Spinnaker "spin" CLI 401 Unauthorized in CI
The spin CLI reached the Gate API but the request was rejected with 401. Gate is up; the credentials or config the CLI presented were missing, wrong, or not accepted for that endpoint.
What this error means
A CI step running spin pipeline execute or spin application list fails with "Error: Unauthorized" or a 401 from the Gate URL, while unauthenticated health checks succeed.
Error: encountered an error executing pipeline:
Get "https://gate.example.com/pipelines": 401 UnauthorizedCommon causes
Missing or wrong spin config credentials
The ~/.spin/config in CI lacks a valid auth block (OAuth token, x509 cert, or basic auth), so Gate rejects the request.
The credential lacks access to the resource
The identity authenticated but is not authorized for that application or pipeline in Gate/Fiat.
How to fix it
Provide valid credentials to spin in CI
- Write a
~/.spin/configwith the correct auth for your Gate. - Inject tokens/certs from CI secrets, never commit them.
- Re-run the spin command against Gate.
mkdir -p ~/.spin
cat > ~/.spin/config <<'EOF'
gate:
endpoint: https://gate.example.com
auth:
enabled: true
x509:
certPath: $CERT_PATH
keyPath: $KEY_PATH
EOFGrant the identity access in Fiat
For a persistent 401/403, confirm the authenticated principal has read/write access to the application and pipeline in Spinnaker authz.
How to prevent it
- Store spin credentials in CI secrets and render config at runtime.
- Grant least-privilege access to the applications spin touches.
- Rotate tokens/certs and update the secret in one place.