Unable to use CLI with API Token

[thom4parisot]

$ gandi --version
Gandi CLI 1.2

Copyright: © 2014-2018 Gandi S.A.S.
License: GPL-3

$ uname -a
Darwin brillat-savarin 17.5.0 Darwin Kernel Version 17.5.0: Fri Apr 13 19:32:32 PDT 2018; root:xnu-4570.51.2~1/RELEASE_X86_64 x86_64

I ran the setup and that's what happened:

$ gandi setup
Welcome to GandiCLI, let's configure a few things before we start.

Api key (xmlrpc) [g20u5o...]:
Environnment [production]/ote:
SSH keyfile [~/.ssh/id_rsa.pub]:
Api key (REST) [BTnZGD...]:

I then faced only problems and errors:

$ gandi vm create
Please check that you are connecting to the good api 'https://rpc.gandi.net/xmlrpc/' and that it's running.

😢 welp

$ gandi domain list
Invalid API key, please use 'gandi setup' command.

😢 (I just ran the setup)

I thought it would be easy but I reckon I'm running in circles.

Suggestions

What API key are you talking about?

I got confused at first when I read Production API key for LiveDNS on the security page. I thought it was not the right API key as cli mentions xmlrpc.

At this stage, I no longer understand what's happening. xmlrpc? REST? LiveDNS?
I only wanted to use the CLI 😢

Easier to copy token

[grigouze]

Hello.

The API REST key is only for livedns commands. We have not implemented all other commands yet, hope it will be done soon.

All other commands (except status) use API XMLRPC key.

Thanks for issue and suggestion.

[thom4parisot]

The API REST key is only for livedns commands

Hm, I'm confused:

What I am trying to tell is it's hard to understand who's who when installing the CLI for the first time. Even by reading the documentation step by step.

New concepts are added at CLI setup question without being given a chance to understand.

This feels enough for me:

$ gandi setup
Welcome to GandiCLI :-)

API key [g20u5o...]:
SSH keyfile [~/.ssh/id_rsa.pub]:

And in case we don't have an API key yet:

$ gandi setup
Welcome to GandiCLI :-)

API key (get it from https://account.gandi.net/security):
SSH keyfile:

[marty331]

I'm having the same issue except I cannot log in to v4 to the the API Key as my handle is not found. This is so frustrating. I've opened two different support cases so far and nothing.

[nmarjanovic]

This is not resolved. Same issue on my side as well. Tested v4 and v5, and nothing is working.

[sayoun]

Hello, which commands are you trying to use and what is the error message ? Can you provide an output ?

[nmarjanovic]

I tested both gandi cli and from python interpreter. First case was with gandi setup, with old (v4) key for xmlrpc, and new (v5) for REST. I activated production env on v4 API key settings. But always same old same output.

Api key (xmlrpc) [0J...]: used v4 key (used v5 key here as well just to be sure)
Environnment [production]/ote: production
SSH keyfile [~/.ssh/id_rsa.pub]: 
Api key (REST) [uo****...]: used v5 key 


Invalid API key, please use 'gandi setup' command.

And from python interpreter:

 xmlrpclib.Fault: <Fault 510150: 'Error on object : OBJECT_ACCOUNT (CAUSE_NORIGHT) [Invalid API key]'>

EDIT: I will add command i try to use:
gandi domain list (v4) error message provided before

And same command with v5, but i got it, it's not working "yet" with v5. And as somebody provided that dns part is working, i get "blank" output.

15:30 $ gandi dns list xxxxx.com
Sorry domain xxxx.com does not exist (and i can assure you, it's active domain name)
Please use one of the following: (don't show any other domain)

[jtnystrom]

Just a comment in case someone has the same problem I had. The command "gandi dns" works fine with just a v5 API key. So I can do e.g. gandi dns update, to change the IP of my domain, even though I do not have a v4 key. However, "gandi domain" does not work with just a v5 API key (needs v4) and that confused me at first. This seems to be a separate sub-command from gandi dns.

[nmarjanovic]

Using simple curl actions with v5, is ok +-, using domains requests and not zones for dns settings, but gandi cli, and gandi dns command is not working.

[sayoun]

@nmarjanovic A domain can only be managed either in v4 or v5 but not in both. You must migrate a domain from v4 to LiveDNS so it can be managed in v5.
To see which domain is available for each command group in CLI:

• v4 domain -> gandi domain list
• v5 domain -> gandi dns domain.list

[nmarjanovic]

HI @sayoun

We moved from v4 to v5. And gandi dns domain.list give blank output. I would like to share ttyrec with you, but not here.

[sayoun]

Can you try launching the command with debug options to see if it matches with your curl calls ?
Like this: gandi -vvv dns domain.list

[nmarjanovic]

Sure,

[DEBUG] calling url: GET https://dns.api.gandi.net/api/v5/domains
[DEBUG] with params: {'headers': {'X-Api-Key': 'xxxxxx'}}
[DUMP] responded: []

[sayoun]

If you have domains listed on the v5 website administration>domains>dashboards page and they are marked as using LiveDNS nameservers under the Table View, they should be returned by the CLI/API or curl.

If you can go on #gandi IRC channel on freenode to ask for help from Gandi support, as I cannot check further than this on my side, this way you can give a handle or a domain so it will be faster to debug.

