update-password failed unable to extract token claims

[pikomen]

Describe the bug

error on update-password with argocd cli tool

argocd account get --account qa
Name:               qa
Enabled:            true
Capabilities:       apiKey, login

Tokens:
NONE

argocd account update-password --account qa --current-password ADMIN_PASS --new-password NEW_PASS
ERRO[0000] finished unary call with code Unknown         error="unable to extract token claims" grpc.code=Unknown grpc.method=UpdatePassword grpc.service=account.AccountService grpc.start_time="2022-05-03T17:07:55+03:00" grpc.time_ms=0.069 span.kind=server system=grpc
FATA[0000] rpc error: code = Unknown desc = unable to extract token claims

Related helm chart

argo-cd

To Reproduce

argo-cd-4.5.8 k8s v1.21.3

  config:
  # Argo CD's externally facing base URL (optional). Required when configuring SSO
    accounts.qa: apiKey, login
    accounts.dev: apiKey, login
    accounts.qa.enabled: "true"
    accounts.dev.enabled: "false"

Expected behavior

change password for new user created by config

Screenshots

No response

Additional context

No response

[github-actions[bot]]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[theilgaard]

This is still present when using argocd cli and --core.

argocd@argocd-server-75f759c8c6-745kt:~$ argocd account update-password --account api_user --core
*** Enter new password for user api_user: 
*** Confirm new password for user api_user: 
ERRO[0002] finished unary call with code Unknown         error="unable to extract token claims" grpc.code=Unknown grpc.method=UpdatePassword grpc.service=account.AccountService grpc.start_time="2022-08-25T14:12:44Z" grpc.time_ms=0.068 span.kind=server system=grpc
FATA[0002] rpc error: code = Unknown desc = unable to extract token claims 

[acoyiu]

This is still present when using argocd cli and --core.

argocd@argocd-server-75f759c8c6-745kt:~$ argocd account update-password --account api_user --core
*** Enter new password for user api_user: 
*** Confirm new password for user api_user: 
ERRO[0002] finished unary call with code Unknown         error="unable to extract token claims" grpc.code=Unknown grpc.method=UpdatePassword grpc.service=account.AccountService grpc.start_time="2022-08-25T14:12:44Z" grpc.time_ms=0.068 span.kind=server system=grpc
FATA[0002] rpc error: code = Unknown desc = unable to extract token claims 

Same situation here, does any have idea how to fix?

[giepa]

Same for me

[xiaoweihong]

same

[IvanaDohop]

Same here. How can we take this forward, should we reopen this issue or should someone create a new one?

[Joao-1]

~$ argocd account update-password --account dev --new-password <>     
ERRO[0003] finished unary call with code Unknown         error="unable to extract token claims" grpc.code=Unknown grpc.method=UpdatePassword grpc.service=account.AccountService grpc.start_time="2023-05-15T16:45:39-03:00" grpc.time_ms=0.045 span.kind=server system=grpc
FATA[0003] rpc error: code = Unknown desc = unable to extract token claims

Same here.

[ralf-berger]

Same. But creating a token for an apiKey account works.

[saracm93]

I found a workaround by executing the request inside of the argocd-server pod: kubectl exec -it -n argocd argocd-server-77d7885dcc-qcxpt bash argocd login --username admin --password argocd-server argocd account update-password --account qa --new-password <Password>

I hope this may help someone.

[sieczak-a]

Same here. Image argocd:v2.5.4.

I can create user, but could not change password

argocd account update-password --account alice --current-password 'MY_ADMIN_PASS' --new-password  mysecurepass
ERRO[0000] finished unary call with code Unknown         error="unable to extract token claims" grpc.code=Unknown grpc.method=UpdatePassword grpc.service=account.AccountService grpc.start_time="2023-06-06T10:28:37Z" grpc.time_ms=0.061 span.kind=server system=grpc
FATA[0000] rpc error: code = Unknown desc = unable to extract token claims

[jerguslejko]

same here 😢

[CryptoTr4der]

Same here!

[rishikanthc]

Facing the same on argocd:v2.8.2

[rishikanthc]

I was able to resolve this by changing the connection protocol for login. I used the steps below:

Login with argocd login <hostname> --username admin --grpc-web-root-path / Check access by listing all users argocd account list

I was then able to update my password with argocd account update-password --account <new-username> --new-password <new-password>

Hope this helps someone else !

[rshiva777]

We can do login to argocd using admin user, and the change password for a local user as below:

kubectl  exec -it -n argocd argocd-server-56788cb95f-s2hd9  bash
argocd login localhost:8080 --insecure
Username: admin
Password: 
'admin:login' logged in successfully
Context 'localhost:8080' updated

The issue is, when we are into kubernetes cluster context, and logged into argocd using core login as below, getting an errror

argocd login --core
Context 'kubernetes' updated

argocd account update-password --account ro-user --new-password  ro-test@123
ERRO[0001] finished unary call with code Unknown         error="unable to extract token claims" grpc.code=Unknown grpc.method=UpdatePassword grpc.service=account.AccountService grpc.start_time="2023-12-20T07:47:58Z" grpc.time_ms=0.042 span.kind=server system=grpc
FATA[0001] rpc error: code = Unknown desc = unable to extract token claims 

so, how can we update password using the core login ? any leads would be helpful

[qmn1711]

I have encountered the same problem. It turns out you need login first in order to update password

argocd login <ARGOCD_SERVER>

# Then
argocd account update-password

[leoluz]

The error message "unable to extract token claims" is related with the currently logged in user, in this case, the admin. The API server will try to extract the claims from the token to proceed with the authorization. This error will be raised when there are no claims available.

There are a few possibilities that could cause this issue:

• The user is not logged in on argocd CLI: as noted by @qmn1711 above you must first login in argocd CLI. Make sure that you are using the desired Argo CD instance. If you are managing multiple Argo CDs it could be confusing to know which API server your argocd CLI commands will be targeting. Use the argocd context command to make sure that you are issuing commands to the correct server. If that is correct and you are still facing the issue, check your local config file where Argo CD CLI stores the token. Maybe it got corrupted along the way. You can rename the local config file (to keep it as a backup) and start fresh. The file is located in ~/.config/argocd/config.

• The user is running Argo CD in core mode (--core): The main point of Argo CD Core is running just the main controller functionality relying on Kubernetes RBAC model. The documentation describes that it runs with limited functionality. If you want to get a better understanding about Argo CD Core, Alex and I presented this talk at KubeCon Amsterdam providing more details about it.

• Argo CD API server is running with authentication disabled: Changing user's password is a functionality that requires that Argo CD is running with authentication enabled. In the API server configs, make sure that the ARGOCD_SERVER_DISABLE_AUTH env var is NOT set to true and it isn't running with --disable-auth flag.