Skip to content

Is it possible to use cluster-scoped Rancher API tokens with the Rancher CLI or Terraform provider?

This document (000021440) is provided subject to the disclaimer at the end of this document.

Environment

  • A Rancher cluster, where you have created a cluster-scoped API token, as explained here.
  • Use of the cluster-scoped token to interact with Rancher using the Rancher CLI or Terraform provider.

Situation

If you try to use cluster-scoped Rancher API tokens in the Rancher CLI or Terraform provider, you may see the following error message with an authentication failure:

FATA[0000] Bad response statusCode [401]. Status [401 Unauthorized]. Body: [message=Unauthorized 401: must authenticate] from [https://<RANCHER-URL>/v3

Resolution

By design, interaction with the Rancher CLI or Terraform provider does not work with cluster-scoped API tokens. Therefore, if you see the previous error message trying to use the Rancher CLI or the Terraform provided with a cluster-scoped API token, you should switch to an un-scoped API token.

Cause

These tokens are only intended for use with the Rancher /v3 API endpoint.

Additional Information

https://github.com/rancher/rancher/issues/18639#issuecomment-575952955

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.