prefect: Improve client API behavior when interacting with an unauthorized client api

Current behavior

Authorization of the client api is supposed to happen automatically through tokens specified in environment variables, configs or parameters. When tokens are not provided correctly, the api fails in various ways without telling specifically whats wrong - like a missing or wrong token.

Proposed behavior

Give better guidance on how to fix the underlying problem - failing authentication of the client or agent.

Example

When PREFECT__CLOUD__AUTH_TOKEN isn’t configured, calling agent.register leads to the error prefect.utilities.exceptions.ClientError: Malformed response received from Cloud - please ensure that you have an API token properly configured without telling specifically which token is missing and how to make sure it is provided.
When a token is provided, but the system hasn’t ever been logged on properly, agent.register tries to search for the project using an unauthorized API, thus failing with prefect.utilities.exceptions.ClientError: [{'path': ['project'], 'message': 'field "project" not found in type: \'query_root\'', 'extensions': {'path': '$.selectionSet.project', 'code': 'validation-failed', 'exception': {'message': 'field "project" not found in type: \'query_root\''}}}]

About this issue

Original URL
State: closed
Created 4 years ago
Comments: 16 (1 by maintainers)

Commits related to this issue

Prefect tenant vs runner tokens for registration Base prefect token needs to be for a tenant to allow flow registration, while the agent needs a runner token Re: PrefectHQ/prefect#3384 — committed to gulfofmaine/buoy_barn by abkfenris 3 years ago

Most upvoted comments

I’m then also starting the agent using flow.run_agent().

In order to get everything working from docker (isolated env) I had to:

Provide a tenant token for PREFECT__CLOUD__AUTH_TOKEN
Provide a runner token for PREFECT__CLOUD__AGENT__AUTH_TOKEN
Authenticate using prefect auth login -t ${PREFECT__CLOUD__AUTH_TOKEN}
Then start the script that registers the flow and starts the agent

What a beautiful picture in Azure Container Services towards the end of the week.

The goal was to get a minimal setup running with prefect and great expectations. Done.

lcorneliussen on Sep 24, 2020

I felt like I had the same issue. Simply had the prefect.utilities.exceptions.ClientError: Malformed response received from Cloud - please ensure that you have an API token properly configured error pop up. In my case, I hadn’t made the distinction between RUNNER and TENANT tokens. I tried setting PREFECT__CLOUD__AGENT__AUTH_TOKEN, PREFECT__CLOUD__AUTH_TOKEN individually and then together, but always to the same RUNNER token value, which was my mistake.

And this was only giving an error in the docker container and not on my machine, since I had previously logged in as a USER with prefect auth login.

So for those of you new to Prefect such as myself who might have the same issue, you need a different token for PREFECT__CLOUD__AGENT__AUTH_TOKEN and PREFECT__CLOUD__AUTH_TOKEN, not the same one.

larochew on Oct 19, 2020

I’m then also starting the agent using flow.run_agent().

Ah, for that you’d also need a RUNNER token configured.

Note that you shouldn’t need to do both 1 and 3, doing either 1 or 3 should be sufficient.

Glad to hear you got things working, even though you ran into a few issues. We’ll work to improve our docs and error messages around authentication to simplify this in the future.

jcrist on Sep 24, 2020