[tleguern]

Same issue with a newly generated API key for xmprpc v3. It seems this key doesn't has the format expected by the server: it has both lower and upper case characters while the server only expects lower case, as shown by this error message.

xmlrp.client.Fault: <Fault 500037: "Error on object : OBJECT_UNKNOWN (CAUSE_BAD_PARAMETER) [string 'myredactedkey' does not match '^[a-z0-9]{24}$']">

[aallrd]

I was trying to use the API to create a mail forward and I had the same issues:

Tool	Error
Gandi CLI	Invalid API key, please use 'gandi setup' command.
XML RPC client	xmlrpc.client.Fault: <Fault 510150: 'Error on object : OBJECT_ACCOUNT (CAUSE_NORIGHT) [Invalid API key]'>

I was using a v5 API token from the https://account.gandi.net/fr/users/user/security admin web page.
I used a v4 API token from https://v4.gandi.net/admin/api_key to make it work.

[jbgraindorge-pubfac]

Same problem here :

$ gandi -vvvv dns domain.list
[DEBUG] calling url: GET https://dns.api.gandi.net/api/v5/domains
[DEBUG] with params: {'headers': {'X-Api-Key': 'XXXXXXXXXXXXXXXX'}}
[DUMP] responded: []

[axelauvinen]

Do you tech people of Gandi have some plans when LiveDNS API will support proper subset of RPC methods? With current features LiveDNS API is not serving enough use cases.

[grigouze]

Hello Axel. What methods are missing for you ? Can you tell us more about your use cases ? Thanks.

…

On Thu, Apr 25, 2019 at 2:48 PM Axel Auvinen ***@***.***> wrote: Do you tech people of Gandi have some plans when LiveDNS API will support proper subset of RPC methods? With current features LiveDNS API is not serving enough use cases. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#255 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAC3WF4LWUE7GBXST53T5XTPSGSCTANCNFSM4E7MQBQQ> .

[nikolaik]

Is this is the place to post priority requests for porting features from the RPC API to the new REST API?

If so, I would like to promote the domains.dnssec.create function which I could use to automate rotating DNSSEC keys provided by my DNS host.

[kalou]

Hi Nikolai, we're glad to take feedback to help prioritize the next features.

On this specific topic what is your DNS host using? Does it support CDS/CDNSKEY rollovers? We have beta support for https://tools.ietf.org/html/draft-ietf-regext-dnsoperator-to-rrr-protocol at cdscheck.gandi.net

On the more general topic of API tokens/keys and CLI usage, I think we need to address this internally, take a few decisions and publish a clear set of guidelines.

[nikolaik]

On this specific topic what is your DNS host using? Does it support CDS/CDNSKEY rollovers? We have beta support for https://tools.ietf.org/html/draft-ietf-regext-dnsoperator-to-rrr-protocol at cdscheck.gandi.net

That's great news. I use dnsimple.com as a DNS host. Do you have any pointers on how to setup CDS/CDNSKEY?

[szepeviktor]

LiveDNS + gandi CLI really does not work:

# gandi -vvv dns domain.list
[DEBUG] calling url: GET https://dns.api.gandi.net/api/v5/domains
[DEBUG] with params: {'headers': {'X-Api-Key': '***'}}
[DUMP] responded: []

[szepeviktor]

I think the response [] is okay as I have a subaccount and our domain names are on the main account.

[quentinDupont]

Same issue here to understand what's going on..

I use this API key (i don't see any other possibility):

With gandi -vvv dns domain.list i manage to get one domain of my account (which is not LiveDNS apparently) :

DEBUG] calling url: GET https://dns.api.gandi.net/api/v5/domains
[DEBUG] with params: {'headers': {'X-Api-Key': '................'}}
[DUMP] responded: [{u'fqdn': u'labellebrulerie.fr', u'domain_records_href': u'https://dns.api.gandi.net/api/v5/domains/labellebrulerie.fr/records', u'domain_href': u'https://dns.api.gandi.net/api/v5/domains/labellebrulerie.fr'}]
labellebrulerie.fr

When i try gandi domain list, i have this error Invalid API key, please use 'gandi setup' command

I never config my account_name, is it normal ?

[Lawouach]

Hi, same issue. I have no idea which key to use when it comes to the XMLRPC API and it is very poorly documented :(

any idea?

[grigouze]

@Lawouach Hi. You can ask to support team about XMLRPC API if you need to.

Go to https://help.gandi.net/en/contact/api/api-start

[Lawouach]

Thanks will do!

[kevin39]

Hi,
V4 website is not available anymore for V5 user. Login form always redirect to the new website.

How to get an API v4 key ?!

Thanks

[Lawouach]

You can't unfortunately. That's the most bizarre way to deprecate an API before it shows up in the newer version. Gandi support is not helping at all either.

[kevin39]

Wtf... I'm very disappointed. I sent a request to Gandi Support (to english & french support), I hope they will help me because I need the key for a professionnal use case :(

Edit : But thanks for your reply !!

[Lawouach]

On my side, after many exchanges, they suggested they could re-enable my old Gandi access to generate one key but I told them this was not a real solution (how do I generate new ones for key management?). Support was nice but candid, finally said they'd contact R&D and never called me back... useless.

[kevin39]

Ok... At least that will help me for short terms use but you'r right, thats a very weird way to deprecate a website.

The most weird info is their last news, they said the V4 API is not closing... Ok but they forgot the key management ?!

[Lawouach]

The even more strange thing is that the new UI uses the REST API to make all the calls I need (TLS management). But it's not available programmatically for users, just for their dashboard... sigh.

[kevin39]

Ok... Thanks a lot for your feedbacks. I hope Gandi will reply me soon :)

[szepeviktor]

On my side, after many exchanges, they suggested they could re-enable my old Gandi access to generate one key

I take the liberty of tweeting just that without "Gandi" and without any links.

[kevin39]

FYI, I forgot to give a feedback.
They helped me quickly. They manually synced my api key (v4/v5 are now using the same key). Everything is working fine now.