"users" scope no longer in All Access Token?

Hi,
I want to add a user to my organization. In the past, I used to follow the instructions for creating users via CLI, which worked back then. But today, I followed the instructions and I got an
failed to create user "xxxxx": 401 Unauthorized: write:users is unauthorized
Error, even though I used my All Access Token. I looked at the Scopes of the Token via the Influx UI and I only had read / write access on the scope “users-my user name”. I am an owner of the organization, so I should be able to create new users, or am I missing something?
Thanks!

InfluxDB v2.4.0 in a Docker Container on a Debian Machine 4.19.249-2 (2022-06-30)

Hello @brimstone,
That is odd. Can you please try creating a new token and trying again?
I’d also encourage you to upgrade.
If this problem still persists I’m happy to create an issue for you or you can create one here.

Hi @Anaisdg ,
thanks for your reply. I updated Influx to v2.6.1 and created a new All Access Token. Unfortunately, the user creation still won’t work with the “user:write” scope missing. In the newly created Token, the “All Users” Scope is now read / write accessible, but I have noticed that I can only read on “All Orgs” but not write.


Does this imply that I cannot write on any Org, especially my own Org? This would somehow explain why I cannot create new Users on any Org.
If this is still unexplainable, I’ll create a ticket.

I’ve looked further into this issue and the more I researched, the more confused I am.
While searching the docs for more hints, I found out about the concept of the operator token, which is the all access token for all orgs. The problem is that I cannot create an operator token via CLI, since I don’t have a token with the read:orgs permission (the error message when trying to create a new operator token with my all access token is
Error: could not write auth with provided arguments: 403 Forbidden: permission read:orgs is not allowed: read:orgs is unauthorized)
I used the influx auth list command to get a full list of all tokens and their respective scopes. My all access token has the read:/orgs/<OrgID> scope, but not the write:/orgs/<OrgID> (or even write:/orgs?) scope. I cannot create an operator token from the UI (I can either create an All Access or a Custom Token, where both types of tokens have neither the write:orgs nor the read:orgs scope). So I have no token to create an operator token and no token with sufficient permissions to create a new user in my own org despite being the owner of the org.

Hey @brimstone, to clear a few things up:

  1. To create a User, you do need an Operator token as seen here.
  2. The Operator token is created on setup of the instance. If you are the operator, you can go to your tokens page and there should be a token that says username's Token. You will not be able to read that token, but you can clone it and use the cloned token. You can also log in to the CLI using username & password and create users that way (again, assuming you are actually the operator).

Hi @Jeffrey
Thanks for your response. I recently discovered the concept of operator tokens. Unfortunately, I don’t have an operator token in my InfluxDB instance. I don’t know why, but that’s the case. I recently opened another thread here to solve this issue. I’ve seen that you are the one who responded in the mentioned GitHub Thread. Could you help me resolve this issue?
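
Both errors quoted in this thread (`write:users is unauthorized` and `read:orgs is unauthorized`) involve a token whose grants are tied to one resource ID while the operation asks for the unscoped permission. The sketch below is an added example, not InfluxDB code or code from the posters; it assumes a simplified rule (a grant without an ID covers every resource of its type, a grant with an ID covers only that resource), and the IDs and the names `missing_scopes`, `ALL_ACCESS_TOKEN` and `UNSCOPED_TOKEN` are constructed.

```python
from typing import List, NamedTuple, Optional


class Scope(NamedTuple):
    action: str          # "read" or "write"
    rtype: str           # resource type, e.g. "users" or "orgs"
    rid: Optional[str]   # None means every resource of that type


def parse_scope(text: str) -> Scope:
    """Parse the two forms quoted in the thread: 'write:users' and 'read:/orgs/<id>'."""
    action, sep, path = text.strip().partition(":")
    parts = [p for p in path.split("/") if p]
    if not sep or action not in ("read", "write") or not 1 <= len(parts) <= 2:
        raise ValueError(f"unrecognised scope: {text!r}")
    return Scope(action, parts[0], parts[1] if len(parts) == 2 else None)


def covers(grant: Scope, needed: Scope) -> bool:
    """Assumed rule: an unscoped grant covers any ID; a scoped grant only its own ID."""
    if (grant.action, grant.rtype) != (needed.action, needed.rtype):
        return False
    return grant.rid is None or grant.rid == needed.rid


def missing_scopes(granted: List[str], required: List[str]) -> List[str]:
    """Return the required scopes that no grant on the token covers."""
    grants = [parse_scope(g) for g in granted]
    return [r for r in required
            if not any(covers(g, parse_scope(r)) for g in grants)]


# Constructed sample: grants tied to one user ID and one org ID, the shape
# the original poster describes for the All Access token.
ALL_ACCESS_TOKEN = [
    "read:/users/0000000000000001",
    "write:/users/0000000000000001",
    "read:/orgs/00000000000000aa",
]
# Constructed sample: the same resource types granted without an ID.
UNSCOPED_TOKEN = ["read:users", "write:users", "read:orgs", "write:orgs"]

if __name__ == "__main__":
    for name, token in (("all-access", ALL_ACCESS_TOKEN), ("unscoped", UNSCOPED_TOKEN)):
        # write:users is what user creation asked for; read:orgs is what
        # creating an operator token asked for (both from the quoted errors).
        print(name, "is missing:", missing_scopes(token, ["write:users", "read:orgs"]))
```

To check a real token, feed it the scope list that `influx auth list` prints for that token.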