CircleCI API returns "permission denied"

I’m trying to get, add and delete environment variables with the CircleCI API with curl.
I’ve created a personal API token and made sure that I have the correct role in GitHub (owner).

The response for
curl -u <token> https://circleci.com/api/v1.1/me
is working fine.
The following is also working fine
curl -u <token> https://circleci.com/api/v1.1/project/github/username/projectname

I have no trouble listing all projects.

But when I try to do anything (get, add, delete) with environment variables I get the response ‘Permission denied’.
For example when calling
curl -u <token> https://circleci.com/api/v1.1/project/github/username/projectname/envvar
or
curl -u <token> https://circleci.com/api/v1.1/project/github/username/projectname/envvar/nameofvar
etc…

I’m having a hard time figuring out what I’m doing wrong. I can edit the env vars in the CircleCI UI, so it’s weird I can’t do it here.

Any ideas?
Thanks

Hi @MrHjalmarsson,

Welcome to the CircleCI community!

Do the environment variables in question appear in the UI on the “Project Settings > Environment Variables” page (https://app.circleci.com/settings/project/github/username/projectname/environment-variables)?

If so, is the username returned by curl -u <token>: https://circleci.com/api/v1.1/me the one you’re logged into the UI as?

Hi @yannCI!
Thanks for replying!

Yes, the variables are present in the UI, and yes, the correct user is returned.

Hi @MrHjalmarsson,

I was able to reproduce this behaviour in 2 different ways:

  1. By using a project API token with a non-Admin scope.

  2. By using a project API token generated under another project.

Either way, I suspect the API token you’re using is a project token rather than a personal token.

Is the token you’re using listed under https://app.circleci.com/settings/user/tokens? Or under the https://app.circleci.com/settings/project/github/username/projectname/api?

In the latter case, is the scope set to “Admin”? If so, are you using this token to send API requests for the same project?

Hi @yannCI!
I’ve made sure (and tested again now) that I’m either using a personal token or using a project token with scope ‘Admin’ under the correct project.
Both return permission denied when calling /envar, but fine for /me or /username/projectname etc.
I’ve also made sure that I have admin rights in GitHub.

Thanks for the prompt reply, @MrHjalmarsson!

I also reproduced the behaviour by using a personal API token from a user who hasn’t access to the GitHub repository.

As you confirmed the token you use was generated for a user who has sufficient access in GitHub, I suspect permissions in CircleCI and GitHub are out of sync.

Could you try refreshing permissions?

If the issue persists after that, please perform a full re-authentication.

Let me know how it goes.

@yannCI, thanks for replying!

I’ve tried both refreshing permissions and performing a full re-authentication, but with no success.
Can still get all user and project details but no access to /envvar.

Could it have something to do with my user being listed as an organization in the “ORGANIZATIONS” tab in the left header?
I see the following in that tab:
Organizations
GH
GH

@MrHjalmarsson,

At this stage, I need to look further into your CircleCI account information.

Could you please open a Support request and reference this CircleCI Discuss post?

Yes, sure!
Thank you for helping out, @yannCI!

Ticket received! Thanks @MrHjalmarsson.

I’m working on it.

@yannCI , Thanks!

Hi @MrHjalmarsson,

Closing the loop in this thread in case another user encounters the same situation.

It appeared that:

  • There were two separate projects with the same name under two organizations
  • You were using the project API token generated for organization_1/the_project in the API call related to organization_2/the_project

Hence the permissions denied response.

Once again, I’d like to thank you for your commendable cooperation and patience throughout the investigation.

Happy building!
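
A way to check which organization a token is actually accepted for when two projects share a name, as in the resolution above. This is an added example, not part of the thread and not CircleCI's code; the function names, the `CIRCLE_TOKEN` variable and the script name are assumptions, and the endpoint is the v1.1 `envvar` URL used earlier in the thread.

```shell
#!/bin/sh
# Added diagnostic example (hypothetical helper names, not CircleCI tooling).
# Probes GET /api/v1.1/project/<vcs>/<org>/<project>/envvar for each candidate
# organization with one token and reports where the token is accepted.

API_BASE="https://circleci.com/api/v1.1"

# envvar_status TOKEN VCS ORG PROJECT -> prints the HTTP status code only.
envvar_status() {
    # The token is passed to curl on stdin (-K -) so it never shows up in the
    # process list or shell history; the response body is discarded.
    printf 'user = "%s:"\n' "$1" |
        curl -sS -K - -o /dev/null -w '%{http_code}' \
            "$API_BASE/project/$2/$3/$4/envvar"
}

# token_scope TOKEN VCS PROJECT ORG... -> one "org/project status verdict"
# line per organization. Returns 0 if at least one organization accepted the
# token for environment-variable access, 1 otherwise.
token_scope() {
    ts_token=$1 ts_vcs=$2 ts_project=$3
    shift 3
    ts_found=1
    for ts_org in "$@"; do
        # A transport failure is reported as status 000.
        ts_code=$(envvar_status "$ts_token" "$ts_vcs" "$ts_org" "$ts_project") || ts_code=000
        if [ "$ts_code" = 200 ]; then
            ts_found=0
            echo "$ts_org/$ts_project $ts_code token-accepted"
        else
            echo "$ts_org/$ts_project $ts_code denied-or-missing"
        fi
    done
    return "$ts_found"
}

# Usage: CIRCLE_TOKEN=... sh check_scope.sh github projectname org_1 org_2
if [ "$#" -ge 3 ]; then
    token_scope "${CIRCLE_TOKEN:?set CIRCLE_TOKEN}" "$@"
fi
```

A token that is accepted for one organization's project and denied for the identically named project in another is the mismatch described in this thread.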
