Ubuntu telegraf $INFLUX_TOKEN write metrics errors

This is my first telegraf installation.
Ubuntu 20.04

I have created an API token for the bucket with read/write access permissions.
export INFLUX_TOKEN= .......
When I add this token directly in telegraf.conf everything works fine.
But when I use token = "$INFLUX_TOKEN" (in telegraf.conf) I get the following errors:

[agent] Error writing to outputs.influxdb_v2: failed to write metric (401 Unauthorized): unauthorized: unauthorized

The output of echo $INFLUX_TOKEN or printenv INFLUX_TOKEN is the correct token.

Hi,

How are you running telegraf? Is the same user that exports the token, the user who is running telegraf?

/lib/systemd/system/telegraf.service

[Unit]
Description=The plugin-driven server agent for reporting metrics into InfluxDB
Documentation=https://github.com/influxdata/telegraf
After=network.target

[Service]
EnvironmentFile=-/etc/default/telegraf
User=telegraf
ExecStart=/usr/bin/telegraf -config /etc/telegraf/telegraf.conf -config-directory /etc/telegraf/telegraf.d $TELEGRAF_OPTS
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
RestartForceExitStatus=SIGPIPE
KillMode=control-group

[Install]
WantedBy=multi-user.target

root:root 0644

export INFLUX_TOKEN by ‘sudo su’

I am not certain that makes the variable persistent; only in the shell that you created. More importantly, the user that is used to launch the systemd service is telegraf.

If you must do it this way, you can create an environment variables file for systemd and set the variable there. For example, create /etc/systemd/system/telegraf.service.d/myenv.conf:

[Service]
Environment="INFLUX_TOKEN=aaaaaaaaaaaaaaaa"

This works with root:root
But changing ownership of /lib/systemd/system/telegraf.service to telegraf:telegraf didn’t help (w/o adding /etc/systemd/system/telegraf.service.d/myenv.conf) (added INFLUX_TOKEN to /etc/environment)

But changing ownership of /lib/systemd/system/telegraf.service to telegraf:telegraf didn’t help

Why are you changing ownership?

Is that what you meant?

No 🙂 If you look at the excerpt of the systemd service file that you quoted you will see:

User=telegraf

This specifies that telegraf is run as the telegraf user.

So your recommendation on ‘/etc/systemd/system/telegraf.service.d/myenv.conf’ is the only fix for this problem?
I was confused by your “More importantly, the user that is used to launch the systemd service is telegraf.”
It was already in the telegraf.service
Environment variable INFLUX_TOKEN was accessible. Now I added it as a persistent variable into /etc/environment.

That is one option. You can also put the token in the config file itself. If you are concerned with others viewing the file you can restrict the read to only the user and group who own it.

Now I added it as a persistent variable into /etc/environment.

Be aware that /etc/environment is a system-wide file. This means it applies to all users who log into the system.

Is this a bug? Telegraf can’t access an environment variable even in /etc/environment with 644 permissions; it doesn’t seem right to me.
And protecting telegraf.conf (in case of placing a token in this file directly) is something that involves creation of a new group and adding telegraf to this group and other accounts that need access to this file; changing ownership and permissions is not a very convenient way.
It reminds me of how TLS is enabled in InfluxDB (the host installation), when you need to give access to the private key to the influxdb user.

As I said above, that makes that variable available to users who login. You are running telegraf as a service via systemd. You need to use the systemd methods that are available to you which I have already laid out.

And protecting telegraf.conf (in case of placing a token in this file directly) is something that involves creation of a new group and adding telegraf to this group and other accounts that need access to this file; changing ownership and permissions is not a very convenient way.

Yes, your use case may require creating a new group if you need others to access this file for some reason. However, if you need others to access it, then you probably need them to be able to control the telegraf service so it restarts and collects the new file. In which case, they probably already have root/sudo access. At the very least if you only want root/sudo to have access to viewing it, then you can drop that other bit.

@jpowers, Thank you for clarifying that.

It seems this token can be added to this file too.
INFLUX_TOKEN=aaaaaaaa
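
The options discussed in this thread, as an added example that is not part of any post: shell functions that put the token in /etc/default/telegraf (the file the unit names in EnvironmentFile=) with mode 0600, and report which of the discussed files expose it to other accounts. The function names and the ROOT prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT is a hypothetical prefix argument so the
# functions can be tried on a scratch tree; pass "" (as root) for the real system.

# write_token_env ROOT TOKEN
# Put INFLUX_TOKEN in the file the unit already names in EnvironmentFile=,
# keeping other lines (e.g. TELEGRAF_OPTS) and leaving the file mode 0600.
# The service manager loads EnvironmentFile= before the process switches to
# User=telegraf, so the telegraf account needs no read access to this file.
write_token_env() {
    file="$1/etc/default/telegraf"
    mkdir -p "$1/etc/default" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1          # mktemp creates it 0600
    if [ -f "$file" ]; then
        grep -v '^INFLUX_TOKEN=' "$file" >"$tmp" || :  # drop any old token line
    fi
    printf 'INFLUX_TOKEN=%s\n' "$2" >>"$tmp" && chmod 600 "$tmp" && mv "$tmp" "$file"
}

# token_file_exposed FILE
# True when FILE contains an INFLUX_TOKEN assignment and group or others have
# any permission bit on it (characters 5-10 of the ls -l mode string).
token_file_exposed() {
    [ -f "$1" ] || return 1
    grep -q 'INFLUX_TOKEN=' "$1" || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# audit_token_locations ROOT
# Print each location mentioned in the thread where the token is exposed.
audit_token_locations() {
    for f in etc/environment etc/default/telegraf \
             etc/systemd/system/telegraf.service.d/myenv.conf; do
        if token_file_exposed "$1/$f"; then echo "exposed: /$f"; fi
    done
}
```

After writing the file on a real host, restart the service (systemctl restart telegraf) so it starts with the new environment.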