Skip to main content
Knowledge Base

Issue with Github oAuth token to install Gruntwork modules for API with Packer

Answer

It's been a while since I've created a new AMI with Packer and I'm having an issue. My packer code has not changed, so that shouldn't be the issue. The issue that I'm having is: ```bash ==> amazon-ebs.ubuntu: 2024-10-09 21:41:05 [INFO] [gruntwork-install] Installing from bash-commons... ==> amazon-ebs.ubuntu: 2024-10-09 21:41:05 [INFO] [gruntwork-install] Downloading module bash-commons from https://github.com/gruntwork-io/bash-commons ==> amazon-ebs.ubuntu: [fetch] time="2024-10-09T21:41:05Z" level=error msg="\nReceived an HTTP 401 Response when attempting to query the repo for its tags.\n\nThis means that either your GitHub oAuth Token is invalid, or that the token is valid but is being used to request access\nto either a public repo or a private repo to which you don't have access.\n\nUnderlying error message:\nReceived HTTP Response 401 while fetching releases for GitHub URL https://api.github.com/repos/gruntwork-io/bash-commons/tags?per_page=100. Full HTTP response: {\"message\":\"Bad credentials\",\"documentation_url\":\"https://docs.github.com/rest\",\"status\":\"401\"}\n\n" ``` I use `eval "$(pass get-github-machine-token)"` first to set the my Github Personal Access token for our machine user to the `GITHUB_OAUTH_TOKEN` variable. This is the command that I use to build the Packer template: ```bash aws-vault exec dev -- packer build openvpn-server.pkr.hcl ``` This is the bit of HCL code that tries to do the installation: ```hcl build { provisioner "shell" { environment_vars = ["GITHUB_OAUTH_TOKEN=${var.github_auth_token}", "BASH_COMMONS_VERSION=v0.1.9", "MODULE_AWS_MONITORING=v0.35.0", "MODULE_SECURITY_VERSION=v0.65.8", "PACKAGE_OPENVPN_VERSION=v0.24.1", "SSH_GRUNT_ROLE_ARN=arn:aws:iam::142450169083:role/allow-ssh-grunt-access-from-other-accounts"] inline = ["gruntwork-install --module-name 'bash-commons' --tag $BASH_COMMONS_VERSION --repo https://github.com/gruntwork-io/bash-commons", "gruntwork-install --module-name 'install-openvpn' --tag $PACKAGE_OPENVPN_VERSION --repo https://github.com/gruntwork-io/terraform-aws-openvpn", "gruntwork-install --module-name 'init-openvpn' --tag $PACKAGE_OPENVPN_VERSION --repo https://github.com/gruntwork-io/terraform-aws-openvpn", "gruntwork-install --module-name 'start-openvpn-admin' --tag $PACKAGE_OPENVPN_VERSION --repo https://github.com/gruntwork-io/terraform-aws-openvpn", "gruntwork-install --module-name 'backup-openvpn-pki' --tag $PACKAGE_OPENVPN_VERSION --repo https://github.com/gruntwork-io/terraform-aws-openvpn", "gruntwork-install --binary-name 'openvpn-admin' --tag $PACKAGE_OPENVPN_VERSION --repo https://github.com/gruntwork-io/terraform-aws-openvpn", "sudo /usr/local/bin/install-openvpn", "gruntwork-install --module-name 'auto-update' --tag $MODULE_SECURITY_VERSION --repo https://github.com/gruntwork-io/terraform-aws-security", "gruntwork-install --module-name 'fail2ban' --tag $MODULE_SECURITY_VERSION --repo https://github.com/gruntwork-io/terraform-aws-security", "gruntwork-install --module-name 'ntp' --tag $MODULE_SECURITY_VERSION --repo https://github.com/gruntwork-io/terraform-aws-security", "gruntwork-install --module-name 'ip-lockdown' --tag $MODULE_SECURITY_VERSION --repo https://github.com/gruntwork-io/terraform-aws-security", "gruntwork-install --binary-name 'ssh-grunt' --tag $MODULE_SECURITY_VERSION --repo https://github.com/gruntwork-io/terraform-aws-security", "sudo /usr/local/bin/ssh-grunt iam install --iam-group bastion-only-ssh-grunt-users --iam-group ssh-grunt-users --iam-group-sudo ssh-grunt-sudo-users --role-arn $SSH_GRUNT_ROLE_ARN", "gruntwork-install --module-name 'agents/cloudwatch-agent' --repo https://github.com/gruntwork-io/terraform-aws-monitoring --tag $MODULE_AWS_MONITORING --module-param aws-region=${var.aws_region}", "gruntwork-install --module-name 'logs/syslog' --repo https://github.com/gruntwork-io/terraform-aws-monitoring --tag $MODULE_AWS_MONITORING"] } } ``` I confirmed that the `GITHUB_OAUTH_TOKEN` is set by echoing it in the Packer template. I also tried a few other Packer templates and got the same result with them Are Personal Access Tokens still supported to authenticate access to the Gruntwork modules? The Personal Access Token has these permission: ![CleanShot 2024-10-09 at 18 34 22@2x](https://github.com/user-attachments/assets/16149fad-c1cb-48df-bdad-a1b8b136bb69) Do you have any ideas why this would not be working? Thank you

The solution involved a few things: 1. Our Github machine user was created before Gruntwork had its developer portal. This Github account didn't have an email associated with it in the developer portal, so it wasn't allowed to be authenticated. 2. We also regenerated the personal access token in GitHub for this user. 3. We updated the permissions for the personal access token in GitHub to include `admin:org -> read:org` and `project`.