I broke my Zitadel Console Access
In Zitadel Console, I disallowed login via username + password (only IDP login is visible now), but now I can't log into the main admin root account, because that requires username + password lol. What options do I have?
I self-host on Kubernetes btw.
14 Replies
Hi @Aldraz, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
If you've disabled username/password login and now can't access your admin account because it requires that method, the recommended steps are:
1. Check if another instance admin (who still has access) can unlock or re-enable local authentication for your account.
2. If all admins are locked out because only external IDP logins are enabled and the IDP is unavailable, it's recommended to always keep local authentication enabled as a fallback.
3. If you cannot regain access, you will need to contact ZITADEL support to request an account unlock. This process requires multiple verification steps for security reasons (1).
You can find more details in this guide: Instance admin account locked out.
To learn more, see the sources I considered:
[1] Instance admin account locked out
Got it. Tagging @Rajat for additional help.
I was thinking I could probably change the default settings in the helm values file and it would re-enable username + password login, but I was hoping that users could only see the IDP login, which now doesn't seem to be an option, since I will be locked out from console.
hey @Aldraz if you have API access, you can reset login settings
but that won't allow me to disallow username + passwords for users only, right? so the only option is to have it be enabled?
isn't there a way to log into the zitadel console via API somehow? but like directly gain the UI of zitadel console?
I am not sure if I understood it correctly.
The Zitadel Console is a web-based dashboard that requires authentication via the user interface, and its APIs are designed for programmatic management of resources, not for rendering or automating the Console UI itself.
Yes, but you use this dashboard to see and control everything nicely, I don't want to be using only APIs, just to be able to hide the single feature from the users. I just wanted social logins (Google, GitHub) to be displayed, that's all, but if that means I can't ever log into Zitadel Console ever again, I will have to redo this. I thought Zitadel can do these basics.
There is a chance I have disabled Organization Logins though, which maybe is causing this.
you can update the login settings. We have all these Login Settings that you can play around with.
Hope this helps
No, this doesn't help at all. I know I can update the login settings.
I am just saying that if allowUsernamePassword is false.. then I can't log into zitadel console.
there should be a way to log in via IDP or any other login methods for sure. I can dig more into it tomorrow
I only have passwordless on my account too. I never enter email/password
Well I can create a new account, give it all permissions.. and set it up as idp maybe.. that could work I guess..
Or maybe somehow convert the root account to IDP account?
do you have other login methods on that org? If yes, you can still do it. Provided you have IDP set up for that user
No, I didn't, but that's alright. I can redo the whole thing again if necessary
I have to go, but I will look into it tomorrow if you are still stuck, no problem
No actually you gave me the idea to just make it IDP account. I haven't thought of that for some reason, thanks
I always think of root account as something special