deck sync HTTP 401 (RBAC token) in CI
decK reached the Kong Admin API but was rejected with 401. Kong Enterprise RBAC is enabled and decK sent no valid Kong-Admin-Token, so the request is unauthorized.
What this error means
deck gateway sync fails with "HTTP status 401 (message: Unauthorized)" or "Invalid credentials" while the Admin URL itself is reachable.
deck
Error: failed to sync: HTTP status 401 (message: "Unauthorized")
Common causes
No RBAC token sent to the Admin API
RBAC is on but decK ran without --kong-admin-token, so the request is anonymous and rejected.
The token is wrong or lacks workspace access
A stale or workspace-scoped token cannot administer the target workspace, so Kong returns 401.
How to fix it
Pass the RBAC token from a secret
- Store the Kong admin token as a CI secret.
- Pass it to decK with
--kong-admin-tokenor theDECK_KONG_ADMIN_TOKENenv var. - Re-run sync and confirm the 401 clears.
Terminal
deck gateway sync kong.yaml \
--kong-addr https://kong-admin.example.com \
--kong-admin-token "$KONG_ADMIN_TOKEN"Set the token via env in the workflow
Expose the token as an environment variable so decK picks it up without echoing it on the command line.
.github/workflows/ci.yml
env:
DECK_KONG_ADMIN_TOKEN: ${{ secrets.KONG_ADMIN_TOKEN }}How to prevent it
- Keep the Kong admin token in CI secrets, never in committed config.
- Grant the token access to the exact workspace decK targets.
- Rotate the token on a schedule and update the secret in one place.
Related guides
deck "could not parse state file" / validation failed in CIFix decK "could not parse state file" / "validation failed" in CI - the Kong declarative YAML is malformed or…
Apigee apigeecli 401 (token expired) in CIFix apigeecli "401 Unauthorized" / "Request had invalid authentication credentials" in CI - the OAuth access…
deck "schema violation" in plugin config in CIFix decK "schema violation" on a Kong plugin config in CI - a plugin field is unknown, the wrong type, or req…