force:org:create: Error authenticating with JWT config due to: user hasn't approved this consumer
We have a cicd pipeline with a cicd admin user that is used to perform all cli actions like deploying code and creating sandboxes (and removing unnecessary production data). Since a short while somehow the script for creating the sandbox stops at exactly 95% with the error:
Error authenticating with JWT config due to: user hasn't approved this consumer:
This cicd user logs in to production a couple of times a day and this used to work flawlessly. When I log into the sandbox with that user it also works, only in the running job for creating the sandbox it doesn't. The sandbox is created but our script fails and because of the failure the next step to delete production data and load testdata fails as well. Weird thing is, afterwards, when the sandbox is fully created, we can rerun that second step and it logs in fine with the same user.
Command used: sfdx force:org:create -t sandbox sandboxName=SFDCTEST -u [email protected] -a SFDCTEST -w 300 -f 'C:\agent_work\3/tools/tooling/sandbox/feature-sandbox-template.json'
SFDX version: 7.157.0
Because it fails, but then works a bit later, this may be a replication issue (Salesforce asynchronously copying things to your new org or the login servers from your parent org).
I'd suggest two things:
- try force:org:beta:create which uses newer code. There have been some recent changes in domain logic for sandboxes https://github.com/forcedotcom/cli/issues/1556 https://github.com/forcedotcom/cli/issues/1603 that may not be accounted for in the older command. We're planning to make this command the "norm" soon anyway so if this isn't working right there, too, we'd love to know.
- try the new sf env create sandbox which is a much nicer version. It uses the same logic as option 1, but has better UI and a matching resume command when it fails, which you could script to work around this issue if it really is a replication issue that the CLI can't fix.
I'll try option 2, I'll come back to you
@mshanemc I only see three sf env commands, do I need to install a beta version of sfdx?
@Dane1986 Not sure which version of sf you have.
npm install @salesforce/cli -g
sf --version
@salesforce/cli/1.38.0 darwin-x64 node-v16.13.1
sf env create sandbox -h
This command is in beta.
Create a sandbox org.
USAGE
$ sf env create sandbox [--json] [-f <value> | -n <value> | -l Developer|Developer_Pro|Partial|Full] [-s] [-a <value>] [-w <value> | --async] [-i <value> | ] [-c <value> | ] [-o <value>]
[--no-prompt] [--no-track-source]
FLAGS
-a, --alias=<value> Alias for the sandbox org.
-c, --clone=<value> Name of the sandbox org to clone.
-f, --definition-file=<value> Path to a sandbox definition file.
-i, --poll-interval=<seconds> [default: 30 seconds] Number of seconds to wait between retries.
-l, --license-type=(Developer|Developer_Pro|Partial|Full) [default: Developer] Type of sandbox license.
-n, --name=<value> Name of the sandbox org.
-o, --target-org=<value> Username or alias of the production org that contains the sandbox license.
-s, --set-default Set the sandbox org as your default org.
-w, --wait=<minutes> [default: 30 minutes] Number of minutes to wait for the sandbox org to be ready.
--async Request the sandbox creation, but don't wait for it to complete.
--no-prompt Don't prompt for confirmation about the sandbox configuration.
--no-track-source Do not use source tracking for this sandbox.
GLOBAL FLAGS
--json Format output as json.
sf env resume sandbox -h
This command is in beta.
Check the status of a sandbox creation, and log in to it if it's ready.
USAGE
$ sf env resume sandbox [--json] [-w <value>] [-n <value> | -i <value>] [-l] [-o <value>]
FLAGS
-i, --job-id=<value> Job ID of the incomplete sandbox creation that you want to check the status of.
-l, --use-most-recent Use the most recent sandbox create request.
-n, --name=<value> Name of the sandbox org.
-o, --target-org=<value> Username or alias of the production org that contains the sandbox license.
-w, --wait=<minutes> Number of minutes to wait for the sandbox org to be ready.
GLOBAL FLAGS
--json Format output as json.
Hi,
The problem was that sfdx cli was up to date, however salesforce-cli was new to me. It's updated now. Thanks
So, implemented the sf env create sandbox command with async processing and a task in azure to do the polling with env resume, however it's not stable. I get a lot of connection resets. So we'll have to wait for that option until it's more stable. Only option left then is the org:beta command
Connection resets seem to disappear when using the domain name of the sandbox in the url. Looks like the sf cli is the way to go. Bit unstable still, but I worked around it in the script by adding retries
@mshanemc force:org:beta:create does not appear to improve this issue, so I think this should be reopened. sfdx should be responsible for making deterministic commands.
I'm trying to auth with a newly created scratch org, and it fails randomly. I try to log in 3 times before failing the build. I'm getting the same error after calling sfdx force:org:beta:create... then sfdx force:auth:jwt:grant... with the scratch org username. I don't know if it's from using beta, but I got a different error message the first time:
ERROR running auth:jwt:grant: We encountered a JSON web token error, which is likely not an issue with Salesforce CLI. Here’s the error: Error authenticating with JWT.
Errors encountered:
user hasn't approved this consumer
user hasn't approved this consumer
audience is invalid [audience=**************************** login=***************************/]
(The audience error was new this time)
And the next error was the one I had seen before:
Attempt 2 to authorize [email protected] with scratch org...
ERROR running auth:jwt:grant: We encountered a JSON web token error, which is likely not an issue with Salesforce CLI. Here’s the error: Error authenticating with JWT.
Errors encountered:
user hasn't approved this consumer
user hasn't approved this consumer
user hasn't approved this consumer
To authorize the newly created scratch org (which uses org shape from production), I'm running
sfdx force:auth:jwt:grant --clientid "$PRODUCTION_INTEGRATION_CONSUMER_KEY" --jwtkeyfile "$PRODUCTION_KEYFILE" --username "$orgUserName" --instanceurl https://test.salesforce.com
As this fails randomly I don't suspect it's an issue with the keys themselves.
@AndrewRayCode the root of this is asynchronous replication from the newly created org to the "generic" login servers at https://test.salesforce.com
I hypothesize you'll have better luck using the instanceurl of the new scratch org, which should be available in the org:create output. That goes directly to the new org, instead of through test.salesforce.com so as long as its DNS is ready you should be able to hit it.
I have seen that shape/template/snapshot-based scratch orgs can take longer to be "ready", similar to how this issue had problems with sandboxes.
Aside from that, I'd encourage you to use the newer sf env create scratch. We may end up having to put some additional retry logic but the error for "jwt isn't ready yet" is the same as "wrong clientid" so you'd be retrying actual errors, too.
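The retry caveat from the last reply, as an added example that is not part of the thread or of the Salesforce CLI: a bounded retry wrapper that retries only when the output contains the "user hasn't approved this consumer" text and stops immediately on any other failure. The function name retry_jwt_grant and the ORG_INSTANCE_URL variable are hypothetical; the sfdx flags in the usage comment are the ones quoted above.

```bash
#!/usr/bin/env bash
# Added example: bounded retry around a JWT grant for a freshly created org.
# Assumption: the "org not replicated yet" case is recognised only by the
# message text seen in this thread. A wrong client id produces the same text,
# so attempts are capped and the last error is always surfaced.

TRANSIENT_MSG="user hasn't approved this consumer"

# retry_jwt_grant MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
# Returns 0 on success, 1 on a non-transient error (no retry),
# 2 when every attempt failed with the transient message.
retry_jwt_grant() {
  local max="$1" delay="$2" attempt=1 out
  shift 2
  while [ "$attempt" -le "$max" ]; do
    if out="$("$@" 2>&1)"; then
      printf '%s\n' "$out"
      return 0
    fi
    case "$out" in
      *"$TRANSIENT_MSG"*)
        echo "attempt $attempt/$max: org not ready or consumer not approved" >&2
        ;;
      *)
        # Anything else (missing key file, bad flag, ...) will not fix itself.
        printf '%s\n' "$out" >&2
        return 1
        ;;
    esac
    attempt=$((attempt + 1))
    if [ "$attempt" -le "$max" ]; then
      sleep "$delay"
      delay=$((delay * 2))   # exponential backoff between attempts
    fi
  done
  printf '%s\n' "$out" >&2
  echo "giving up after $max attempts; verify the consumer key and connected app" >&2
  return 2
}

# Usage (ORG_INSTANCE_URL is a placeholder for the instance URL printed by
# org:create, as suggested above; the other variables are from the thread):
# retry_jwt_grant 5 10 sfdx force:auth:jwt:grant \
#   --clientid "$PRODUCTION_INTEGRATION_CONSUMER_KEY" --jwtkeyfile "$PRODUCTION_KEYFILE" \
#   --username "$orgUserName" --instanceurl "$ORG_INSTANCE_URL"
```

Exit code 2 is the case to alert on in a pipeline: it means the cap was reached with the ambiguous message, which is where a revoked or misconfigured connected app would show up.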