rockcarver / frodo-cli

A CLI to manage ForgeRock platform deployments supporting Identity Cloud tenants, ForgeOps deployments, and classic deployments.
MIT License

frodo logs tail doesn't seem to be using service account #216

Closed jgdtech closed 1 year ago

jgdtech commented 1 year ago

Frodo CLI version

Provide output of frodo -v

You seem to be running the NPM package
Installed versions:
cli: v0.22.3
lib: v0.18.7
node: v18.14.0

Describe the issue

dt=$(date +%s); frodo logs tail -k --debug --curlirize -c am-core -l 3 stag 2>&1 >& am-core.$dt.log

Note the "2FA is enabled and required for this user..." message below: it is using the admin account, not the service account.

cat am-core.$dt.log
0 [sig] sh 5511! sigpacket::process: Suppressing signal 18 to win32 process (pid 374620)
FrodoCommand.handleDefaultArgsAndOpts: Handling default option 'curlirize'.
AuthenticateOps.getTokens: start
curl -X GET -H "User-Agent:@rockcarver/frodo-lib/0.18.7" -H "X-ForgeRock-TransactionId:frodo-703437cd-570f-4de7-9d10-626d0b1058a0" -H "Content-Type:application/json" -H "Accept-API-Version:resource=1.1" "https://openam-cut-staging.id.forgerock.io/am/json/serverinfo/*"
AuthenticateOps.getCookieName: cookieName=4358cf173ed2304
AuthenticateOps.getTokens: Authenticating with user account first.last@example.com
curl -X POST -H "Content-Type:application/json" -H "User-Agent:@rockcarver/frodo-lib/0.18.7" -H "X-ForgeRock-TransactionId:frodo-703437cd-570f-4de7-9d10-626d0b1058a0" -H "Accept-API-Version:resource=2.0, protocol=1.0" -H "X-OpenAM-Username:first.last@example.com" -H "X-OpenAM-Password:" --data '{}' "https://openam-cut-staging.id.forgerock.io/am/json/realms/root/authenticate"
2FA is enabled and required for this user...
npm i[365264]: c:\ws\src\node_file.cc:1864: Assertion `(argc) == (5)' failed.

jgdtech commented 1 year ago

I did find in my case that somehow when I did the "frodo conn save", it did not create the log api key or secret. I created it separately then specified the --log-api-key [key] and --log-api-secret [secret] in the "frodo conn save" and now I can view logs.

This was when I used the FRODO_SA_ID and FRODO_SA_JWK as mentioned here: https://community.forgerock.com/t/frodo-service-accounts-secure-ci-cd-in-forgerock-identity-cloud/2065

vscheuber commented 1 year ago

@jgdtech yes, you are right: Service accounts today cannot create API credentials. That's why this is the only command today that, even if your connection profile contains a service account, leverages the admin account to create the API keys.

When I updated frodo to support service accounts, I also changed how we generate the log API key: Frodo now creates them in frodo conn save, whereas in the past we would sneakily create it when running any of the frodo logs commands.

I honestly didn't give much thought to connection profiles created before this change, and I think you fell exactly into that pothole...

Do you still think Frodo should behave differently or is it good enough that things will work smoothly for new connection profiles?

If you think this needs a code change, please describe what you think the code should do. If you are happy the way it works now that you found your solution, please close this issue or indicate and I will close it.
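The failure mode described in this thread (a pre-change connection profile without log API credentials silently falling back to the admin user and its 2FA prompt) can be caught from the `--debug` output the reporter captured. The following is an added example, not frodo's own code: it classifies a captured frodo debug log by the authentication path it shows, matching the two message strings that appear in the report above, and runs against a constructed sample log.

```shell
#!/usr/bin/env bash
# Added example, not part of frodo: classify a captured `frodo logs tail --debug`
# log by the authentication path it shows, so a CI job can fail fast instead of
# hanging on an interactive 2FA prompt. The strings matched are the ones visible
# in the report above ("Authenticating with user account", "2FA is enabled").

# Print one of: service-account | admin-user | admin-user-2fa
frodo_auth_path() {
  local logfile="$1"
  if grep -q 'Authenticating with user account' "$logfile"; then
    if grep -q '2FA is enabled and required' "$logfile"; then
      echo admin-user-2fa
    else
      echo admin-user
    fi
  else
    echo service-account
  fi
}

# Extract the admin username frodo fell back to (empty if none); useful for
# flagging which connection profile still lacks log API key/secret.
frodo_fallback_user() {
  sed -n 's/.*Authenticating with user account \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Constructed sample log, abridged from the shape of the report above.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
AuthenticateOps.getTokens: start
AuthenticateOps.getCookieName: cookieName=4358cf173ed2304
AuthenticateOps.getTokens: Authenticating with user account first.last@example.com
2FA is enabled and required for this user...
EOF

case "$(frodo_auth_path "$SAMPLE_LOG")" in
  service-account) echo "OK: service account credentials were used" ;;
  admin-user)      echo "WARN: fell back to admin user $(frodo_fallback_user "$SAMPLE_LOG")" ;;
  admin-user-2fa)  echo "FAIL: admin user $(frodo_fallback_user "$SAMPLE_LOG") needs interactive 2FA;" \
                        "re-save the profile with --log-api-key/--log-api-secret" ;;
esac
```

Run it against your own capture by replacing SAMPLE_LOG with the file from the `frodo logs tail --debug` command above; a non-"OK" result means the profile is still creating log API keys through the admin account.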

jgdtech commented 1 year ago

I think it's fine. One thing I did notice recently was that in my dev environment I believe, when I tried frodo conn save passing the admin account and credential, with MFA enabled, I didn't get the prompt for entering the MFA from frodo? That may have resolved my issue if frodo asked for the MFA when it's enabled for the admin account?

On Wed, Mar 22, 2023, 19:55 Volker Scheuber @.***> wrote:
