Prisma1: Deployment with PRISMA_CLOUD_SESSION_KEY-env-var fails sometimes

Created on 20 Aug 2018  Â·  4Comments  Â·  Source: prisma/prisma1

Describe the bug

  • I'm using SemaphoreCI to continously deploy Prisma datamodel changes to our Prisma service
  • I set the value for the PRISMA_CLOUD_SESSION_KEY in the CI/CD environment with the cloudSessionKey-value found in ~/.prisma/config.yml on my local dev machine.
  • Deployment works (!)
  • Sometimes, though, it fails, showing the following message.
Authenticating... ✔
Already signed in

ERROR: Not authorized. Please provide a proper 'Authorization' header

{
  "data": {
    "generateClusterToken": null
  },
  "errors": [
    {
      "message": "Not authorized. Please provide a proper 'Authorization' header",
      "locations": [
        {
          "line": 3,
          "column": 9
        }
      ],
      "path": [
        "generateClusterToken"
      ],
      "code": 403
    }
  ],
  "status": 200
}

To Reproduce

That's difficult, see the description above, as said it only happens after a while.

Expected behavior
A once set PRISMA_CLOUD_SESSION_KEY should work - otherwise our CI/CD becomes flaky.

Versions (please complete the following information):

  • OS: [Ubuntu 16.04]
  • prisma CLI: [prisma/1.10.1] (fails with other versions too)

How to make it work again

  1. Run prisma login on your local dev machine
  2. Copy the newly created cloudSessionKey from the file ~/.prisma/config.yml
  3. Use it as new env var in your CI/CD
  4. It works again. ... until next time.

I was wondering whether the env var keys expired after a while?

bu1-repro-available
Source
picture nickluger

Most helpful comment

Thanks for the question @nickluger !
We're indeed planning to add long-living tokens, but don't have them yet.
Right now you need to use the authenticateWithEmail mutation of the cloud api: https://api.cloud.prisma.sh/ to get a new token

picture timsuchanek on 23 Aug 2018
👍2

All 4 comments

I was wondering whether the env var keys expired after a while?

Yes, the cloudSessionKey expires after a month. You can check the expiration date of your specific JWT at a website like https://jwt.io.

This is not suitable for a CI environment - I will look into current workarounds for this.

Note that we are thinking about a more advanced authentication system for Prisma Cloud as described here.

marktani picture marktani on 23 Aug 2018

Thanks for the question @nickluger !
We're indeed planning to add long-living tokens, but don't have them yet.
Right now you need to use the authenticateWithEmail mutation of the cloud api: https://api.cloud.prisma.sh/ to get a new token

timsuchanek picture timsuchanek on 23 Aug 2018
👍2

Thanks for bringing this up @nickluger, and your answer @timsuchanek!

We will take this friction into account when laying out the new authentication system in https://github.com/prisma/prisma-cloud-feedback/issues/90.

marktani picture marktani on 23 Aug 2018
👍1

Thank you, i will try to use the cloud API in the meantime.

nickluger picture nickluger on 28 Aug 2018
Was this page helpful?
0 / 5 - 0 ratings

Related issues

akoenig picture akoenig  Â·  3Comments
thomaswright picture thomaswright  Â·  3Comments
jannone picture jannone  Â·  3Comments
tbrannam picture tbrannam  Â·  3Comments
marktani picture marktani  Â·  3Comments