I'm running into an `Authentication

I'm running into an `Authentication error [code: 10000]` error when executing `wrangler dev` @ 2.8.1, and I am wondering if I have the correct permission scopes to run the wrangler v2 dev command. Can someone confirm if these are sufficiently scoped permissions?
- account (read)
- user (read)
- workers (write)
- workers_kv (write)
- workers_routes (write)
- workers_scripts (write)
- workers_tail (read)
- d1 (write)
- pages (write)
- zone (read)
- offline_access
8 Replies
neenhouse (chris)
I'm pretty sure this is a scope issue, because `--log-level=debug` does log this:
```
-- START CF API RESPONSE: Forbidden 403
HEADERS: {
  "cf-cache-status": "DYNAMIC",
  "cf-ray": "7915ef313dbdfac2-SJC",
  "connection": "keep-alive",
  "content-encoding": "gzip",
  "content-type": "application/json",
  "date": "Mon, 30 Jan 2023 00:01:40 GMT",
  "server": "cloudflare",
  "set-cookie": "cflb=0H28vgHxwvgAQtjUGUFqYFDiSDreGJnUkegE3sKioTb; SameSite=Lax; path=/; expires=Mon, 30-Jan-23 02:31:41 GMT; HttpOnly, cfruid=9a2ecaa736c40e81e0df923c3c093fb372cb8183-1675036900; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None",
  "transfer-encoding": "chunked",
  "vary": "Accept-Encoding"
}
RESPONSE: {"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}
```
It is odd that this is my API request:
```
-- START CF API REQUEST: GET https://api.cloudflare.com/client/v4/accounts/xxxxxxxxxxxxxxx/workers/subdomain/edge-preview
HEADERS: {
  "User-Agent": "wrangler/2.8.1"
}
INIT: {
  "headers": {
    "User-Agent": "wrangler/2.8.1"
  }
}
```
I suppose I would expect there is a token in the request or something. I do get this error, but it doesn't seem like it's necessarily relevant to an auth issue:
```
Failed to load .env file "/Users/xxxxxxx/Code/project/.dev.vars": Error: ENOENT: no such file or directory, open '/Users/xxxxxxx/Code/project/.dev.vars'
    at Object.openSync (node:fs:585:3)
    at Object.readFileSync (node:fs:453:35)
    at tryLoadDotEnv (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:119583:72)
    at loadDotEnv (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:119591:12)
    at getVarsForDev (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:128340:18)
    at getBindings (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:144478:10)
    at getBindingsAndAssetPaths (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:144439:20)
    at getDevReactElement (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:144150:40)
    at startDev (/Users/xxxxxxx/Code/project/node_modules/wrangler/wrangler-dist/cli.js:144206:60)
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {
  errno: -2,
  syscall: 'open',
  code: 'ENOENT',
  path: '/Users/xxxxxxx/Code/project/.dev.vars'
}
```
Max (@rozenmd) 17mo ago
does `wrangler logout` and then `wrangler login` help? also does the accountId reported by `whoami` match the accountId in the failing URL?
neenhouse (chris)
logout/login doesn't seem to help, and the account IDs do match up fwiw: deleting the Authorization header from the logs done for security reasons 👍 https://github.com/cloudflare/wrangler2/blob/5dee1694b132688c888819b152ed97e9d5f246cb/packages/wrangler/src/cfetch/internal.ts#L39

My user level permissions are like:
```
"permissions": [
  "#access:read",
  "#analytics:read",
  "#auditlogs:read",
  "#billing:read",
  "#blocks:read",
  "#dns_records:read",
  "#fbm:read",
  "#healthchecks:read",
  "#http_applications:read",
  "#image:read",
  "#lb:read",
  "#legal:read",
  "#logs:read",
  "#magic:read",
  "#member:read",
  "#organization:read",
  "#ssl:read",
  "#stream:read",
  "#subscription:read",
  "#teams:read",
  "#waf:read",
  "#waitingroom:read",
  "#webhooks:read",
  "#worker:read",
  "#zaraz:read",
  "#zone:read",
  "#zone_settings:read",
  "#zone_versioning:read"
],
```
and we're opted into these betas:
```
"betas": [
  "api_tokens_beta",
  "zone_level_access_beta"
]
```
I also have `"has_enterprise_zones": true,` active

Yeah, seems like a permission thing. When I run dev with the other account ID where I have all the permissions, I don't get that error....
neenhouse (chris)
Figured it out! You need a permission "Workers Script" set to "Edit" to use the development target. This was biting us because we have default read-only permission set for our organization. Is that expected behavior?
Max (@rozenmd) 17mo ago
ah yep sorry I missed that, I haven't spoken to many of our users with that setup
neenhouse (chris)
I wonder if there is a way to support this without requiring the edit permission? That would truly be zero config for the dev experience...
Max (@rozenmd) 17mo ago
in terms of what wrangler can do - we should probably add an explicit error if the Workers Script permission isn't Edit, maybe default you to `wrangler dev --local`

each time you change code while `wrangler dev` is running, you're actually redeploying a new version on a preview Worker, hence the error
neenhouse (chris)
Makes sense. Will use that guidance. FWIW, internally we're going to figure out a way to just grant that permission because the integrated preview environment from Dev is pretty sweet
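
The explicit error suggested in the thread (Workers Script permission not set to Edit, fall back to `wrangler dev --local`), as an added example that is not wrangler's code and not written by any participant above. The permission name `#worker:edit` (assumed by analogy with the `#worker:read` entry in the posted list), the function names and the sample inputs are assumptions.

```javascript
// Added example: turn the opaque 403 / code 10000 from the thread into an
// explicit diagnosis. "#worker:edit" is an ASSUMED name for the Edit-level
// permission, inferred from the "#worker:read" entry quoted in the thread.
const REQUIRED_PERMISSION = "#worker:edit";

// Parse a Cloudflare API v4 error envelope and return its error codes.
function errorCodes(body) {
  try {
    const parsed = JSON.parse(body);
    if (parsed.success !== false || !Array.isArray(parsed.errors)) return [];
    return parsed.errors.map((e) => e.code);
  } catch {
    return []; // body is not JSON: nothing to classify
  }
}

// Decide what to tell the user when the edge-preview call fails.
// `permissions` is the member's permission list, as posted in the thread.
function diagnosePreviewFailure({ status, url, body }, permissions) {
  const isPreview = new URL(url).pathname.endsWith("/workers/subdomain/edge-preview");
  const authError = status === 403 && errorCodes(body).includes(10000);
  if (!isPreview || !authError) return { kind: "other", hint: null };
  if (!permissions.includes(REQUIRED_PERMISSION)) {
    return {
      kind: "missing-permission",
      hint: `Remote preview needs ${REQUIRED_PERMISSION}: request Workers Script "Edit" or run wrangler dev --local`,
    };
  }
  // Permission is present, so the 403 points at the credentials themselves.
  return { kind: "credentials", hint: "Run wrangler logout, then wrangler login" };
}

// Constructed sample mirroring the failing request and a read-only member.
const sampleResponse = {
  status: 403,
  url: "https://api.cloudflare.com/client/v4/accounts/ACCOUNT_ID_PLACEHOLDER/workers/subdomain/edge-preview",
  body: '{"success":false,"errors":[{"code":10000,"message":"Authentication error"}]}',
};
const readOnlyMember = ["#worker:read", "#zone:read", "#logs:read"];

console.log(diagnosePreviewFailure(sampleResponse, readOnlyMember));
```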