Page MenuHomePhabricator

arc install-certificate doesn't work with bot users
Closed, DuplicatePublic


For background on this issue, see my comments on this blog post.

I create a bot user in Phabricator and now I want to set up arc on a remote host to be able to talk to Phabricator as that bot user.

I follow the Arcanist Quick Start guide and see that I need to install a certificate for my bot user as such:

arc install-certificate

The problem is that this command returns some very confusing instructions.

Trying to connect to server...
Open this page in your browser and login to Phabricator if necessary:

Then paste the API Token on that page below.

    Paste API Token from that page:

If I follow these instructions, I end up setting up arc to authenticate as myself and not the bot user, which isn't what I want.

So I go to the settings page for my bot user on Phabricator and copy the Arcanist Certificate on there to paste into arc install-certificate.

When I try that I get:

Usage Exception: The token "tokenlongerthan32charsanddoesntbeginwithcli-..." is not formatted correctly.
API tokens should be 32 characters long. 
Make sure you visited the correct URI and copy/pasted the token correctly.

Apparently, the correct procedure to get arc to authenticate as your bot user is to create an .arcrc file on the remote host you are setting up and fill in these values:

  "hosts": {
    "http:\/\/\/api\/": {
      "user": "my-bot-user",
      "cert": "verylongtokenthatdoesntnecessarilybeginwiththeletterscli"

I only found this out by asking on #phabricator on IRC. It wasn't documented in any obvious place.

This sounds like a flow that could definitely be improved.

Event Timeline

nchammas raised the priority of this task from to Needs Triage.
nchammas updated the task description. (Show Details)
nchammas added a project: Arcanist.
nchammas added a subscriber: nchammas.

I'm just going to merge this into T5955 -- this is going to become:

$ echo {...} | arc call-conduit --conduit-token 'cli-abcdef'

...once that's slightly further along. The version of that which works today is:

  "hosts": {
    "": {
      "token": "cli-shorttokenwhichstartswithcli"

...but in the majority of cases I suspect --conduit-token will be significantly easier to use.

--conduit-token would be the bee's knees for us, managing the .arcrc file with web users, file permissions, and all this other noise is a huge hassle.