nullsenseN

Trouble adding IAMMember (aka Administrator)

Hi folks,

I'm using a self-hosted instance of Zitadel v2.71.10. I am not able to upgrade to V3 or higher at this time.

I am testing the IAMMember API with the following flow (wrapper functions):

    orgResp, err := zitadelClient.AddOrg("test-org-2")
    require.NoError(t, err)

    userResp, err := zitadelClient.CreateUser(orgResp.GetOrganizationId(), "user1@email.com", "user1", "user1", true)
    require.NoError(t, err)

    _, err = zitadelClient.AddIAMMember(orgResp.GetOrganizationId(), userResp.GetUserId(), []string{"ORG_OWNER"})
    require.NoError(t, err)


This is what my AddIamMember function looks like:
    zitadelClient.AdminService().AddIAMMember(ctx, &adminRequests.AddIAMMemberRequest{
        UserId: userId,
        Roles:  roles,
    })


I'm receiving the following error when attempting to give a user the ORG_OWNER role:

    Received unexpected error:
        rpc error: code = InvalidArgument desc = Member is invalid (INSTANCE-4m0fS)
        failed to add IAM member with userId: 342200700094119945


Which points to this line of source code, here.

    func (c *Commands) AddInstanceMemberCommand(a *instance.Aggregate, userID string, roles ...string) preparation.Validation {
        return func() (preparation.CreateCommands, error) {
            if userID == "" {
                return nil, zerrors.ThrowInvalidArgument(nil, "INSTA-SDSfs", "Errors.Invalid.Argument")
            }
            if len(domain.CheckForInvalidRoles(roles, domain.IAMRolePrefix, c.zitadelRoles)) > 0 {
                return nil, zerrors.ThrowInvalidArgument(nil, "INSTANCE-4m0fS", "Errors.IAM.MemberInvalid")
            }


I'm not clear why the role is invalid, or what can be changed to fix this. Is there anyone else that can give guidance?