Skip to content
Latchkey

Kubernetes "You must be logged in to the server (Unauthorized)" in CI

401 Unauthorized means authentication failed - the API server does not recognize the credential at all (vs 403 Forbidden, where it knows you but you lack permission). In CI this is a bad/expired/empty token or a credential the cluster does not map to any identity.

What this error means

kubectl returns error: You must be logged in to the server (Unauthorized). kubectl auth whoami also fails.

kubectl
error: You must be logged in to the server (Unauthorized)

Common causes

Invalid or unknown credential

The token/cert is malformed, revoked, or for a different cluster/identity provider, so authentication fails outright.

EKS aws-auth / IAM mapping missing

On EKS the IAM principal is authenticated by AWS but not mapped in aws-auth, surfacing as auth failure for the CI identity.

How to fix it

Verify identity and regenerate auth

Confirm who you are and refresh the credential.

Terminal
kubectl auth whoami
aws sts get-caller-identity      # EKS
aws eks update-kubeconfig --name <cluster> --region <region>

Fix the credential or identity mapping

  1. Provide a valid, non-expired token/exec-credential for the right cluster.
  2. On EKS, ensure the CI IAM role is in the aws-auth ConfigMap / access entries.
  3. Re-run and confirm authentication succeeds before authorization checks.

How to prevent it

  • Use per-job minted credentials tied to the correct cluster.
  • Keep IAM/OIDC identity mappings in sync with CI roles.
  • Distinguish 401 (auth) from 403 (RBAC) when triaging.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →