Hey there Adam,
Here is a very topical [Content removed] that’s ongoing at the moment with some more details around UE_HORDE_TOKEN. So the token that is stored within there *should* be minted JIT, and issued through the JobDriver to the UAT job. I’ve outlined that process in the referenced thread.
What’s important to note about the token that’s minted (and stored in UE_HORDE_TOKEN) is the following claims attached to it:

```csharp
// Create a bearer token for the job executor
List<AclClaimConfig> claims = new List<AclClaimConfig>();
claims.Add(HordeClaims.AgentRoleClaim);
claims.Add(new AclClaimConfig(HordeClaimTypes.Lease, leaseId.ToString()));
claims.Add(new AclClaimConfig(HordeClaimTypes.LeaseStream, streamConfig.Id.ToString()));
claims.Add(new AclClaimConfig(HordeClaimTypes.LeaseProject, streamConfig.ProjectConfig.Id.ToString()));
claims.Add(new AclClaimConfig(HordeClaimTypes.LeaseTemplate, job.TemplateId.ToString()));
claims.AddRange(job.Claims.ConvertAll(x => new AclClaimConfig(x.Type, x.Value)));
```
Source: JobTaskSource
A couple of ideas here on how to tune the ACL, as I ended up having to do something similar for a different UGS workflow issue:
- Attach a debugger to the server (AgentsController) route: “api/v1/agents”
- Run your scheduled job
- Catch - in debugger, and inspect the User, and importantly the claims
- This is where I suspect the above code reference to be relevant here; I wonder if the token that’s being used doesn’t have applicable claims for the specific task to be explicitly called.
Now in researching this other issue, I came across a bug fix that the great [mention removed] recently made that *could* be related here - although this is more along the lines of local user context initiating the UBT build in an auth context. It still doesn’t explain the fact that your CI-invoked job is failing to pass auth, as for me it was the inverse issue that I observed. That being said, we will probably get some insights from the debugger.
I haven’t had an opportunity to try and reproduce the above scripts just yet, but my debugging approach would be as above (and mileage may vary). Is this in AuthMethod as Horde? Furthermore, I may have missed a relevant detail from above: when you’re referring to globals credentials - this segment? If so, this will be the Perforce user, which wouldn’t be what you’re running as locally.
Let me know how things fare - and I’m happy to keep chipping away till we get this. I’m planning on coalescing all these notes together for a public article, as Auth can be a bit challenging to get working in some of these flows.
Kind regards,
Julian
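
One way to look at the claims on the job's token without attaching a debugger, as an added example that is not part of the original post or of Horde's code. It assumes the value in UE_HORDE_TOKEN is a compact JWT (the post only calls it a bearer token), and the claim type names below are constructed placeholders, not the real HordeClaimTypes strings. The payload is decoded without verifying the signature, so the output is for inspection only.

```python
import base64
import json
import os

# Constructed placeholder claim types; substitute the real HordeClaimTypes
# strings from your Horde source tree (they are not shown in the post).
REQUIRED = ("example:lease", "example:lease-stream",
            "example:lease-project", "example:lease-template")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def missing_claims(claims: dict, required=REQUIRED) -> list:
    """List the required claim types that the token does not carry."""
    return [c for c in required if c not in claims]

def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the script runs offline."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.constructed"

if __name__ == "__main__":
    # Inside a job step the real token is read from the environment; the
    # token itself is never printed, only the decoded claims.
    token = os.environ.get("UE_HORDE_TOKEN") or make_sample_token(
        {"example:lease": "lease-1", "example:lease-stream": "stream-1"})
    claims = decode_claims(token)
    for claim_type in sorted(claims):
        print(f"{claim_type} = {claims[claim_type]}")
    print("missing:", missing_claims(claims))
```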