_1                    | 00:45:48 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:00:45:48 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
worker_1                 | [2024-09-10 00:45:52,557: ERROR/MainProcess] consumer: Cannot connect to redis://redis:6379/1: Authentication required..
worker_1                 | Trying again in 32.00 seconds... (16/100)
worker_1                 | 
web_1                    | 00:45:54 1|dify-web  | Invalid languages: *
web_1                    | 00:45:54 1|dify-web  | Invalid languages: *
web_1                    | 00:45:54 1|dify-web  | Invalid languages: *

Note: I've tried this as MAIL_DEFAULT_SEND_FROM=<no-reply@subdomain.domain.com> and MAIL_DEFAULT_SEND_FROM=no-reply@subdomain.domain.com.

[crazywoola]

So the error message is Authentication required. only?

I check their codes, https://resend.com/docs/api-reference/introduction#response-codes it seems this is not returned by Resend.

docker-compose up --force-recreate -d

I think you could try this command.

[yhamade-vendr]

@crazywoola same problem. Also, this was deployed from the Marketplace Image version 0.6.13 (Jul 10, 2024).

api_1                    | 2024-09-10 02:12:35,041.041 INFO [Thread-20 (process_request_thread)] [_internal.py:97] - 2.2.2.2 - - [10/Sep/2024 02:12:35] "POST /console/api/workspaces/current/members/invite-email HTTP/1.1" 201 -
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:35 +0000] "POST /console/api/workspaces/current/members/invite-email HTTP/1.1" 201 213 "https://redacted.redacted.com/apps" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "1.1.1.1"
api_1                    | 2024-09-10 02:12:35,296.296 INFO [Thread-22 (process_request_thread)] [_internal.py:97] - 2.2.2.2 - - [10/Sep/2024 02:12:35] "GET /console/api/workspaces/current/members HTTP/1.1" 200 -
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:35 +0000] "GET /console/api/workspaces/current/members HTTP/1.1" 200 786 "https://redacted.redacted.com/apps" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "1.1.1.1"
web_1                    | 02:12:35 1|dify-web  | Invalid languages: *
web_1                    | 02:12:35 1|dify-web  | Invalid languages: *
web_1                    | 02:12:35 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:35 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:12:35 0|dify-web  | Invalid languages: *
web_1                    | 02:12:35 0|dify-web  | Invalid languages: *
web_1                    | 02:12:35 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:12:35 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
sandbox_1                | [GIN] 2024/09/10 - 02:12:36 | 200 |      27.733µs |       127.0.0.1 | GET      "/health"
worker_1                 | [2024-09-10 02:12:37,338: ERROR/MainProcess] consumer: Cannot connect to redis://redis:6379/1: Authentication required..
worker_1                 | Trying again in 18.00 seconds... (9/100)
worker_1                 | 
api_1                    | 2024-09-10 02:12:37,605.605 INFO [Thread-21 (process_request_thread)] [_internal.py:97] - 2.2.2.2 - - [10/Sep/2024 02:12:37] "POST /console/api/workspaces/current/members/invite-email HTTP/1.1" 201 -
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:37 +0000] "POST /console/api/workspaces/current/members/invite-email HTTP/1.1" 201 213 "https://redacted.redacted.com/apps" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "1.1.1.1"
api_1                    | 2024-09-10 02:12:37,666.666 INFO [Thread-23 (process_request_thread)] [_internal.py:97] - 2.2.2.2 - - [10/Sep/2024 02:12:37] "GET /console/api/workspaces/current/members HTTP/1.1" 200 -
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:37 +0000] "GET /console/api/workspaces/current/members HTTP/1.1" 200 786 "https://redacted.redacted.com/apps" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36" "1.1.1.1"
web_1                    | 02:12:41 1|dify-web  | Invalid languages: *
web_1                    | 02:12:41 1|dify-web  | Invalid languages: *
web_1                    | 02:12:41 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:41 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:12:41 0|dify-web  | Invalid languages: *
web_1                    | 02:12:41 0|dify-web  | Invalid languages: *
web_1                    | 02:12:41 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:12:41 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:12:47 1|dify-web  | Invalid languages: *
web_1                    | 02:12:47 1|dify-web  | Invalid languages: *
web_1                    | 02:12:47 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:47 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:12:47 0|dify-web  | Invalid languages: *
web_1                    | 02:12:47 0|dify-web  | Invalid languages: *
web_1                    | 02:12:47 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:12:47 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:12:53 1|dify-web  | Invalid languages: *
web_1                    | 02:12:53 1|dify-web  | Invalid languages: *
web_1                    | 02:12:53 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:53 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:12:53 0|dify-web  | Invalid languages: *
web_1                    | 02:12:53 0|dify-web  | Invalid languages: *
