One-Click loaner gives me "Insufficient Scopes Error!"

RESOLVED FIXED

Status

Taskcluster
Service Request
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: mjf, Assigned: garndt)

(Reporter)

Description

a year ago
This is from try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=ab190d5d9a8385266830a8c0226aeb6b5243c2f0&selectedJob=83495455
Then I selected one of the successful linux jobs, clicked "One Click Loaner" under "Job Details".  After logging into the presented Taskcluster page with my Mozilla LDAP creds and clicking "One-Click Loaner", I get this:
Insufficient Scopes Error! 

You do not have sufficient scopes. This request requires you to have one of the following sets of scopes: [ [ "queue:create-task:aws-provisioner-v1/gecko-1-b-macosx64" ], [ "queue:define-task:aws-provisioner-v1/gecko-1-b-macosx64", "queue:task-group-id:-/WnNt0ctkTbqVKCusZPe0-g", "queue:schedule-task:-/WnNt0ctkTbqVKCusZPe0-g/WnNt0ctkTbqVKCusZPe0-g" ] ]

You only have the scopes: [ "assume:hook-id:garbage/", "assume:mozilla-group:IntranetWiki", "assume:mozilla-group:StatsDashboard", "assume:mozilla-group:all-moco-mofo@mozilla.com", "assume:mozilla-group:all-moco@mozilla.com", "assume:mozilla-group:corp-employees@mozilla.com", "assume:mozilla-group:corp-vpn", "assume:mozilla-group:irccloud", "assume:mozilla-group:irccloud-users@mozilla.com", "assume:mozilla-group:mreavy-directs@mozilla.com", "assume:mozilla-group:okta_mfa", "assume:mozilla-group:phonebook_access", "assume:mozilla-group:team_moco", "assume:mozilla-group:us-corp-employees@mozilla.com", "assume:mozilla-group:vpn_corp", "assume:mozilla-group:vpn_default", "assume:mozilla-user:mfroman@mozilla.com", "assume:project:taskcluster:tutorial", "assume:worker-id:", "auth:create-client:mozilla-ldap/mfroman@mozilla.com/", "auth:create-role:hook-id:garbage/", "auth:delete-client:mozilla-ldap/mfroman@mozilla.com/", "auth:delete-role:hook-id:garbage/", "auth:reset-access-token:mozilla-ldap/mfroman@mozilla.com/", "auth:update-client:mozilla-ldap/mfroman@mozilla.com/", "auth:update-role:hook-id:garbage/", "hooks:modify-hook:garbage/", "hooks:trigger-hook:garbage/", "queue:create-task:aws-provisioner-v1/b2gtest", "queue:create-task:aws-provisioner-v1/tutorial", "queue:get-artifact:private/", "queue:rerun-task", "queue:resolve-task", "scheduler:create-task-graph", "scheduler:extend-task-graph", "secrets:get:garbage/", "secrets:set:garbage/" ]

In other words you are missing scopes from one of the options:

    Option 0:
        "queue:create-task:aws-provisioner-v1/gecko-1-b-macosx64"
    Option 1:
        "queue:define-task:aws-provisioner-v1/gecko-1-b-macosx64", and
        "queue:task-group-id:-/WnNt0ctkTbqVKCusZPe0-g", and
        "queue:schedule-task:-/WnNt0ctkTbqVKCusZPe0-g/WnNt0ctkTbqVKCusZPe0-g"
(Assignee)

Comment 1

a year ago
Are the credentials used to log into treeherder also tied to the credentials that you use to push to try?  It appears that some of the groups that are added when you have scm level 1 access (try) are not added to the list of scopes you have here.
(Assignee)

Updated

a year ago
Assignee: nobody → garndt
Status: NEW → ASSIGNED
(Reporter)

Comment 2

a year ago
Ooh - very possible that is the problem, because I didn't get level 1 access with my Moz email.  Let me retry with my treeherder login.
(Reporter)

Comment 3

a year ago
Waiting on a greylisting issue to be resolved with my email host.  At the moment, by the time I get the email with the code to log in to Taskcluster the code is no longer valid.  Hoping to get this resolved later tonight.  Sorry for the delay!
You need to log in with Okta, not with email, to get sensitive access like this.  The account you use to push to hg will work fine with Okta (it's not limited to @mozilla.com addresses).
(Reporter)

Comment 5

a year ago
Dustin - thank you for that tip!  I would never have thought of crossing those 2 streams. ;-)

Greg, Dustin - I was able to log in and see the display and shell pages for a linux test.  Thank you.
(Assignee)

Updated

a year ago
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
This will become clearer when we switch to using Auth0.  Sorry for the confusion!
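
The scope check behind the "Insufficient Scopes Error!" in the description, as an added example that is not part of the original bug report and not Taskcluster's own code: each option is a set of scopes that must all be held, and any one satisfied option is enough. The trailing-`*` prefix matching and the wildcard scope in `heldConstructed` are assumptions for illustration; the function names are hypothetical.

```javascript
// Added example: scope-set check in the shape of the error message above.
// Assumption: a held scope ending in "*" satisfies any required scope that
// starts with the text before the "*"; otherwise the scopes must be equal.
function satisfies(held, required) {
  if (held === required) return true;
  return held.endsWith('*') && required.startsWith(held.slice(0, -1));
}

// requiredSets is a list of options. An option is satisfied when every scope
// in it is covered by some held scope. Returns the missing scopes per option,
// so an empty array at index i means option i is satisfied.
function missingPerOption(heldScopes, requiredSets) {
  return requiredSets.map(option =>
    option.filter(req => !heldScopes.some(h => satisfies(h, req))));
}

// The request is allowed as soon as any one option has nothing missing.
function isAuthorized(heldScopes, requiredSets) {
  return missingPerOption(heldScopes, requiredSets).some(m => m.length === 0);
}

// Required sets copied from the error message on this page.
const required = [
  ['queue:create-task:aws-provisioner-v1/gecko-1-b-macosx64'],
  ['queue:define-task:aws-provisioner-v1/gecko-1-b-macosx64',
   'queue:task-group-id:-/WnNt0ctkTbqVKCusZPe0-g',
   'queue:schedule-task:-/WnNt0ctkTbqVKCusZPe0-g/WnNt0ctkTbqVKCusZPe0-g'],
];

// A few of the reporter's scopes, as printed in the error message.
const heldEmailLogin = [
  'queue:create-task:aws-provisioner-v1/b2gtest',
  'queue:create-task:aws-provisioner-v1/tutorial',
  'queue:rerun-task',
];

// Constructed for illustration: a hypothetical wildcard grant, not a scope
// taken from the page or from any real role configuration.
const heldConstructed = heldEmailLogin.concat(
  ['queue:create-task:aws-provisioner-v1/gecko-1-*']);

// Prints the same "missing scopes from one of the options" breakdown.
missingPerOption(heldEmailLogin, required).forEach((missing, i) =>
  console.log(`Option ${i}: missing ${JSON.stringify(missing)}`));
console.log('email login authorized:', isAuthorized(heldEmailLogin, required));
console.log('constructed grant authorized:', isAuthorized(heldConstructed, required));
```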