1347282 - One-Click loaner gives me "Insufficient Scopes Error!"

Status: RESOLVED FIXED

(Taskcluster :: Operations and Service Requests, task)

Description

[Michael Froman [:mjf]]

This is from try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=ab190d5d9a8385266830a8c0226aeb6b5243c2f0&selectedJob=83495455
Then I selected one of the successful linux jobs, clicked "One Click Loaner" under "Job Details".  After logging into the presented taskcluster page with my Mozilla ldap creds and clicking "One-Click Loaner", I get this:
Insufficient Scopes Error! 

You do not have sufficient scopes. This request requires you to have one of the following sets of scopes: [ [ "queue:create-task:aws-provisioner-v1/gecko-1-b-macosx64" ], [ "queue:define-task:aws-provisioner-v1/gecko-1-b-macosx64", "queue:task-group-id:-/WnNt0ctkTbqVKCusZPe0-g", "queue:schedule-task:-/WnNt0ctkTbqVKCusZPe0-g/WnNt0ctkTbqVKCusZPe0-g" ] ]

You only have the scopes: [ "assume:hook-id:garbage/", "assume:mozilla-group:IntranetWiki", "assume:mozilla-group:StatsDashboard", "assume:mozilla-group:all-moco-mofo@mozilla.com", "assume:mozilla-group:all-moco@mozilla.com", "assume:mozilla-group:corp-employees@mozilla.com", "assume:mozilla-group:corp-vpn", "assume:mozilla-group:irccloud", "assume:mozilla-group:irccloud-users@mozilla.com", "assume:mozilla-group:mreavy-directs@mozilla.com", "assume:mozilla-group:okta_mfa", "assume:mozilla-group:phonebook_access", "assume:mozilla-group:team_moco", "assume:mozilla-group:us-corp-employees@mozilla.com", "assume:mozilla-group:vpn_corp", "assume:mozilla-group:vpn_default", "assume:mozilla-user:mfroman@mozilla.com", "assume:project:taskcluster:tutorial", "assume:worker-id:", "auth:create-client:mozilla-ldap/mfroman@mozilla.com/", "auth:create-role:hook-id:garbage/", "auth:delete-client:mozilla-ldap/mfroman@mozilla.com/", "auth:delete-role:hook-id:garbage/", "auth:reset-access-token:mozilla-ldap/mfroman@mozilla.com/", "auth:update-client:mozilla-ldap/mfroman@mozilla.com/", "auth:update-role:hook-id:garbage/", "hooks:modify-hook:garbage/", "hooks:trigger-hook:garbage/", "queue:create-task:aws-provisioner-v1/b2gtest", "queue:create-task:aws-provisioner-v1/tutorial", "queue:get-artifact:private/", "queue:rerun-task", "queue:resolve-task", "scheduler:create-task-graph", "scheduler:extend-task-graph", "secrets:get:garbage/", "secrets:set:garbage/" ]

In other words you are missing scopes from one of the options:

    Option 0:
        "queue:create-task:aws-provisioner-v1/gecko-1-b-macosx64"
    Option 1:
        "queue:define-task:aws-provisioner-v1/gecko-1-b-macosx64", and
        "queue:task-group-id:-/WnNt0ctkTbqVKCusZPe0-g", and
        "queue:schedule-task:-/WnNt0ctkTbqVKCusZPe0-g/WnNt0ctkTbqVKCusZPe0-g"

Comment 1

[Greg Arndt [:garndt]]

Are the credentials used to log into treeherder also tied to the credentials that you use to push to try?  It appears that some of the groups that are added when you have scm level 1 access (try) are not added to the list of scopes you have here.

Comment 2

[Michael Froman [:mjf]]

Ooh - very possible that is the problem, because I didn't get level 1 access with my Moz email.  Let me retry with my treeherder login.

Comment 3

[Michael Froman [:mjf]]

Waiting on a greylisting issue to be resolved with my email host.  At the moment, by the time I get the email with the code to login to taskcluster the code is no longer valid.  Hoping to get this resolved later tonight.  Sorry for the delay!

Comment 4

[Dustin J. Mitchell [:dustin] (he/him)]

You need to login with Okta, not with email, to get sensitive access like this.  The account you use to push to hg will work fine with Okta (it's not limited to @mozilla.com addresses).

Comment 5

[Michael Froman [:mjf]]

Dustin - thank you for that tip!  I would never have thought of crossing those 2 streams. ;-)

Greg, Dustin - I was able to login and see the display and shell pages for a linux test.  Thank you.

Comment 6

[Dustin J. Mitchell [:dustin] (he/him)]

This will become clearer when we switch to using Auth0.  Sorry for the confusion!