Circleci api returns "permission denied"

I’m trying to get, add and delete environment variables with the Circleci API with curl.
I’ve created a personal API token and made sure that I’ve the correct role in Github (owner).

The response for
curl -u <token> https://circleci.com/api/v1.1/me
is working fine.
The following is also working fine
curl -u <token> https://circleci.com/api/v1.1/project/github/username/projectname

I have no trouble to list all projects.

But when I try to do anything (get, add, delete) with environment variables I get the response ‘Permission denied’.
For example when calling
curl -u <token> https://circleci.com/api/v1.1/project/github/username/projectname/envvar
or
curl -u <token> https://circleci.com/api/v1.1/project/github/username/projectname/envvar/nameofvar
etc…

I’m having a hard time figuring out what I’m doing wrong. I can edit the env vars in the CircleCI ui so it’s weird I can’t do it here.

Any ideas?
Thanks

Hi @MrHjalmarsson,

Welcome to the CircleCI community!

Do the environment variables in question appear in the UI on the “Project Settings > Environment Variables” page (https://app.circleci.com/settings/project/github/username/projectname/environment-variables)?

If so, is the username returned by curl -u <token>: https://circleci.com/api/v1.1/me the one you’re logged into the UI as?

Hi @yannCI!
Thanks for replying!

Yes the variables is present in the UI and yes the correct user is returned

Hi @MrHjalmarsson,

I was able to reproduce this behaviour in 2 different ways:

  1. By using a project API token with a non-Admin scope.

  2. By using a project API token generated under another project.

Either way, I suspect the API token you’re using is a project token rather than a personal token.

Is the token you’re using listed under https://app.circleci.com/settings/user/tokens? Or under the https://app.circleci.com/settings/project/github/username/projectname/api?

In the latter case, is the scope set to “Admin”? If so, are you using this token to send API requests for the same project?

Hi @yannCI!
I’ve made sure (and tested again now) that I’m either using a personal token or using a project token with scope ‘Admin’ under the correct project.
Both returns permission denied when calling /envar, but fine for /me or /username/projectname etc.
I’ve also made sure that I have admin rights in github.

Thanks for the prompt reply, @MrHjalmarsson!

I also reproduced the behaviour by using a personal API token from a user who hasn’t access to the GitHub repository.

As you confirmed the token you use was generated for a user who has sufficient access in GitHub, I suspect permissions in CircleCI and GitHub are out of sync.

Could you try refreshing permissions?

If the issue persists after that, please perform a full re-authentication.

Let me know how it goes.

@yannCI, thanks for replying!

I’ve tried both to refresh permission and performed a full re-authentication but no success.
Can still get all user and project details but no access to /envvar.

Could it have something to do with that my user is listed as an organization in the “ORGANIZATIONS” tab in the left header?
I see following in that tab:
Organizations
GH
GH

@MrHjalmarsson,

At this stage, I need to look further into your CircleCI account information.

Could you please open a Support request and reference this CircleCI Discuss post?

Yes, sure!
Thank you for helping out, @yannCI!

Ticket received! Thanks @MrHjalmarsson.

I’m working on it.

@yannCI , Thanks!

:wave: Hi @MrHjalmarsson,

Closing the loop in this thread in case another user encounters the same situation.

It appeared that:

  • There were two separate projects with the same name under two organizations
  • You were using the project API token generated for organization_1/the_project in the API call related to organization_2/the_project

Hence the permissions denied response.

Once again, I’d like to thank you for your commendable cooperation and patience throughout the investigation.

Happy building! :slightly_smiling_face: