No matching permissions found (AUTH-5mWD2)
Good day.
I am trying to set a target for an action using the action v2beta endpoint but get this error "No matching permissions found (AUTH-5mWD2)"
I am using the self hosted version and running version v3.3.0
I am trying to call my internal api that is exposed to the internet just for my zitadel instance. The internal api will update the database after a user is created from the webhook.
I did confirm that the service user has the correct permission but still I get this error.
I tried using a PAT token and a JWT token to get an access token.
What steps can I follow to troubleshoot further, as I can call the "List executions functions" endpoint https://$CUSTOM-DOMAIN/v2beta/actions/executions/functions
Hi @jaaks__ I am currently facing action issues myself and I was wondering how you enabled the actions on your instance?
Hi, I updated the docker image tag to latest and did docker compose down -p project_name, docker pull, then docker compose up -p
Also under default settings in the feature tab there is an action setting to enable
Good to know, thanks, then I guess that's not the main problem on my end
I also tried using the normal actions but I get the below error when trying to send it externally, doesn't matter what hostname or url I use.
13:16:41.531436732Z","took":31289161,"message":"action run failed: Post \"d16kwbhz1wg0000rpvpggouj6gyyyyyyb.oast.pro\": ID=ACTIO-N72d0 Message=host is denied Parent=(ID=ACTIO-4m9s2 Message=lookup failed Parent=(lookup : no such host))","logLevel":"error","instanceId":"301875957130592258"}"
I tried using http https and they failed with a tls error.
Please help.
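The log line above wraps the real cause several levels deep (ID=... Message=... Parent=(...)). The following is an added example, not code from the thread or from Zitadel: a small Python parser that flattens that error chain from a JSON log line and maps the innermost cause to a troubleshooting hint. The sample log line is constructed in the shape of the one quoted above with a placeholder hostname, and the hint table is an assumption drawn from this thread's findings, not an official error catalogue.

```python
import json
import re
from typing import List, Tuple

# Constructed sample in the shape of the log line quoted in the thread;
# the target hostname is a placeholder, the instanceId is the one from the thread.
SAMPLE_LOG = (
    '{"took":31289161,"message":"action run failed: Post \\"webhook.example.invalid\\": '
    'ID=ACTIO-N72d0 Message=host is denied Parent=(ID=ACTIO-4m9s2 '
    'Message=lookup failed Parent=(lookup : no such host))",'
    '"logLevel":"error","instanceId":"301875957130592258"}'
)

# One link of the chain: ID=<code> Message=<text> [Parent=(<nested chain>)]
CAUSE_RE = re.compile(r"^ID=(?P<id>\S+) Message=(?P<msg>.*?)(?: Parent=\((?P<parent>.*)\))?$", re.S)
# Prefix the action runner puts in front of the chain, optionally with "<Method> \"<url>\": "
RUN_RE = re.compile(r'action run failed: (?:\w+ "(?P<url>[^"]*)": )?(?P<chain>.*)$', re.S)

# Root-cause hints keyed on a substring of the innermost message (assumed from this thread)
HINTS = [
    ("no such host", "DNS: the target name does not resolve from inside the Zitadel container's "
                     "network; a URL given without a scheme is parsed as a bare host"),
    ("certificate signed by unknown authority", "TLS: the target's certificate chain is not "
                                                "trusted by the CA bundle inside the Zitadel container"),
    ("host is denied", "Zitadel's outbound host check rejected the target address"),
]


def parse_error_chain(chain: str) -> List[Tuple[str, str]]:
    """Flatten 'ID=.. Message=.. Parent=(..)' into [(id, message), ...], outermost first."""
    causes: List[Tuple[str, str]] = []
    while chain:
        m = CAUSE_RE.match(chain.strip())
        if not m:  # innermost plain Go error with no Zitadel error ID
            causes.append(("", chain.strip()))
            break
        causes.append((m.group("id"), m.group("msg")))
        chain = m.group("parent") or ""
    return causes


def diagnose_action_log(line: str) -> dict:
    """Parse one JSON log line and return instance, target URL, cause chain and a hint."""
    rec = json.loads(line)
    m = RUN_RE.search(rec.get("message", ""))
    if not m:
        return {"instance": rec.get("instanceId"), "url": None, "causes": [], "hint": "not an action run failure"}
    causes = parse_error_chain(m.group("chain"))
    root = causes[-1][1] if causes else ""
    hint = next((h for needle, h in HINTS if needle in root), "no hint for this root cause")
    return {"instance": rec.get("instanceId"), "url": m.group("url"), "causes": causes, "hint": hint}


if __name__ == "__main__":
    print(json.dumps(diagnose_action_log(SAMPLE_LOG), indent=2))
```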
hey @jaaks apologies for getting on it now, but @avondas is also in a similar situation, I will test these behaviours and get back to you.
hi @jaaks make sure the user making the request has
IAM_OWNER
OR ORG_OWNER
from what I can understand, it should work
this user was in a similar problem and it got solved https://discord.com/channels/927474939156643850/1382640586015641691
Hi @Rajat I managed to get it to work and create a target and set execution. My problem is I still don't receive the response at the webhook url.
Then using the old actions I get the host lookup failure but on the host the docker is running I can resolve the host
My initial problem was via reverse nginx proxy not having http2 enabled
I am hooking into the method on the screenshot to call a webhook url once a user is created on the zitadel hosted login screen

can you share your actions too
That is the action and here is the target
and the action uses this target

hey @jaaks__ I think the problem exist elsewhere
Zitadel uses gRPC for invoking webhooks. Your reverse proxy must be configured with HTTP/2 cleartext (h2c) or TLS termination + HTTP/2 forwarding.
Standard HTTP/1 setups won't work
can you do a curl command and see if you can reach your endpoint?
curl -v http://d16kwb/your-endpoint
I can definitely do a curl to the endpoint from the host my docker zitadel instance is running on and had done the curl command multiple times already. I can't run commands in the zitadel docker as nothing works (I think it is meant not to accept commands from docker). I tried docker exec -it docker_id nslookup/ping/cat/ls/bash/sh/bin/bash etc. but nothing works
Below is my nginx config
server {
    listen 80;
    server_name domain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name domain.com;
    http2 on;
    ssl_certificate /etc/ssl/domain/domain.pem;
    ssl_certificate_key /etc/ssl/domain/domain.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!DSS:!RC4'; # Strong ciphers
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    access_log /var/log/nginx/zitadel_https_access.log;
    location / {
        grpc_pass grpc://docker:port;
        grpc_set_header Host $host;
        grpc_set_header X-Real-IP $remote_addr;
        grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        grpc_set_header X-Forwarded-Proto $scheme;
    }
}
should my external api have http2 enabled?
@Rajat If I use the actions v1 in the UI and I set the url without http or https I get the host lookup failure. If I specify http or https I get this error
tls: failed to verify certificate: x509: certificate signed by unknown authority
hi @jaaks__ I think it's an expected behaviour https://discord.com/channels/927474939156643850/927866013545025566/1228996076091084881
Could be a potential bug/feature that you are hitting.
I created a relay docker and placed it in my zitadel docker network. I can call that endpoint without failure and it relays to my external api correctly
oh wow, glad it worked out. Lmk and I will close this
I don't think the actual problem is resolved and the url is being proxied through cloudflare to my self hosted instance. It would be nice to see if it is possible to make it work without the extra docker and maybe a guide to correctly configure it to work through cloudflare proxy.
You can close this but I'm sure someone in the future will have the same problem
hi @jaaks__ thanks and I will check it with my team. Thanks for the tip. BUT, we do have a detailed guide on setting up Zitadel with Cloudflare. Not sure if you have seen this 🙂 This may help, imo you can open a issue or raise a doc PR for troubleshooting tips. We always welcome new scenarios/possibilities.