Coder.com•2w ago
Tom

coder_agent.main.token is not valid in windows workspace

Hey guys, I'm working on setting up coder with GitLab external-auth on a windows workspace, provisioned via Azure. After a lot of reading, I've found that I need to pipe in CODER_AGENT_TOKEN and CODER_AGENT_URL so I can have my GIT_ASKPASS script dynamically fetch the token for GitLab - I've done that as follows in my tf file:
...
resource "coder_agent" "main" {
  arch          = "amd64"
  auth          = "azure-instance-identity"
  os            = "windows"
  api_key_scope = "all"
}

resource "azurerm_windows_virtual_machine" "main" {
  ...
  custom_data = base64encode(
    templatefile("${path.module}/Initialize.ps1.tftpl", {
      ...
      coder_agent_token = coder_agent.main.token
      coder_agent_url   = data.coder_workspace.me.access_url
    })
  )
  ...
And then inside of Initialize.ps1.tftpl:
...
[System.Environment]::SetEnvironmentVariable("CODER_AGENT_TOKEN", "${coder_agent_token}", "User")
[System.Environment]::SetEnvironmentVariable("CODER_AGENT_URL", "${coder_agent_url}", "User")
# I also tried setting the above at "Machine" scope, results the same as described below
When I RDP into my workspace, I can run Get-ChildItem Env: and see that both of those variables are in fact set. However, when I run coder external-auth access-token gitlab, I hit the following error:
Encountered an error running "coder external-auth access-token", see "coder external-auth access-token --help" for more information
error: Trace=[get external auth token: ]
Workspace agent not authorized.
It seems that the value of coder_agent.main.token is not valid for whatever reason. If you have any pointers as to why that might be, I'd be super grateful. Thank you so much!
8 Replies
Codercord
Codercord•2w ago
Category: Help needed
Product: Coder (v2)
Platform: Linux
Logs: Please post any relevant logs/error messages.
matifali
matifali•6d ago
are you using data "coder_external_auth" "gitlab" in your template? You need that in template and then authenticate with gitlab to use the external-auth command
Tom
Tom (OP)•6d ago
Yup, I do:
data "coder_external_auth" "gitlab" {
  id = "gitlab"
}
Phorcys
Phorcys•4d ago
@Tom how are you logging in to the Coder CLI?
Tom
Tom (OP)•3d ago
I wasn't sure you had to be (I thought external auth might not need it), but I tried using coder_login just to rule it out, and it didn't seem to work at all on windows. So I instead ended up running coder login --token="${CODER_USER_TOKEN}" --url="${CODER_DEPLOYMENT_URL}" on startup, which led to coder whoami returning my user. I piped the user token and deployment URL in through the TF template:
resource "coder_script" "coder-login" {
  agent_id = resource.coder_agent.main.id
  script = templatefile("${path.module}/CoderLogin.ps1.tftpl", {
    CODER_USER_TOKEN : data.coder_workspace_owner.me.session_token,
    CODER_DEPLOYMENT_URL : data.coder_workspace.me.access_url
  })
  display_name       = "Coder Login"
  icon               = "/icon/coder.svg"
  run_on_start       = true
  start_blocks_login = true
}
After doing all that, the result of coder external-auth access-token gitlab was still the same as before I did it 😥
Phorcys
Phorcys•3d ago
can you run coder whoami?
Tom
Tom (OP)•3d ago
Yeah, it returns my user
