nullsense 7d ago

Trouble adding IAMMember (aka Administrator)

Hi folks, I'm using a self-hosted instance of Zitadel v2.71.10. I am not able to upgrade to V3 or higher at this time. I am testing the IAMMember API with the following flow (wrapper functions):
    orgResp, err := zitadelClient.AddOrg("test-org-2")
    require.NoError(t, err)

    userResp, err := zitadelClient.CreateUser(orgResp.GetOrganizationId(), "user1@email.com", "user1", "user1", true)
    require.NoError(t, err)

    _, err = zitadelClient.AddIAMMember(orgResp.GetOrganizationId(), userResp.GetUserId(), []string{"ORG_OWNER"})
    require.NoError(t, err)
This is what my AddIamMember function looks like:
    zitadelClient.AdminService().AddIAMMember(ctx, &adminRequests.AddIAMMemberRequest{
        UserId: userId,
        Roles:  roles,
    })
I'm receiving the following error when attempting to give a user the ORG_OWNER role:
Received unexpected error:
rpc error: code = InvalidArgument desc = Member is invalid (INSTANCE-4m0fS)
failed to add IAM member with userId: 342200700094119945
Which points to this line of source code, here.
    func (c *Commands) AddInstanceMemberCommand(a *instance.Aggregate, userID string, roles ...string) preparation.Validation {
        return func() (preparation.CreateCommands, error) {
            if userID == "" {
                return nil, zerrors.ThrowInvalidArgument(nil, "INSTA-SDSfs", "Errors.Invalid.Argument")
            }
            if len(domain.CheckForInvalidRoles(roles, domain.IAMRolePrefix, c.zitadelRoles)) > 0 {
                return nil, zerrors.ThrowInvalidArgument(nil, "INSTANCE-4m0fS", "Errors.IAM.MemberInvalid")
            }
I'm not clear why the role is invalid, or what can be changed to fix this. Is there anyone else who can give guidance?
3 Replies
Ask Inkeep 7d ago

Hi @Billy, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Answer

I wasn't able to find a direct answer, here are some relevant sources:

1. Add IAM Member (1): This shows the correct API endpoint for adding IAM members with valid roles like IAM_OWNER.
2. Add Organisation Member Docs references IAM_OWNER role despite not being valid (2): This GitHub issue explains that IAM_OWNER roles are invalid for organization member endpoints and should use instance-level endpoints instead.

To learn more, see the sources I considered:
[1] Add IAM Member
[2] Add Organisation Member Docs references IAM_OWNER role despite not being valid

Feel free to tag @Ask Inkeep with additional questions. Got it. Tagging @Rajat for additional help.
nullsense (OP) 7d ago

Nvm, this is resolved -- was using the wrong API
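The root cause in this thread is a scope mismatch: the instance-level `AddIAMMember` endpoint runs `CheckForInvalidRoles` against `domain.IAMRolePrefix`, so an org-scoped role such as `ORG_OWNER` is rejected with `Errors.IAM.MemberInvalid`. The following Go snippet is an added example (not ZITADEL's code and not the poster's wrapper) that mirrors that prefix check on the client side and routes a role set to the instance or the organization membership API, refusing mixed or unknown sets so nobody grants instance-wide rights by accident; the role catalogue and the `IAM_`/`ORG_` prefix constants are assumptions modelled on the roles named on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed prefixes: ZITADEL's domain.IAMRolePrefix is "IAM_"; org roles use "ORG_".
const (
	iamRolePrefix = "IAM_"
	orgRolePrefix = "ORG_"
)

// Constructed role catalogue for the example; a real instance knows more roles.
var knownRoles = map[string]bool{"IAM_OWNER": true, "ORG_OWNER": true}

// MemberScope names the membership API a role set belongs to.
type MemberScope int

const (
	ScopeUnknown  MemberScope = iota
	ScopeInstance             // AdminService.AddIAMMember: roles must all be IAM_*
	ScopeOrg                  // org-level member endpoint: roles must all be ORG_*
)

// invalidRoles mirrors the server-side check: a role is invalid when it
// lacks the expected prefix or is not in the known catalogue.
func invalidRoles(roles []string, prefix string, known map[string]bool) []string {
	var bad []string
	for _, r := range roles {
		if !strings.HasPrefix(r, prefix) || !known[r] {
			bad = append(bad, r)
		}
	}
	return bad
}

// ScopeFor picks the API for a role set and fails fast with a readable
// reason instead of the opaque "Member is invalid" the server returns.
func ScopeFor(roles []string) (MemberScope, error) {
	if len(roles) == 0 {
		return ScopeUnknown, fmt.Errorf("no roles given")
	}
	if len(invalidRoles(roles, iamRolePrefix, knownRoles)) == 0 {
		return ScopeInstance, nil
	}
	if len(invalidRoles(roles, orgRolePrefix, knownRoles)) == 0 {
		return ScopeOrg, nil
	}
	return ScopeUnknown, fmt.Errorf("roles %v are neither all IAM_* nor all ORG_*: choose one membership API", roles)
}
```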
Ask Inkeep 7d ago
Glad I could be helpful. Feel free to create a new thread with any new questions you may have.