CD
Cloudflare Developers2y ago
neenhouse (chris)

I m running into an `Authentication

I'm running into an Authentication error [code: 10000] error when executing wrangler dev @ 2.8.1 and I am wondering if I have the correct permission scopes to run the wrangler v2 dev command, can someone confirm if this is sufficient scoped permissions? - account (read) - user (read) - workers (write) - workers_kv (write) - workers_routes (write) - workers_scripts (write) - workers_tail (read) - d1 (write) - pages (write) - zone (read) - offline_access
No description
No description
8 Replies
neenhouse (chris)
neenhouse (chris)OP2y ago
I've pretty sure this is a scope issue, because --log-level=debug does log this:
-- START CF API RESPONSE: Forbidden 403 HEADERS: { "cf-cache-status": "DYNAMIC", "cf-ray": "7915ef313dbdfac2-SJC", "connection": "keep-alive", "content-encoding": "gzip", "content-type": "application/json", "date": "Mon, 30 Jan 2023 00:01:40 GMT", "server": "cloudflare", "set-cookie": "cflb=0H28vgHxwvgAQtjUGUFqYFDiSDreGJnUkegE3sKioTb; SameSite=Lax; path=/; expires=Mon, 30-Jan-23 02:31:41 GMT; HttpOnly, cfruid=9a2ecaa736c40e81e0df923c3c093fb372cb8183-1675036900; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None", "transfer-encoding": "chunked", "vary": "Accept-Encoding" } RESPONSE: {"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}
It is odd that this is my API request:
-- START CF API REQUEST: GET https://api.cloudflare.com/client/v4/accounts/xxxxxxxxxxxxxxx/workers/subdomain/edge-preview HEADERS: { "User-Agent": "wrangler/2.8.1" } INIT: { "headers": { "User-Agent": "wrangler/2.8.1" } }
I suppose I would expect there is a token in the request or something. I do get this error, but it doesn't seem like its necessarily relevant to an auth issue:
Failed to load .env file "/Users/xxxxxxx/Code/project/.dev.vars": Error: ENOENT: no such file or directory, open '/Users/xxxxxxx/Code/project/.dev.vars' at Object.openSync (node:fs:585:3) at Object.readFileSync (node:fs:453:35) at tryLoadDotEnv (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:119583:72) at loadDotEnv (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:119591:12) at getVarsForDev (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:128340:18) at getBindings (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:144478:10) at getBindingsAndAssetPaths (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:144439:20) at getDevReactElement (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:144150:40) at startDev (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:144206:60) at processTicksAndRejections (node:internal/process/task_queues:96:5) { errno: -2, syscall: 'open', code: 'ENOENT', path: '/Users/xxxxxxx/Code/project/.dev.vars' }
Max (@rozenmd)
Max (@rozenmd)2y ago
does wrangler logout and then wrangler login help? also does the accountId reported by whoamo match the accountId in the failing URL?
neenhouse (chris)
neenhouse (chris)OP2y ago
logout/login doesn't seem to help, and the account IDs do match up fwiw: deleting the Authorization header from the logs done for security reasons 👍 https://github.com/cloudflare/wrangler2/blob/5dee1694b132688c888819b152ed97e9d5f246cb/packages/wrangler/src/cfetch/internal.ts#L39 My user level permissions are like: 
"permissions": [
          "#access:read",
          "#analytics:read",
          "#auditlogs:read",
          "#billing:read",
          "#blocks:read",
          "#dns_records:read",
          "#fbm:read",
          "#healthchecks:read",
          "#http_applications:read",
          "#image:read",
          "#lb:read",
          "#legal:read",
          "#logs:read",
          "#magic:read",
          "#member:read",
          "#organization:read",
          "#ssl:read",
          "#stream:read",
          "#subscription:read",
          "#teams:read",
          "#waf:read",
          "#waitingroom:read",
          "#webhooks:read",
          "#worker:read",
          "#zaraz:read",
          "#zone:read",
          "#zone_settings:read",
          "#zone_versioning:read"
        ],
"permissions": [
          "#access:read",
          "#analytics:read",
          "#auditlogs:read",
          "#billing:read",
          "#blocks:read",
          "#dns_records:read",
          "#fbm:read",
          "#healthchecks:read",
          "#http_applications:read",
          "#image:read",
          "#lb:read",
          "#legal:read",
          "#logs:read",
          "#magic:read",
          "#member:read",
          "#organization:read",
          "#ssl:read",
          "#stream:read",
          "#subscription:read",
          "#teams:read",
          "#waf:read",
          "#waitingroom:read",
          "#webhooks:read",
          "#worker:read",
          "#zaraz:read",
          "#zone:read",
          "#zone_settings:read",
          "#zone_versioning:read"
        ],
and we're opted into these betas: 
"betas": [
      "api_tokens_beta",
      "zone_level_access_beta"
    ]
"betas": [
      "api_tokens_beta",
      "zone_level_access_beta"
    ]
I also have 
 "has_enterprise_zones": true, 
 "has_enterprise_zones": true,
active Yeah, seems like a permission thing. When I run dev with the other account ID where I have all the permissions, I don't get that error....
neenhouse (chris)
neenhouse (chris)OP2y ago
Figured it out! You need a permission "Workers Script" set to "Edit" to use the development target. This was biting us because we have default read-only permission set for our organization. Is that expected behavior?
No description
Max (@rozenmd)
Max (@rozenmd)2y ago
ah yep sorry I missed that, I haven't spoken to many of our users with that setup
neenhouse (chris)
neenhouse (chris)OP2y ago
I wonder if there is a way to support this without requiring the edit permission? That would truly be zero config for the dev experience...
Max (@rozenmd)
Max (@rozenmd)2y ago
in terms of what wrangler can do - we should probably add an explicit error if the Workers Script permission isn't Edit, maybe default you to wrangler dev --local each time you change code while wrangler dev is running, you're actually redeploying a new version on a preview Worker, hence the error
neenhouse (chris)
neenhouse (chris)OP2y ago
Makes sense. Will use that guidance. FWIW- internally we're going to figure out a way to just grant that permission because the integrated preview environment from Dev is pretty sweet
Want results from more Discord servers?
Add your server