Service Accounts: failed to DecodeSACCredentials: failed to DeserializeServiceAccountAuthToken

Ok apparently my bash-fu wasn't so strong.. Here's what I was doing wrong:

In order to populate the OP_SERVICE_ACCOUNT_TOKEN variable, I had stored the service token in a file (marked rw only for the user to keep it secret) and then I was running export OP_SERVICE_ACCOUNT_TOKEN=$(cat .service-account-token).

The problem with this is that cat seems to have been spitting out ^[[0m escape sequences at the beginning and the end of its output...and those are bytes that throw off op!

To fix this, I just changed my export statement to export OP_SERVICE_ACCOUNT_TOKEN=$(<.service-account-token) and everything seems to be golden now.

I am also having this issue, but neither OP_CONNECT_TOKEN nor OP_CONNECT_HOST are set and I've also tried rotating the token several times (using the new one each time), still getting the same error...

What's the best way to debug this? I tried the --debug flag but didn't get much other information:


$ if [ -z "${OP_CONNECT_TOKEN}" ]; then echo "OP_CONNECT_TOKEN is unset."; else echo "OP_CONNECT_TOKEN is set."; fi
OP_CONNECT_TOKEN is unset.
$ if [ -z "${OP_CONNECT_HOST}" ]; then echo "OP_CONNECT_HOST is unset."; else echo "OP_CONNECT_HOST is set."; fi
OP_CONNECT_HOST is unset.
$ echo $OP_SERVICE_ACCOUNT_TOKEN|wc -c
861
$ op user get --me
[ERROR] 2023/12/30 17:21:52 failed to DecodeSACredentials: failed to DeserializeServiceAccountAuthToken, unrecognized auth type
$ op --debug user get --me
5:21PM | DEBUG | Skipped loading desktop app settings file. The desktop app might not be installed: read file: lstat /root/.config/1Password/settings/settings.json: no such file or directory
[ERROR] 2023/12/30 17:21:58 failed to DecodeSACredentials: failed to DeserializeServiceAccountAuthToken, unrecognized auth type


(As you can see from the debug message I'm trying this as root, but I also tried it as non-root just to make sure this wasn't the issue and I saw the same behavior...)

I had this same problem because I accidently used the Connect server access token instead of the service account token. Go to the Integration settings, click the Directory tab, and then click the Other button to get to where you actually create a service account.

Hi @seminal, that's an indicator that the Service Account token being used is not valid. Could you ensure that you have the token being used is latest/not revoked?

Best,
Arun