When using Concourse in several environments, you’ll eventually end up in a situation where you’re on a remote system (Jumpbox, Docker Container, etc) and need to use
fly to get or set a pipeline, or hijack into a job and troubleshoot a task. This is where things get a bit interesting.
If you are using Concourse 3.x or 4.x and have OAuth configured (Github, CF, etc), when attempting to log in you’ll be met with the following:
fly -t pipes loginlogging in to team 'dev-test' navigate to the following URL in your browser: https://pipes.test.example.com/sky/login?redirect_uri=http://127.0.0.1:43941/auth/callback or enter token manually:
Usually this works perfectly fine, go to the link in a browser,
fly automatically updates the credentials, and it’s good to go. Unfortunately, when using
fly on a remote system, or within a container, the
redirect_uri=http://127.0.0.1:43941/auth/callback won’t work properly as
fly is listening on a random port local to the box it’s running on. This causes the following to occur in the browser and sadness ensues.
Recycle and Reuse
So, how do we fix this?
Looking in the address bar of the browser when redirected to the error page it’ll look something like:
Enclosed in the URL is the bearer token that
fly is expecting. But before copying and pasting it into
fly, it needs to be modified slightly. Change the
Bearer and the rest of the token to a
space character so it looks like:
Then copy that into the terminal where you are authenticating.
While this is a a bit of a pain, the good news is there is a much more user friendly experience in 5.x and above. Upon going to the login page prompted by
fly, if the CLI can’t be contacted by the browser, instead of getting an
Unable to connect error, you’re greeted with a page and a one-click button to copy the properly formatted token to your clipboard as shown below.
But for those of us who are environments with older versions of Concourse, the above solution is a good stop-gap until the shiny new upgrades are rolled out.