Cannot create user

I’m currently setting up my first InfluxDB2 instance and got stuck in the user setup process.

The setup worked fine for all things I could do in the UI. So currently there is one user and there are two organizations.
An “All Access API Token” exists for this user in each of the organizations.

The CLI command

influx org list -t TOKEN

works as expected: depending on the token I get one org or the other.

Now I’d like to create another user:

influx user create -n USERNAME -o ORGNAME -t TOKEN

Depending on which token I use in this command, I get either
Error: no organization with name "ORGNAME" (for the wrong token) or
Error: failed to create user "USERNAME": 401 Unauthorized: write:users is unauthorized (for the correct token).

It seems those tokens don’t have enough privileges to create new users.

Do I need to create some kind of “administrative token”?
What am I missing?

I think I got a bit further and found out that I need an operator token, which cannot be created from the UI.

So I tried to follow this documentation:

It states that there is a bug, which means I have to use a lengthy command to get the token I need:

influx auth create    --org ORGNAME                  \
                      --read-authorizations          \
                      --write-authorizations         \
                      --read-buckets                 \
                      --write-buckets                \
                      --read-dashboards              \
                      --write-dashboards             \
                      --read-tasks                   \
                      --write-tasks                  \
                      --read-telegrafs               \
                      --write-telegrafs              \
                      --read-users                   \
                      --write-users                  \
                      --read-variables               \
                      --write-variables              \
                      --read-secrets                 \
                      --write-secrets                \
                      --read-labels                  \
                      --write-labels                 \
                      --read-views                   \
                      --write-views                  \
                      --read-documents               \
                      --write-documents              \
                      --read-notificationRules       \
                      --write-notificationRules      \
                      --read-notificationEndpoints   \
                      --write-notificationEndpoints  \
                      --read-checks                  \
                      --write-checks                 \
                      --read-dbrp                    \
                      --write-dbrp                   \
                      --read-annotations             \
                      --write-annotations            \
                      --read-sources                 \
                      --write-sources                \
                      --read-scrapers                \
                      --write-scrapers               \
                      --read-notebooks               \
                      --write-notebooks              \
                      --read-remotes                 \
                      --write-remotes                \
                      --read-replications            \
                      --write-replications           \
                      --read-orgs                    \

But this does not succeed, either, because on the command line I am lacking privileges:

Error: could not write auth with provided arguments: 403 Forbidden: permission read:users is not allowed: read:users is unauthorized

So it seems I cannot create an operator token, because I am lacking an operator token to create it?

How to solve this?

Hello @silmaril,
What version of InfluxDB are you using?
I believe this is solved in later versions but see:

In later versions you can create an operator token like so: