How do I create a generic user to create and manage tokens?

Hi folks,

I’ve recently migrated my v1.8 InfluxDB OSS environment to v2.0. I am now trying to follow the "create a token" docs to create a generic user to manage tokens.

The docs don’t say how to create the user so I have simply created a new user in the CLI using the following command:

export INFLUX_USERNAME="MY_ADMIN_USERNAME"
export INFLUX_PASSWORD="MY_ADMIN_PASSWORD"
influx user create -n 'my-token-manager-username' -p 'some-password' -o 'my-org-name'

The user created successfully and I can use it to log in to the InfluxDB GUI. However when I try and create a token in the GUI I get the following error:

Failed to create tokens: write:orgs/id-redacted/authorizations is unauthorized

My guess is that this new user doesn’t have the necessary privileges to issue tokens, but I can’t find anything in the v2.0 docs which tells me how to go about granting those permissions.

Grateful if anyone can shine a little wisdom on what I’m doing wrong here.

Cheers,

Edd

You should be able to create a new token without creating a new user, and just give the token a limited scope.

Hi @mhall119 , thanks for replying.

Are you suggesting that I use my administrative user to create the new token? Would the token then belong to the administrative user? Can you elaborate on what the token limit scope would achieve?

Many thanks,

Edd

You can give a token a limited scope regardless of what user account created it. For example, if you just want it to be able to write data to a specific bucket, and nothing else (ideal for your data-collection agent), you can create a token that only has write access, and only to that one bucket. That way if somebody gains access to your token, the worst thing they can do is write bad data to that one bucket.
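To make the "write access to one bucket only" advice concrete, here is an added example (not code from the thread or from InfluxData) that builds the permission list the InfluxDB v2 `/api/v2/authorizations` endpoint expects, posts it with an operator token, and audits an existing token's permissions for anything beyond that single-bucket write. The URL, token and IDs are placeholders you supply.

```python
import json
import urllib.request


def scoped_write_permissions(org_id: str, bucket_id: str) -> list:
    """Permission list for a token that can write to exactly one bucket."""
    return [{"action": "write",
             "resource": {"type": "buckets", "id": bucket_id, "orgID": org_id}}]


def authorization_body(org_id: str, bucket_id: str, description: str) -> dict:
    """JSON body for POST /api/v2/authorizations (token is owned by the org)."""
    return {"orgID": org_id, "description": description,
            "permissions": scoped_write_permissions(org_id, bucket_id)}


def excess_permissions(permissions: list, org_id: str, bucket_id: str) -> list:
    """Return every permission that is broader than write-to-this-one-bucket.

    An empty list means the token matches the least-privilege shape described
    above; anything returned (e.g. write on 'authorizations' or on all buckets)
    is what an attacker holding the token could abuse."""
    excess = []
    for perm in permissions:
        res = perm.get("resource", {})
        minimal = (perm.get("action") == "write"
                   and res.get("type") == "buckets"
                   and res.get("id") == bucket_id
                   and res.get("orgID") == org_id)
        if not minimal:
            excess.append(perm)
    return excess


def create_authorization(base_url: str, admin_token: str, body: dict) -> dict:
    """Create the token; the calling token needs write on the org's authorizations."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/api/v2/authorizations",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Token {admin_token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # response includes the new token string


if __name__ == "__main__":
    # Placeholders: replace with your instance, operator token and IDs.
    body = authorization_body("ORG_ID", "BUCKET_ID", "telegraf write-only")
    created = create_authorization("http://localhost:8086", "OPERATOR_TOKEN", body)
    print(excess_permissions(created["permissions"], "ORG_ID", "BUCKET_ID"))  # expect []
```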

Understood, thanks for the explanation.

I’m keen to follow the approach recommended by the docs and like the separation of concerns that would result from this approach. How would I go about granting a non-admin user the requisite permissions to issue tokens?

I am running into the same problem here. New user creation works without problems, but when this new user tries to create tokens I get the same error.

For my use case I need to be able to create new user accounts so that other people can manage access tokens. Does anyone have ideas on how to fix user permissions the correct way?

Edit:
Guess I found the solution:

# If the user is already a plain member of the org, remove them first
# (the remove command also needs the org name or ID)
influx org members remove --member MEMBERID --name ORGNAME
# Now add them back to the organization as an owner, which grants token management
influx org members add --member MEMBERID --name ORGNAME --owner

This might have some security implications, so be careful.