Unable to check user permissions: struct field for “__schema” doesn’t exist in any of 1 places to unmarshal

[jeff-clearcover]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request. Searching for pre-existing feature requests helps us consolidate datapoints for identical requirements into a single place, thank you!
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.

---

Overview of the Issue

Atlantis plan and apply comments stopped working after updating to latest image

Reproduction Steps

Deploy with latest image and try to atlantis plan or apply from comments.

Atlantis will have a similar error in logs:

{“level”:“error”,“ts”:“2022-02-28T21:16:21.928Z”,“caller”:“events/command_runner.go:219",“msg”:“Unable to check user permissions: struct field for \“__schema\” doesn’t exist in any of 1 places to unmarshal”,“json”:{},“stacktrace”:“[github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand](http://github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand)\n\[tgithub.com/runatlantis/atlantis/server/events/command_runner.go:219](http://tgithub.com/runatlantis/atlantis/server/events/command_runner.go:219)”}

Logs

Logs

{“level”:“error”,“ts”:“2022-02-28T21:16:21.928Z”,“caller”:“events/command_runner.go:219",“msg”:“Unable to check user permissions: struct field for \“__schema\” doesn’t exist in any of 1 places to unmarshal”,“json”:{},“stacktrace”:“[github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand](http://github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand)\n\[tgithub.com/runatlantis/atlantis/server/events/command_runner.go:219](http://tgithub.com/runatlantis/atlantis/server/events/command_runner.go:219)”}

Environment details

If not already included, please provide the following:

• Atlantis version: latest
• If not running the latest Atlantis version have you tried to reproduce this issue on the latest version: It's latest
• Atlantis flags: The relevant flags are ATLANTIS_GH_ORG=SomeOrg, ATLANTIS_GH_TEAM_ALLOWLIST=someteam:*, ATLANTIS_GH_APP_ID=someappid

Atlantis server-side config file:

---
repos:
  - id: /.*/
    allow_custom_workflows: true
    allowed_overrides:
      - apply_requirements
      - workflow
    apply_requirements:
      - approved
    workflow: default

Repo atlantis.yaml file:

# Empty

Any other information you can provide about the environment/deployment

Using terraform-aws-modules/atlantis/aws

Additional Context

We pinned to v0.18.2 and everything works as expected

[jamengual]

Hi @jeff-clearcover if you leave this as ATLANTIS_GH_TEAM_ALLOWLIST=*:* do you have the same issue?

[jamengual]

@raymondchen625 do you think this could be related to the GraphQl queries?

[raymondchen625]

@raymondchen625 do you think this could be related to the GraphQl queries?

Yes, I found the reason is the v4MutateClient is actually from github.com/Laisky/graphql, not the github.com/shurcooL/githubv4 I used. I'll come up with a fix.

[jamengual]

Amazing thanks @raymondchen625

[chenrui333]

Just made a new release 0.19.2, let me know if the issue still happens, thanks!

[jamengual]

fixed in 0.19.2 release, thanks.

[pantelis-karamolegkos]

I don't think it is fixed, this has turned into the following

 {"level":"error","ts":"2022-03-11T17:39:13.568Z","caller":"events/command_runner.go:219","msg":"Unable to check user permissions: Your token has not been granted the required scopes to execute this query. The 'name' field requires one of the following scopes: ['read:org', 'read:discussion'], but your token has only been granted the: ['repo'] scopes. Please modify your token's scopes at: https://github.com/settings/tokens.","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\t/home/runner/work/atlantis/atlantis/server/events/command_runner.go:219"}

[jamengual]

@pantelis-karamolegkos Atlantis needs access to the org and comments to use this feature, update the permission and see how it goes

[pantelis-karamolegkos]

but this works with 0.18.2 for example

[jamengual]

yes, we needed to change libraries due to a security risk on the previous one, that is why this changed.

[jamengual]

We are testing these changes again since we have discovered that there were changes to the golang Github client that seems to have changed the result of the queries.

I will give an update in the next few days.

[raymondchen625]

I tested release v0.19.2 with the 'read:org', 'read:discussion' scopes granted. It works well. But I found the latest docker base image atlantis-base:2022.03.07 is broken. If we use that, we will get Error: no such file or directory on startup. The latest working image is 2022.02.03.

[jamengual]

@chenrui333 do we have test for the images when they get created? is it possible that is missing something?

@raymondchen625 when you get that error is when is trying to run atlantis binary?

[raymondchen625]

@chenrui333 do we have test for the images when they get created? is it possible that is missing something?

@raymondchen625 when you get that error is when is trying to run atlantis binary?

