Apigee apigeecli 401 (token expired) in CI
apigeecli reached the Apigee management API but was rejected with 401. The Google OAuth access token it used is missing, expired, or belongs to a service account without Apigee permissions.
What this error means
apigeecli fails with "401 Unauthorized" or "Request had invalid authentication credentials. Expected OAuth 2 access token" while the org and env names are correct.
Error 401: Request had invalid authentication credentials. Expected OAuth 2 access token,
login cookie or other valid authentication credential.
Common causes
No fresh access token was provided
apigeecli ran without -t and without a valid gcloud token, so the management API got an anonymous or stale request.
The service account lacks Apigee roles
The token authenticated but the principal has no Apigee API Admin role, so management calls are rejected.
How to fix it
Pass a fresh access token
- Authenticate the service account and mint a current access token.
- Pass it to apigeecli with
-t, or let the CLI readAPIGEE_TOKEN. - Re-run the command; the 401 should clear.
export APIGEE_TOKEN=$(gcloud auth print-access-token)
apigeecli apis list --org "$ORG" -t "$APIGEE_TOKEN"Grant the service account Apigee roles
For a persistent 401/403, give the deploy service account the Apigee API Admin role so management calls are authorized.
gcloud projects add-iam-policy-binding "$PROJECT" \
--member="serviceAccount:$SA_EMAIL" \
--role="roles/apigee.apiAdmin"How to prevent it
- Mint a fresh access token in each CI run; tokens are short-lived.
- Grant the deploy service account least-privilege Apigee roles.
- Keep service account keys or workload identity in CI secrets.