
Comments (7)

latota007 commented on June 4, 2024

@carlosmmatos,
I had FALCON_MEMBER_CID as env var (Layer 8 bug xD). When I removed it I could authenticate successfully using crowdstrike.falcon.auth module. Also, I removed the client_id and client_secret options from the code as you suggested.
Thank you for your support.

carlosmmatos commented on June 4, 2024

Hi @latota007 - thanks for opening up an issue. Can you provide more details such as what the error message is and if you are running this task via localhost (where your ENV vars should be set)?

latota007 commented on June 4, 2024

> Hi @latota007 - thanks for opening up an issue. Can you provide more details such as what the error message is and if you are running this task via localhost (where your ENV vars should be set)?

Hi @carlosmmatos - This is the result of the task (for security reasons I have removed the Customer ID from the output):

fatal: [ze2vmdvawx201.aznp.bancogalicia.com.ar -> localhost]: FAILED! => changed=false
  auth:
    access_token: null
    cloud: null
  errors:
  - code: 403
    message: Failed to generate access token for customer ID= ""
  msg: Failed to generate access token for customer ID= ""

I delegate the task to localhost. The environment vars are set at OS level.

Using the Ansible URI module I can get the token successfully with the same env vars. Below I attach the task using the URI module:

- name: Genero Token (Login)
  uri:
    url: "https://api.crowdstrike.com/oauth2/token"
    validate_certs: no
    method: POST
    status_code: [201]
    headers:
       Content-Type: "application/x-www-form-urlencoded"
       Accept: application/json
    body:
       client_id: "{{ lookup('ansible.builtin.env', 'FALCON_CLIENT_ID') }}"
       client_secret: "{{ lookup('ansible.builtin.env', 'FALCON_CLIENT_SECRET') }}"
    body_format: form-urlencoded
  register: falcon
  delegate_to: localhost
  no_log: True

carlosmmatos commented on June 4, 2024

Sorry for the late response. From the looks of it, it might be a bad MEMBER CID being passed in. Since the second task using the uri module works because you're not using member_cid in it, I'm assuming this is the issue.

Out of curiosity, does it work without passing it in using the auth module? I will test this tomorrow just to confirm and ensure the functionality works with member cid.

carlosmmatos commented on June 4, 2024

@latota007 I tested this out today and it's working fine. Couple things to consider/check:

When using the member_cid option, this is the Child (in your case, customer) CID you want to assume. So then your setup would look as such:

client_id: <parent api client_id>
client_secret: <parent api client_secret>
member_cid: <the child's CID>

Hope this helps. Let me know if you get a chance to test.

latota007 commented on June 4, 2024

> Sorry for the late response. From the looks of it, it might be a bad MEMBER CID being passed in. Since the second task using the uri module works because you're not using member_cid in it, I'm assuming this is the issue.
>
> Out of curiosity, does it work without passing it in using the auth module? I will test this tomorrow just to confirm and ensure the functionality works with member cid.

Carlos, I tried without the "Member CID" option and the problem persists:

- name: Genero Token de Autenticacion especificando el CID
  crowdstrike.falcon.auth:
    client_id: "{{ lookup('ansible.builtin.env', 'FALCON_CLIENT_ID') }}"
    client_secret: "{{ lookup('ansible.builtin.env', 'FALCON_CLIENT_SECRET') }}"
    cloud: "us-1"
  register: falcon
  delegate_to: localhost

fatal: [ze2vmdvawx201.aznp.bancogalicia.com.ar -> localhost]: FAILED! => changed=false
  auth:
    access_token: null
    cloud: null
  errors:
  - code: 403
    message: Failed to generate access token for customer ID=""
  msg: Failed to generate access token for customer ID=""

carlosmmatos commented on June 4, 2024

@latota007 two things:

  1. Can you run it with -vvv? I'm looking to see your invocation.module_args. It would look something like this when not passing in member_cid:
    "invocation": {
        "module_args": {
            "access_token": null,
            "action": "generate",
            "client_id": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "client_secret": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "cloud": "us-1",
            "ext_headers": null,
            "member_cid": null,
            "user_agent": null
        }
    },
  2. Also, make sure you are not using the env variable FALCON_MEMBER_CID. The way the module works is it will use what you have written in the task first; if not, it will check to see if the environment variable is available.

For example, since you already have FALCON_CLIENT_ID and FALCON_CLIENT_SECRET environment variables, you don't even need to specify them in the task (also us-1 is default so you could omit that as well). You can rewrite yours like this and it should work the same:

- name: Genero Token de Autenticacion especificando el CID
  crowdstrike.falcon.auth:
  register: falcon
  delegate_to: localhost

This is because it will check those ENV variables for you.

With that being said, make sure you unset FALCON_MEMBER_CID if it's currently set as an ENV variable for that system.
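
The precedence described in the comment above (task value first, then the FALCON_* environment variable), as an added example that is not part of the thread or the collection's own code: a control-node pre-flight that reports where each auth option would come from and flags a member_cid supplied only by the environment. The function names are hypothetical, and treating a present-but-empty variable as set is an assumption.

```python
import os

# Option name -> environment variable named in this thread.
ENV_FALLBACKS = {
    "client_id": "FALCON_CLIENT_ID",
    "client_secret": "FALCON_CLIENT_SECRET",
    "member_cid": "FALCON_MEMBER_CID",
}


def resolve_auth_sources(task_args, environ=None):
    """Model the precedence described above: task value first, then env var.

    Returns {option: "task" | "env:<NAME>" | "unset"}. Only the source is
    reported, never the value, so the result is safe to paste into a ticket.
    """
    environ = os.environ if environ is None else environ
    sources = {}
    for option, env_name in ENV_FALLBACKS.items():
        if task_args.get(option) is not None:
            sources[option] = "task"
        elif env_name in environ:
            # Assumption: presence alone is flagged; the thread does not say
            # how the module treats a variable that is set but empty.
            sources[option] = "env:" + env_name
        else:
            sources[option] = "unset"
    return sources


def preflight_warnings(sources):
    """Flag the failure mode from this thread: member_cid set only by the env."""
    warnings = []
    if sources["member_cid"].startswith("env:"):
        warnings.append(
            "member_cid comes from FALCON_MEMBER_CID, not from the task; "
            "unset it unless you intend to assume that child CID"
        )
    for option in ("client_id", "client_secret"):
        if sources[option] == "unset":
            warnings.append(option + " is not set in the task or the environment")
    return warnings


if __name__ == "__main__":
    # The task passes nothing, as in the shortened task above, so every
    # option is resolved from the environment of the current shell.
    for line in preflight_warnings(resolve_auth_sources({})):
        print("WARNING:", line)
```

Run it in the same shell that launches ansible-playbook, since the task is delegated to localhost and inherits that environment.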
