Impossible to configure auth for sentry-cli on sentry for nextjs

[rsereir]

Is there an existing issue for this?

• I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
• I have reviewed the documentation https://docs.sentry.io/
• I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which package are you using?

@sentry/nextjs

SDK Version

6.19.6

Framework Version

No response

Link to Sentry event

No response

Steps to Reproduce

1. Push commit on gitlab
2. CI/CD trigger
3. yarn build

Expected Result

Build should be OK without any auth token for sentry-cli ( why sentry-cli is included in sentry nextjs ? )

Actual Result

W: Sentry CLI Plugin: Command failed: /app/node_modules/@sentry/cli/sentry-cli releases new V8ns9KjkQDtMyhaaAtVxo
W: error: API request failed
W:   caused by: sentry reported an error: Authentication credentials were not provided. (http status: 401)

[smeubank]

Build should be OK without any auth token for sentry-cli ( why sentry-cli is included in sentry nextjs ? )

Is your issue possibly related or same as this issue we are working on at the moment? #3865

[rsereir]

@smeubank Hey, thanks for your answer

It's maybe related to #3865 because if sentry-cli is moved to dev dependencies, it's solve my issue. But in #3865 nothing about authentication error on production

[smeubank]

someone from the team can have a look at it, I don't know for sure, but I would hope if removing cli from build this would become a non-top

Could you try out the beta release for V7 and let me know if that works, we want to make sure we get the right fix out

[rsereir]

@smeubank Same error with 7.0 beta 0

[msafi]

Is moving sentry-cli to devDependencies a valid workaround for this issue? I've finished setting up Sentry for my app and am being blocked by this issue, so I'm wondering if that's a valid workaround. Thanks!

[lforst]

Hi, this is a known issue we want to fix very very soon. Blocking people's next build is not ok.

For now, please set the following environment variables in your CI:

• SENTRY_ORG
• SENTRY_PROJECT
• SENTRY_AUTH_TOKEN (You can find the token here - make sure it has the project:releases scope)

More information on those settings: https://docs.sentry.io/product/cli/configuration/#to-authenticate-manually

[msafi]

@lforst Thanks for your attention to this.

The values you mentioned were already set in my Vercel configurations by the Sentry Vercel integration button.

But when I reviewed the values again, I found that the SENTRY_AUTH_TOKEN wasn't being set in the Development and Preview environments on Vercel. It's only set in production. I enabled it for Development and Preview and now the build seems to work. I also added @sentry/cli to the dev dependencies. Without it, the build complained about missing @sentry/cli 🤷

[smeubank]

thanks for helping out @lforst ! 🌮

@msafi your issue is resolved then?

[msafi]

@smeubank as far as i can tell. yes!

[rsereir]

Perfect for me too ! Thanks @lforst :)

[aafnnp]

Hi, this is a known issue we want to fix very very soon. Blocking people's next build is not ok.

For now, please set the following environment variables in your CI:

• SENTRY_ORG
• SENTRY_PROJECT
• SENTRY_AUTH_TOKEN (You can find the token here - make sure it has the project:releases scope)

More information on those settings: https://docs.sentry.io/product/cli/configuration/#to-authenticate-manually

Have you made any progress for this?

[lforst]

@Manonicu sadly no. Our priorities currently lie somewhere else but we have a bigger internal meeting coming up with all of the SDK teams to find a solution and behavior that will determine how this works in the future.

We're tracking the issue for JS SDKs here: getsentry/sentry-webpack-plugin#379

Btw, PRs over at https://github.com/getsentry/sentry-webpack-plugin are always welcome! Helps us get this out the door faster!

[abineetds]

I can't find a way to be able to store my auth token in a secret manager like Google Secret Manager and then pull it down and set it when the application starts up. This is frustrating because we should check this token into VCS and setting it in the environment variable for me (I'm using docker to containerize my app) is a less sustainable pattern. Is there any way to set this token when calling Sentry.init()

[lforst]

@abineetds No, but it is also not necessary to pass this token to Sentry.init(). The auth token is soley used for release creation and sourcemap upload, which should be done when the application is built not when it is started.

Can you try using these options to disable the webpack plugin when the application is started inside the container? You should not use these options when building your Docker image because that's probably the moment you want to upload the source maps.

[abineetds]

@lforst Thank you! I figured out a way to set the environment variable on the build step!

[lforst]

@abineetds Awesome. If you have any feedback on how we could have made this whole thing smoother for you, let us know!

[JonahElbaz]

@lforst Thank you! I figured out a way to set the environment variable on the build step!

Hey, i'm currently unable to figure it out. Mind sharing how you did it?

[ian]

For anyone who got this far, here's the solution that worked for us:

1. Add the SENTRY_AUTH_TOKEN secret to your repository secrets. NOT your environment secrets. If you add it to environment it will not work.
2. Add the env var to the build command, similar to this:

name: Build Next.js
on: [push]
jobs:
  smoke:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Install dependencies
        run: npm install

      - name: Build
        run: npm run build
        env: 
          SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}

[barnabycollins-s2z]

Hey there - any progress on this? Why is an auth token even needed - surely just a DSN should be enough?

I'm working on a Next.js project which is routinely built:

• On many developers' local machines
• In CI
• In deploy pipelines across several different environments.

Having to provide an auth token for every developer, CI job and deployed environment seems like a massive headache when our backend just authorises with a DSN that we can commit to VCS. Is there no way we can just pass in some token that we can commit, or enable Sentry only on deployed environments so it doesn't block builds in local & CI?

[barnabycollins-s2z]

For those viewing this issue after me: I personally worked around it by only including Sentry conditionally in next.config.js. For example:

const nextConfig = {
  // Original Next.js config
};

const { withSentryConfig } = require("@sentry/nextjs");

const sentryExports = {
  ...nextConfig,

  sentry {
    // Sentry config
  }
};

const sentryWebpackPluginOptions = {
  // Sentry Webpack config
};

if (process.env.ENABLE_SENTRY) console.log("Building frontend with Sentry enabled...");

module.exports = process.env.ENABLE_SENTRY
  ? withSentryConfig(sentryExports, sentryWebpackPluginOptions)
  : nextConfig;

This effectively disables Sentry unless the ENABLE_SENTRY environment variable is set. I then set that environment variable in deploy builds only, leaving it unset in local dev copies and CI. This feels like the most sensible solution, because we only want Sentry active in the deployed copies anyway. It also still allows for local testing of the Sentry integration if required - the developer just needs to export SENTRY_AUTH_TOKEN and ENABLE_SENTRY appropriately.