Closed jgdtech closed 1 year ago
I did find in my case that somehow when I did the "frodo conn save", it did not create the log api key or secret. I created it separately then specified the --log-api-key [key] and --log-api-secret [secret] in the "frodo conn save" and now I can view logs.
This was when I used the FRODO_SA_ID and FRODO_SA_JWK as mentioned here: https://community.forgerock.com/t/frodo-service-accounts-secure-ci-cd-in-forgerock-identity-cloud/2065
@jgdtech yes, you are right: Service accounts today cannot create API credentials. That's why this is the only command today that even if your connection profile contains a service account, it leverages the admin account to create the API keys.
When I updated frodo to support service accounts, I also changed how we generate the log API key: Frodo now creates them in frodo conn save, whereas in the past we would sneakily create it when running any of the frodo logs commands.
I honestly didn't give much thought to connection profiles created before this change, and I think you fell exactly into that pothole...
Do you still think Frodo should behave differently or is it good enough that things will work smoothly for new connection profiles?
If you think this needs a code change, please describe what you think the code should do. If you are happy the way it works now that you found your solution, please close this issue or indicate and I will close it.
I think it's fine. One thing I did notice recently was that in my dev environment I believe, when I tried frodo conn save passing the admin account and credential, with MFA enabled, I didn't get the prompt for entering the MFA from frodo? That may have resolved my issue if frodo asked for the MFA when it's enabled for the admin account?
On Wed, Mar 22, 2023, 19:55 Volker Scheuber @.***> wrote:
@jgdtech https://github.com/jgdtech yes, you are right: Service accounts today cannot create API credentials. That's why this is the only command today that even if your connection profile contains a service account, it leverages the admin account to create the API keys.
When I updated frodo to support service accounts, I also changed how we generate the log API key: Frodo now creates them in frodo conn save, whereas in the past we would sneakily create it when running any of the frodo logs commands.
I honestly didn't give much thought to connection profiles created before this change, and I think you fell exactly into that pothole...
Do you still think Frodo should behave differently or is it good enough that things will work smoothly for new connection profiles?
If you think this needs a code change, please describe what you think the code should do. If you are happy the way it works now that you found your solution, please close this issue or indicate and I will close it.
Frodo CLI version
Provide output of
frodo -v
You seem to be running the NPM package
Installed versions:
cli: v0.22.3
lib: v0.18.7
node: v18.14.0
Describe the issue
dt=$(date +%s); frodo logs tail -k --debug --curlirize -c am-core -l 3 stag 2>&1 >& am-core.$dt.log
Note the "2FA is enabled and required for this user..." below: and it is using the admin account, not the service account
cat am-core.$dt.log
0 [sig] sh 5511! sigpacket::process: Suppressing signal 18 to win32 process (pid 374620)
FrodoCommand.handleDefaultArgsAndOpts: Handling default option 'curlirize'.
AuthenticateOps.getTokens: start
curl -X GET -H "User-Agent:@rockcarver/frodo-lib/0.18.7" -H "X-ForgeRock-TransactionId:frodo-703437cd-570f-4de7-9d10-626d0b1058a0" -H "Content-Type:application/json" -H "Accept-API-Version:resource=1.1" "https://openam-cut-staging.id.forgerock.io/am/json/serverinfo/*"
AuthenticateOps.getCookieName: cookieName=4358cf173ed2304
AuthenticateOps.getTokens: Authenticating with user account first.last@example.com
curl -X POST -H "Content-Type:application/json" -H "User-Agent:@rockcarver/frodo-lib/0.18.7" -H "X-ForgeRock-TransactionId:frodo-703437cd-570f-4de7-9d10-626d0b1058a0" -H "Accept-API-Version:resource=2.0, protocol=1.0" -H "X-OpenAM-Username:first.last@example.com" -H "X-OpenAM-Password:" --data '{}' "https://openam-cut-staging.id.forgerock.io/am/json/realms/root/authenticate"
2FA is enabled and required for this user...
npm i[365264]: c:\ws\src\node_file.cc:1864: Assertion `(argc) == (5)' failed.