
"requested tags are invalid or not permitted" with scoped OAuth Clients and 2 or more tags approved for this client #437

Open
artmakh opened this issue Sep 24, 2024 · 1 comment
Labels: bug (Something isn't working)

Comments

artmakh commented Sep 24, 2024

Describe the bug

When you try to create a tailscale_tailnet_key resource using a scoped OAuth Client with more than one allowed tag, but you create the tailscale_tailnet_key for only one tag, you receive the error requested tags are invalid or not permitted.
When you use API access tokens, or an OAuth Client with only one allowed tag tag:test_tag, you get no errors.

To Reproduce
Steps to reproduce the behaviour:

  1. Create an OAuth Client with Devices read/write permissions and two allowed tags: tag:test_tag, tag:test_tag_2
  2. Export TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET to the environment
  3. Use this Terraform code to create the tailscale_tailnet_key resource
provider "tailscale" {
  tailnet = "yours-tailnet"
  scopes  = ["devices"]
}

resource "tailscale_tailnet_key" "this" {
  reusable      = true
  ephemeral     = true
  preauthorized = true

  recreate_if_invalid = "always"

  tags = [
    "tag:test_tag"
  ]
}
  4. Try to apply this code
  5. Get the error requested tags [tag:test_tag] are invalid or not permitted

Expected behaviour
tailscale_tailnet_key created

Desktop (please complete the following information):

  • OS: Linux
  • Terraform Version: 1.3.4
  • Provider Version: Tested and reproduced on both 0.16.2 and 0.17.1
artmakh added the bug label Sep 24, 2024
@mpminardi (Member) commented:

Hey @artmakh !

Clarification on this behaviour from our knowledge base:

When you create an OAuth client with the scope devices, you must select one or more tags, which can be any tag or set of tags in your tailnet. Auth keys created with this client must have those exact tags, or tags owned by the client's tags. Additionally, these tags need to be specified in the API call.

This means that if you have something like the following in the policy file:

"tagOwners": {
  "tag:test-tag": ["autogroup:admin", "autogroup:owner"],
  "tag:test-tag-2": ["autogroup:admin", "autogroup:owner"],
}

and both test-tag and test-tag-2 were added to the OAuth client when it was created, then the tags section on tailscale_tailnet_key must include both test-tag and test-tag-2.

What you might want to be doing here instead, if you want to be able to specify either test-tag or test-tag-2 in the tags for tailscale_tailnet_key, is to have something like the following in the policy file:

"tagOwners": {
  "tag:main":  ["autogroup:admin", "autogroup:owner"],
  "tag:test-tag": ["autogroup:admin", "autogroup:owner", "tag:main"],
  "tag:test-tag-2": ["autogroup:admin", "autogroup:owner", "tag:main"],
}

and then add tag:main to the OAuth client you are using. This scenario is allowed as both test-tag and test-tag-2 are owned by tag:main.

With all that being said: the error message here is definitely confusing. Will take a look into this on our end.

@mpminardi mpminardi self-assigned this Oct 8, 2024
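To make the rule in the reply above concrete, the following is an added example. It is not code from the terraform-provider-tailscale project or from Tailscale's control plane and does not reproduce their implementation; it only models the check as the reply states it: the key's tags must equal the OAuth client's tag set exactly, or every requested tag must list one of the client's tags as an owner in tagOwners. The policy contents, the tag names and the extra tag:other are constructed from the thread for illustration, and treating ownership as direct only (no tag-of-tag chains) is an assumption of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// TagOwners mirrors the "tagOwners" section of a tailnet policy file:
// each tag maps to the principals (users, groups, autogroups or other
// tags) allowed to own it.
type TagOwners map[string][]string

// toSet builds a membership set from a tag list (duplicates collapse).
func toSet(tags []string) map[string]bool {
	s := make(map[string]bool, len(tags))
	for _, t := range tags {
		s[t] = true
	}
	return s
}

// sameSet reports whether two tag lists contain exactly the same tags.
func sameSet(a, b []string) bool {
	as, bs := toSet(a), toSet(b)
	if len(as) != len(bs) {
		return false
	}
	for t := range as {
		if !bs[t] {
			return false
		}
	}
	return true
}

// ownedByClient reports whether the policy lists one of the client's tags
// as a direct owner of tag. Only "tag:" owners count; autogroup and user
// owners never satisfy an OAuth client. Assumption of this example:
// ownership is not followed transitively through tag-of-tag chains.
func (p TagOwners) ownedByClient(tag string, client map[string]bool) bool {
	for _, owner := range p[tag] {
		if strings.HasPrefix(owner, "tag:") && client[owner] {
			return true
		}
	}
	return false
}

// KeyTagsPermitted models the rule quoted in the thread: an auth key minted
// by a scoped OAuth client must carry exactly the client's tags, or only
// tags owned by the client's tags. It returns the decision and a reason
// naming the tags that failed, which the real error message does not.
func KeyTagsPermitted(policy TagOwners, clientTags, requested []string) (bool, string) {
	if len(requested) == 0 {
		return false, "an OAuth client with the devices scope must request at least one tag"
	}
	if sameSet(clientTags, requested) {
		return true, "requested tags exactly match the client's tags"
	}
	client := toSet(clientTags)
	var rejected []string
	for _, tag := range requested {
		if !policy.ownedByClient(tag, client) {
			rejected = append(rejected, tag)
		}
	}
	if len(rejected) > 0 {
		return false, fmt.Sprintf("requested tags [%s] are not the client's exact tag set and are not owned by any client tag",
			strings.Join(rejected, ", "))
	}
	return true, "every requested tag is owned by one of the client's tags"
}

func main() {
	// Constructed policy: the thread's first layout, both tags owned only by autogroups.
	flat := TagOwners{
		"tag:test-tag":   {"autogroup:admin", "autogroup:owner"},
		"tag:test-tag-2": {"autogroup:admin", "autogroup:owner"},
	}
	both := []string{"tag:test-tag", "tag:test-tag-2"}
	for _, req := range [][]string{{"tag:test-tag"}, both} {
		ok, why := KeyTagsPermitted(flat, both, req)
		fmt.Printf("client %v, key %v: permitted=%t (%s)\n", both, req, ok, why)
	}

	// The thread's suggested layout: tag:main owns both leaf tags and the
	// OAuth client is created with tag:main only. tag:other is a constructed
	// tag that tag:main does not own.
	nested := TagOwners{
		"tag:main":       {"autogroup:admin", "autogroup:owner"},
		"tag:test-tag":   {"autogroup:admin", "autogroup:owner", "tag:main"},
		"tag:test-tag-2": {"autogroup:admin", "autogroup:owner", "tag:main"},
	}
	for _, req := range [][]string{{"tag:test-tag"}, {"tag:test-tag-2"}, {"tag:test-tag", "tag:other"}} {
		ok, why := KeyTagsPermitted(nested, []string{"tag:main"}, req)
		fmt.Printf("client [tag:main], key %v: permitted=%t (%s)\n", req, ok, why)
	}
}
```

Run it with go run: the first loop reproduces the thread's rejection of [tag:test-tag] under a two-tag client and the acceptance of the full pair, and the second shows the tag:main layout accepting either leaf tag on its own while still rejecting a request that includes a tag tag:main does not own. If you want to sanity-check a policy before wiring it into Terraform, point the policy literal at your own tagOwners section and the client tag list at the tags you selected when creating the OAuth client.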