web_1                    | 02:12:53 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:12:53 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
worker_1                 | [2024-09-10 02:12:55,356: ERROR/MainProcess] consumer: Cannot connect to redis://redis:6379/1: Authentication required..
worker_1                 | Trying again in 20.00 seconds... (10/100)
worker_1                 | 
web_1                    | 02:12:59 1|dify-web  | Invalid languages: *
web_1                    | 02:12:59 1|dify-web  | Invalid languages: *
web_1                    | 02:12:59 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:12:59 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:12:59 0|dify-web  | Invalid languages: *
web_1                    | 02:12:59 0|dify-web  | Invalid languages: *
web_1                    | 02:12:59 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:12:59 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:13:05 1|dify-web  | Invalid languages: *
web_1                    | 02:13:05 1|dify-web  | Invalid languages: *
web_1                    | 02:13:05 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:13:05 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:13:05 0|dify-web  | Invalid languages: *
web_1                    | 02:13:05 0|dify-web  | Invalid languages: *
web_1                    | 02:13:05 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:13:05 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
sandbox_1                | [GIN] 2024/09/10 - 02:13:06 | 200 |      46.895µs |       127.0.0.1 | GET      "/health"
web_1                    | 02:13:11 1|dify-web  | Invalid languages: *
web_1                    | 02:13:11 1|dify-web  | Invalid languages: *
web_1                    | 02:13:11 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:13:11 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:13:11 0|dify-web  | Invalid languages: *
web_1                    | 02:13:11 0|dify-web  | Invalid languages: *
web_1                    | 02:13:11 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:13:11 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
worker_1                 | [2024-09-10 02:13:15,378: ERROR/MainProcess] consumer: Cannot connect to redis://redis:6379/1: Authentication required..
worker_1                 | Trying again in 22.00 seconds... (11/100)
worker_1                 | 
web_1                    | 02:13:17 1|dify-web  | Invalid languages: *
web_1                    | 02:13:17 1|dify-web  | Invalid languages: *
web_1                    | 02:13:17 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:13:17 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:13:17 0|dify-web  | Invalid languages: *
web_1                    | 02:13:17 0|dify-web  | Invalid languages: *
web_1                    | 02:13:17 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:13:17 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:13:23 1|dify-web  | Invalid languages: *
web_1                    | 02:13:23 1|dify-web  | Invalid languages: *
web_1                    | 02:13:23 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:13:23 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:13:23 0|dify-web  | Invalid languages: *
web_1                    | 02:13:23 0|dify-web  | Invalid languages: *
web_1                    | 02:13:23 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:13:23 +0000] "GET /apps HTTP/1.1" 200 8234 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:13:29 1|dify-web  | Invalid languages: *
web_1                    | 02:13:29 1|dify-web  | Invalid languages: *
web_1                    | 02:13:29 1|dify-web  | Invalid languages: *
nginx_1                  | 10.0.0.186 - - [10/Sep/2024:02:13:29 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"
web_1                    | 02:13:29 0|dify-web  | Invalid languages: *
web_1                    | 02:13:29 0|dify-web  | Invalid languages: *
web_1                    | 02:13:29 0|dify-web  | Invalid languages: *
nginx_1                  | 10.0.1.155 - - [10/Sep/2024:02:13:29 +0000] "GET /apps HTTP/1.1" 200 8245 "-" "ELB-HealthChecker/2.0" "-"

[yhamade-vendr]

Also, I should add that I've checked the resend console and the messages aren't showing in there either, however my test messages are.

[yhamade-vendr]

@crazywoola I was able to track down the problem and cause.

First, the error itself is being generated by this line when it goes to generate the invite token: https://github.com/langgenius/dify/blob/cee0c51dbb412d1420385d81624d5a61b52ab8ec/api/services/account_service.py#L618

That's actually what's creating the error I'm seeing in the log: worker_1 | [2024-09-10 00:45:52,557: ERROR/MainProcess] consumer: Cannot connect to redis://redis:6379/1: Authentication required..

When I started troubleshooting this issue, I was reviewing the "Password" in the .env file and noticed that it, and all of the other passwords, were blank. Troubleshooting this further, it appears that the "dify_init.sh" script in the EC2 template is using IDMSv1 endpoint to pull instance metadata. On my EC2 instances, I'm enforcing IMDSv2, so the script was failing to populate the .env correctly.

Can this be updated in the next version of the EC2 image so that it uses IMDSv2 instead of IMDSv1?