I have deployed cube.js via a Helm chart I've created to an AWS EKS cluster. One of the first errors I encountered was that the environment variable CUBEJS_API_SECRET is required. In a docker-compose deployment this secret is automatically generated, but OK, I made an AWS Secrets Manager secret comprised of a random 256-bit string, and synced this with a Kubernetes secret injected into the API service pod as CUBEJS_API_SECRET. I can exec into the API service pod and echo this variable to confirm it is saved correctly.
I am trying to test the deployment by curling the API service:
> $ curl -vvv -H "Authorization: <The API token I generate below>" -G --data-urlencode 'query={"measures":["EventAuthentication.count"]}' localhost:4000/cubejs-api/v1/load
* Trying 127.0.0.1:4000...
* Connected to localhost (127.0.0.1) port 4000 (#0)
> GET /cubejs-api/v1/load?query=%7B%22measures%22%3A%5B%22EventAuthentication.count%22%5D%7D HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.84.0
> Accept: */*
> Authorization: <The API token I generate below>
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 403 Forbidden
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< Content-Type: application/json; charset=utf-8
< Content-Length: 25
< ETag: W/"19-1luTU257I9tvKUXOJotGBQDVDqk"
< Date: Tue, 20 Dec 2022 21:58:05 GMT
< Connection: keep-alive
< Keep-Alive: timeout=5
<
* Connection #0 to host localhost left intact
{"error":"Invalid token"}
I am not quite sure why this token is invalid. I can enter the token and the CUBEJS_API_SECRET at https://jwt.io/ and the website says that the token is valid.
I am following the documentation on generating this token. This is the script I use (exactly as the documentation suggests):
const jwt = require('jsonwebtoken');
const CUBE_API_SECRET = '<the CUBEJS_API_SECRET environment variable>';
const cubejsToken = jwt.sign({}, CUBE_API_SECRET, { expiresIn: '30d' });
console.log(cubejsToken);
I have asked this question of the cube.js Slack organization and no one is responding: what am I missing and why is this token invalid? It appears that I am following the documentation correctly, and I have no further information from pod logs or the response as to why the token is invalid.
A second question is, what even is this CUBEJS_API_SECRET environment variable? The documentation on this is sparse: "The secret key used to sign and verify JWTs. Generated on project scaffold with npx cubejs-cli create."
It requires you to pass in some form of user credentials to be combined with the API secret while generating a jwt token (https://cube.dev/docs/security/context#:~:text=API%20token%20as-,follows,-%3A). Try this: