Documented API key permissions to create other API keys for ingestion gives 403 Forbidden

[mloskot]

(This is continuation of #2451 about automated/non-interactive API key-based Seq setup in Kubernetes cluster.)

As explained in that other thread, I'm after Connecting without an API key, so I create API key for administrative purposes with the list of permissions from the documentation, with tiny seq-create-apikey-admin.sh:

#!/bin/bash
SEQ_SERVER_URL=https://seq.example.com
SEQ_ADMIN_USER="admin"
SEQ_ADMIN_PASS="My@Password123"

echo $SEQ_ADMIN_PASS |
seqcli apikey create \
  -t CLI \
  --permissions="read,write,project,organization,system" \
  --connect-username $SEQ_ADMIN_USER --connect-password-stdin \
  --server $SEQ_SERVER_URL

Next, I attempt to create API keys for my apps, to configure the logs ingestion from the apps, using a trivial seq-create-apikey-app.sh:

#!/bin/bash
SEQ_ADMIN_APIKEY=HtLqXzJAkXBnUhuiicJm # created with seq-create-apikey-admin.sh
SEQ_SERVER_URL=https://seq.example.com

seqcli apikey list \
  --apikey="${SEQ_ADMIN_APIKEY}" \
  --server="${SEQ_SERVER_URL}"

seqcli apikey create \
  --apikey="${SEQ_ADMIN_APIKEY}" \
  --server="${SEQ_SERVER_URL}" \
  --title="frontend-123" \
  --permissions=Ingest \
  --property="env=dev" \
  --property="app=frontend-123" \

and here is what I'm getting:

What am I doing wrong and why I'm receiving The Seq request failed (403/Forbidden). The operation is not permitted ?

Shouldn't the write permission be sufficient, after https://docs.datalust.co/docs/server-http-api#apiapikeys ?

[liammclennan]

Hi @mloskot

An API key cannot create an API key with a permission that it does not have, so you need to give the first API key the 'Ingest' permission.

[mloskot]

Oh, I see! Thank you @liammclennan for clarifying that subtle yet reasonable requirement.

It seems to me the Connecting without an API key doc is either missing the ingest permission in the --permissions="read,write,project,organization,system" or a note that the ingest may be required, depending what users will consider as the "remaining commands" in the "use the API key token with the remaining seqcli commands".

A side question: Are the permissions guaranteed to be case-insensitive? The script example uses read,write while the endpoints doc uses Read,Write, etc.

[mloskot]

I have proposed docs update in

• docs: Clarify permissions for connecting without the API key #2455