Service Accounts: failed to DecodeSACCredentials: failed to DeserializeServiceAccountAuthToken

seminal
Community Member

Hello, I'm trying to connect Bitrise with 1Password via a service account. I have set my OP_SERVICE_ACCOUNT_TOKEN environment variable to my service account token. But I get the following error:

Configuring env...
[ERROR] 2023/08/09 16:23:23 failed to DecodeSACCredentials: failed to DeserializeServiceAccountAuthToken, unrecognized auth type
[ERROR] 2023/08/09 16:23:23 error initializing client: Validation: (failed to session.DecodeSACredentials), Server: (failed to DecodeSACCredentials), failed to DeserializeServiceAccountAuthToken, unrecognized auth type

What would be the auth type and do I need to set it somewhere? Thanks


Comments

  • Hi @seminal, that's an indicator that the Service Account token being used is not valid. Could you ensure that the token being used is the latest/not revoked?

    Best,
    Arun

  • SleepingBearSystems
    Community Member
    edited September 2023

    I had this same problem because I accidentally used the Connect server access token instead of the service account token. Go to the Integration settings, click the Directory tab, and then click the Other button to get to where you actually create a service account.

  • lbljeffmo
    Community Member
    edited December 2023

    I am also having this issue, but neither OP_CONNECT_TOKEN nor OP_CONNECT_HOST are set and I've also tried rotating the token several times (using the new one each time), still getting the same error...

    What's the best way to debug this? I tried the --debug flag but didn't get much other information:

    $ if [ -z "${OP_CONNECT_TOKEN}" ]; then echo "OP_CONNECT_TOKEN is unset."; else echo "OP_CONNECT_TOKEN is set."; fi
    OP_CONNECT_TOKEN is unset.
    $ if [ -z "${OP_CONNECT_HOST}" ]; then echo "OP_CONNECT_HOST is unset."; else echo "OP_CONNECT_HOST is set."; fi
    OP_CONNECT_HOST is unset.
    $ echo $OP_SERVICE_ACCOUNT_TOKEN|wc -c
    861
    $ op user get --me
    [ERROR] 2023/12/30 17:21:52 failed to DecodeSACredentials: failed to DeserializeServiceAccountAuthToken, unrecognized auth type
    $ op --debug user get --me
    5:21PM | DEBUG | Skipped loading desktop app settings file. The desktop app might not be installed: read file: lstat /root/.config/1Password/settings/settings.json: no such file or directory
    [ERROR] 2023/12/30 17:21:58 failed to DecodeSACredentials: failed to DeserializeServiceAccountAuthToken, unrecognized auth type
    

    (As you can see from the debug message I'm trying this as root, but I also tried it as non-root just to make sure this wasn't the issue and I saw the same behavior...)

  • lbljeffmo
    Community Member

    Ok, apparently my bash-fu wasn't so strong. Here's what I was doing wrong:

    In order to populate the OP_SERVICE_ACCOUNT_TOKEN variable, I had stored the service token in a file (marked rw only for the user to keep it secret) and then I was running export OP_SERVICE_ACCOUNT_TOKEN=$(cat .service-account-token).

    The problem with this is that cat seems to have been spitting out ^[[0m escape sequences at the beginning and the end of its output...and those are bytes that throw off op!

    To fix this, I just changed my export statement to export OP_SERVICE_ACCOUNT_TOKEN=$(<.service-account-token) and everything seems to be golden now.
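
A pre-flight check for the failure described in the last post, as an added example that is not part of the thread or of 1Password's tooling: it reads the token file without calling cat and refuses to export a value that carries stray bytes. The function names are hypothetical, and the check assumes a valid token is a single line of printable, non-space ASCII.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: a valid token is a single line of printable, non-space ASCII.

# Print how many bytes of $1 fall outside printable non-space ASCII
# (ESC from colour codes, CR from Windows line endings, spaces, tabs ...).
token_stray_bytes() {
    printf '%s' "$1" | LC_ALL=C tr -d '!-~' | wc -c | tr -d ' '
}

# Show where the stray bytes sit without disclosing the secret: every
# printable character becomes '.', everything else is dumped by od -c.
token_mask() {
    printf '%s' "$1" | LC_ALL=C tr '!-~' '[.*]' | od -An -c
}

# Read the first line of file $1 with the shell's own `read` builtin (no
# external cat, so no alias or wrapper can decorate the output) and export
# it as OP_SERVICE_ACCOUNT_TOKEN only if it is clean.
load_token_file() {
    _tok=
    IFS= read -r _tok < "$1" || [ -n "$_tok" ] || return 1
    _stray=$(token_stray_bytes "$_tok")
    if [ "$_stray" -ne 0 ]; then
        echo "token in $1 has $_stray unexpected byte(s):" >&2
        token_mask "$_tok" >&2
        unset _tok _stray
        return 2
    fi
    export OP_SERVICE_ACCOUNT_TOKEN="$_tok"
    unset _tok _stray
}

# Constructed demo value, wrapped in the escape sequence the last post describes.
demo=$(printf '\033[0m%s\033[0m' 'constructed-sample-token')
echo "stray bytes in demo value: $(token_stray_bytes "$demo")"
```

Only the ESC byte of each `^[[0m` sequence is counted, since `[0m` is printable; any non-zero count means the value is not the token as issued.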