Failed to get a RPST token from Proxymux

[sherwoodzern]

Attempting to use the SDK sample code but it fails because it is unable to retrieve the RPST token.

/**

• Copyright (c) 2020, 2021 Oracle and/or its affiliates. All rights reserved.
• This software is dual-licensed to you under the Universal Permissive License (UPL) 1.0 as shown at https://oss.oracle.com/licenses/upl or Apache License 2.0 as shown at http://www.apache.org/licenses/LICENSE-2.0. You may choose either license. */

/**

• This is an example that shows how to use oke workload identity auth provider */

var identity = require("oci-identity"); var common = require("oci-common");

(async () => { const authProvider = await common.OkeWorkloadIdentityAuthenticationDetailsProvider.builder(); const compartmentId = await authProvider.getStringClaim("res_tenant");

const identityClient = new identity.IdentityClient({ authenticationDetailsProvider: authProvider });

identityClient.close(); })();

/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:169 throw Error(Failed to call Proxymux, error: ${e}. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}); ^

Error: Failed to call Proxymux, error: TypeError: fetch failed. Failed to get a RPST token from Proxymux. See https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm for more info. at X509FederationClientForOkeWorkloadIdentity. (/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:169:23) at Generator.throw () at rejected (/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:10:65) at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Node.js v20.15.0

[sherwoodzern]

I executed additional tests and with some logging information. I still get the same error, but I have a bit more information.

{"name":"workloadIdentity","hostname":"workloadauth-54d8796969-dz785","pid":1,"level":20,"msg":"The OciEnabledServiceSet is empty, all OCI services are enabled","time":"2024-07-05T21:46:46.590Z","v":0} {"name":"workloadIdentity","hostname":"workloadauth-54d8796969-dz785","pid":1,"level":20,"msg":"Calling operation IdentityClient#listRegions.","time":"2024-07-05T21:46:46.591Z","v":0} {"name":"workloadIdentity","hostname":"workloadauth-54d8796969-dz785","pid":1,"level":20,"msg":"Retry policy to use: MaximumNumberAttempts=7, MaxSleepBetween=30, ExponentialBackoffBase=2","time":"2024-07-05T21:46:46.593Z","v":0} Request failed with Exception : [object Object] Retrying request -> Total Attempts : 1, Retrying after 1.913 seconds... /app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:169 throw Error(Failed to call Proxymux, error: ${e}. ${OKE_WORKLOAD_IDENTITY_GENERIC_ERROR}); ^

Error: Failed to call Proxymux, error: TypeError: fetch failed. Failed to get a RPST token from Proxymux. See https://docs.oracle.com/en-us/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm for more info. at X509FederationClientForOkeWorkloadIdentity. (/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:169:23) at Generator.throw () at rejected (/app/node_modules/oci-common/lib/auth/X509-federation-client-for-oke-workload-identity.js:10:65) at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Node.js v20.12.2

the proxymux endpoint is: federationClient: X509FederationClientForOkeWorkloadIdentity { proxymuxEndpoint: 'https://10.96.0.1:12250/resourcePrincipalSessionTokens',

[T-iny]

@sherwoodzern Did you fixed this issue? I'm getting the same error.

[sherwoodzern]

@T-iny

I did fix the issue. 2 items to correct the issue.

1. You must be using a version of nodejs less than 20.
2. add NODE_OPTIONS='--no-experimental-fetch'

Above these 2 items also add a line of code if you don't have it: identityClient.region = common.Region.fromRegionId(''); where is something like 'us-ashburn-1'.

The client could be database.client, etc.

If you are attempting to run the example as provided it will not work. As an example I had to modify the creation of the authentication provider to the following:

const authProvider = await new common.OkeWorkloadIdentityAuthenticationDetailsProvider.OkeWorkloadIdentityAuthenticationDetailsProviderBuilder().build();

I hope this helps.

[T-iny]

@sherwoodzern Thank you so much!!!!! You saved my life! You're so kind!