After enabling HTTPS with type offload I get 403 errors like:
```
API request failed (403): Action is not authorized with current scopes; requires any of [delete:servers]
```
on certain hub requests (while setting up a notebook instance or trying to stop a server) when I activate https offloaded to the AWS load balancer.
Checking on the hub pod logs I see this message:
```
[W 2023-02-23 17:35:19.725 JupyterHub base:89] Blocking Cross Origin API request. Referer: https://domain.com/hub/home, Host: domain.com, Host URL: http://domain.com/hub/
[W 2023-02-23 17:35:19.726 JupyterHub scopes:804] Not authorizing access to /hub/api/users/xxx/server. Requires any of [delete:servers], not derived from scopes []
[W 2023-02-23 17:35:19.726 JupyterHub web:1796] 403 DELETE /hub/api/users/xxx/server (::ffff:1.2.3.4): Action is not authorized with current scopes; requires any of [delete:servers]
[W 2023-02-23 17:35:19.727 JupyterHub log:186] 403 DELETE /hub/api/users/xxx/server (@::ffff:1.2.3.4) 3.60ms
```
So it seems the error behind the 403 is a CORS issue because of the HTTPS.
I’m using an EKS cluster in AWS set up following zero-to-jupyterhub instructions. The proxy config is:
```yaml
https:
  enabled: true
  type: offload
service:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:..."
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
```
As described here.
My setup is working if I use a letsencrypt certificate. It also works well when accessing with http.
I tried several ways to override the CORS as described in several similar issues without luck. What’s missing in the setup to allow for an offloaded https certificate?
Thanks!
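
A triage helper for the warning quoted in the post above, as an added example (not part of the original post and not JupyterHub's own code): it parses the `Blocking Cross Origin API request` lines and reports whether the Referer and the Host URL differ only in scheme, as in the logged line (https Referer, http Host URL), or in host. The function names and the third sample line (`other.example`) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Lines 1-2 are the warnings quoted in the post; line 3 is constructed
# to show a genuinely cross-site Referer for contrast.
SAMPLE_LOG = """\
[W 2023-02-23 17:35:19.725 JupyterHub base:89] Blocking Cross Origin API request. Referer: https://domain.com/hub/home, Host: domain.com, Host URL: http://domain.com/hub/
[W 2023-02-23 17:35:19.726 JupyterHub scopes:804] Not authorizing access to /hub/api/users/xxx/server. Requires any of [delete:servers], not derived from scopes []
[W 2023-02-23 17:40:02.101 JupyterHub base:89] Blocking Cross Origin API request. Referer: https://other.example/page, Host: domain.com, Host URL: http://domain.com/hub/
"""

# Field layout taken from the warning text shown in the post.
BLOCKED = re.compile(
    r"Blocking Cross Origin API request\.\s+Referer: (?P<referer>\S+), "
    r"Host: (?P<host>\S+), Host URL: (?P<host_url>\S+)"
)


def classify(referer, host_url):
    """Say which part of the origin differs between Referer and Host URL."""
    ref, hub = urlsplit(referer), urlsplit(host_url)
    same_host = (ref.hostname or "") == (hub.hostname or "")
    same_scheme = ref.scheme.lower() == hub.scheme.lower()
    if same_host and not same_scheme:
        # Browser spoke HTTPS, hub believes the request arrived over HTTP:
        # the pattern seen when TLS ends in front of the hub.
        return "scheme-mismatch"
    if not same_host:
        return "host-mismatch"
    return "other"  # same scheme and host; compare port and path by hand


def triage(log_text):
    """Return (referer, host_url, verdict) for every blocked request."""
    findings = []
    for line in log_text.splitlines():
        m = BLOCKED.search(line)
        if m:
            verdict = classify(m["referer"], m["host_url"])
            findings.append((m["referer"], m["host_url"], verdict))
    return findings


if __name__ == "__main__":
    for referer, host_url, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:16} referer={referer} host_url={host_url}")
```
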