The binary is fine. Our docker image uses ghcr.io/runatlantis/atlantis-base as base. The latest 2022.03.07 doesn't work. It exits with a file/directory not found error on startup. The 2022.02.03 image works well.

[raymondchen625]

Just verified the base image ghcr.io/runatlantis/atlantis-base:2022.03.07 is basically fine. This change moved the dumb-init from /bin/ to /usr/bin/. My entryopioint script has a shebang line pointing to that. Once I fix that, it works.

[komljen]

I still see the issue with the latest release #2187
Atlantis randomly stops working with the following error when running the plan:

{"level":"error","ts":"2022-04-05T15:33:04.300Z","caller":"events/command_runner.go:219","msg":"Unable to check user permissions: non-200 OK status code: 401 Unauthorized body: \"{\\\"message\\\":\\\"Bad credentials\\\",\\\"documentation_url\\\":\\\"https://docs.github.com/graphql\\\"}\"","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:219"}

A restart of the pod fixes it, but it breaks again after some time.

[jamengual]

randomly as in it was working and all of the sudden it just does not work?

…

On Fri., Apr. 29, 2022, 6:07 a.m. Alen Komljen, ***@***.***> wrote: I still see the issue with the latest release #2187 <#2187> Atlantis randomly stops working with the following error when running the plan: {"level":"error","ts":"2022-04-05T15:33:04.300Z","caller":"events/command_runner.go:219","msg":"Unable to check user permissions: non-200 OK status code: 401 Unauthorized body: \"{\\\"message\\\":\\\"Bad credentials\\\",\\\"documentation_url\\\":\\\"https://docs.github.com/graphql\\\"}\"","json":{},"stacktrace":"github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand\n\tgithub.com/runatlantis/atlantis/server/events/command_runner.go:219 <http://github.com/runatlantis/atlantis/server/events.(*DefaultCommandRunner).RunCommentCommand%5Cn%5Ctgithub.com/runatlantis/atlantis/server/events/command_runner.go:219>"} — Reply to this email directly, view it on GitHub <#2090 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAQ3ERAVRP2OEDKBDCEBB2TVHPNI5ANCNFSM5PSLLZHA> . You are receiving this because you modified the open/close state.Message ID: ***@***.***>

[komljen]

Works at pod start for some time, then it starts throwing the error. After that, I have to restart the pod again, and so on.

[raymondchen625]

We have been running on Atlantis v0.19.2 since Mar 14, 2022. Never had such problems. We are on ECS instead of K8s but I don’t think that matters. Since the error is on permission, do you rotate your credentials? How are the credentials injected to the environment?

…

On Fri, Apr 29, 2022 at 12:22 Alen Komljen ***@***.***> wrote: Works at pod start for some time, then it starts throwing the error. After that, I have to restart the pod again, and so on. — Reply to this email directly, view it on GitHub <#2090 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACXY4USFDY47GMOF7DCZFLVHQEF3ANCNFSM5PSLLZHA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[komljen]

Yeah, I don't think env matters much. We don't rotate credentials. This is our config:

disable-apply-all: true
enable-diff-markdown-format: true
enable-regexp-cmd: true
gh-app-id: <ID>
gh-app-key-file: /atlantis/gh-app-key-file.pem
gh-app-slug: atlantis-faire
gh-org: Faire
gh-team-allowlist: "*:plan,*:unlock,backend-platform:*,data-infra:*"
gh-webhook-secret: <SECRET>
hide-prev-plan-comments: true
write-git-creds: true

Every part of Atlantis works fine, except when we add add gh-team-allowlist.

[jamengual]

@komljen does the atlantis user have read:org permissions?

[komljen]

Do you mean on the Atlantis GitHub app? I had to add read permissions to organization members.
Otherwise, it would throw a different error.

Also tried to add read to the whole organization, but didn't make any difference.

[jamengual]

yes, the wide org:read permission.

it is weird that works and then dies randomly, we have not seen reports of that in particular.

can you open a new issue about this with this error? this issue is supposed to be closed because it was fixed with Raymond's changes, and the other issue you reported is related to the same fix.

the new issue is : Unable to check user permissions: non-200 OK status code: 401 Unauthorized body:

[plutino]

I experienced the same problem: it works right after pod restart, and stop working after an hour or so with the same permission error. Is there a new issue for this already?

[jamengual]

#2187

[jamengual]

maybe related to : https://github.community/t/does-exceeding-github-api-rate-limit-cause-bad-credentials-401-error/14479/3

[plutino]

Thanks. Rate limit is less likely the cause for us because we are still testing atlantis and GitHub. There isn't really much API calls.