Coder.com · 7mo ago
tausq

coder agent using token auth

Hi, I'm trying to start a coder agent using libvirt/KVM (not in a public cloud) and am having some challenges getting the coder agent to authenticate to my self-hosted coderd. In my terraform I use a remote-exec provisioner to do the init, like this:
```
resource "libvirt_domain" "domain-ubuntu" {
  ...
  provisioner "remote-exec" {
    inline = [
      "bash -c 'export CODER_AGENT_TOKEN=${nonsensitive(coder_agent.main.token)}; ${coder_agent.main.init_script}'"
    ]
  }
}
```
I verified the token is correctly passed to the agent, but the agent gets 401 errors. Poking around in the db, the token is not populated in the workspace_agents table. Interestingly, if I kill the coder agent so that terraform apply completes, then I do see an entry getting added to workspace_agents with the right auth token, and manually doing a curl using that token works, so it looks like there is some sequencing issue here? What am I doing wrong?
7 Replies
Codercord · 7mo ago
Category: Help needed
Product: Coder OSS (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
Cian · 7mo ago
the agent token isn't valid until the workspace build is completed and the remote-exec won't finish as that's essentially running the coder agent, so the build will never 'complete'
you may want to look into making a systemd unit for the coder agent
Cian · 7mo ago
https://github.com/coder/coder/blob/main/examples/templates/incus/main.tf#L179-L237 this is for a different provider, but same principle applies
Cian · 7mo ago
write a systemd unit to start the agent, write the token to the unit env, and add a watcher so that the agent gets restarted when the token changes
alternatively, if there's a way to do the remote-exec in the background that might also work
Phorcys · 7mo ago
hey, you should look into using cloud-init instead of remote-exec to run the agent script if possible
Phorcys · 7mo ago
otherwise if you can't do that then remote-exec in the background should be fine
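
The systemd approach suggested in the replies above (unit for the agent, token in the unit's environment, watcher that restarts the agent when the token changes), as an added example that is not part of the thread or Coder's own template. The file paths, unit names and the `/opt/coder/init` location for the saved `init_script` are assumptions; because the provisioner only writes files and returns, the workspace build can complete.

```shell
# Added example: paths and unit names are assumptions, not Coder defaults.
set -eu

# write_agent_units ROOT TOKEN
# Renders the files under ROOT ("/" on the VM, a temp dir to inspect them first).
write_agent_units() {
  local root="$1" token="$2"
  local etc="$root/etc/coder" units="$root/etc/systemd/system"
  mkdir -p "$etc" "$units"

  # Token lives in a root-only env file, never on a command line or in a unit.
  ( umask 077; printf 'CODER_AGENT_TOKEN=%s\n' "$token" > "$etc/agent.env" )
  chmod 600 "$etc/agent.env"

  # /opt/coder/init is assumed to hold coder_agent.main.init_script.
  cat > "$units/coder-agent.service" <<'EOF'
[Unit]
Description=Coder agent
After=network-online.target
Wants=network-online.target

[Service]
EnvironmentFile=/etc/coder/agent.env
ExecStart=/opt/coder/init
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target
EOF

  # Path unit: fires whenever the env file is rewritten with a new token.
  cat > "$units/coder-agent-watcher.path" <<'EOF'
[Path]
PathChanged=/etc/coder/agent.env
Unit=coder-agent-watcher.service

[Install]
WantedBy=multi-user.target
EOF
  cat > "$units/coder-agent-watcher.service" <<'EOF'
[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl restart coder-agent.service
EOF
}
# On the VM, as root: write_agent_units / "$TOKEN", then systemctl daemon-reload
# and systemctl enable --now coder-agent.service coder-agent-watcher.path
```

Keeping the token in a mode-0600 `EnvironmentFile` also keeps it out of the provisioner's command line, where the original `nonsensitive(...)` interpolation exposes it in Terraform output.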