Skip to content
Latchkey

Spinnaker "spin" CLI 401 Unauthorized in CI

The spin CLI reached the Gate API but the request was rejected with 401. Gate is up; the credentials or config the CLI presented were missing, wrong, or not accepted for that endpoint.

What this error means

A CI step running spin pipeline execute or spin application list fails with "Error: Unauthorized" or a 401 from the Gate URL, while unauthenticated health checks succeed.

Spinnaker
Error: encountered an error executing pipeline:
Get "https://gate.example.com/pipelines": 401 Unauthorized

Common causes

Missing or wrong spin config credentials

The ~/.spin/config in CI lacks a valid auth block (OAuth token, x509 cert, or basic auth), so Gate rejects the request.

The credential lacks access to the resource

The identity authenticated but is not authorized for that application or pipeline in Gate/Fiat.

How to fix it

Provide valid credentials to spin in CI

  1. Write a ~/.spin/config with the correct auth for your Gate.
  2. Inject tokens/certs from CI secrets, never commit them.
  3. Re-run the spin command against Gate.
Terminal
mkdir -p ~/.spin
cat > ~/.spin/config <<'EOF'
gate:
  endpoint: https://gate.example.com
auth:
  enabled: true
  x509:
    certPath: $CERT_PATH
    keyPath: $KEY_PATH
EOF

Grant the identity access in Fiat

For a persistent 401/403, confirm the authenticated principal has read/write access to the application and pipeline in Spinnaker authz.

How to prevent it

  • Store spin credentials in CI secrets and render config at runtime.
  • Grant least-privilege access to the applications spin touches.
  • Rotate tokens/certs and update the secret in one place.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →