Description
When using "deck gateway validate" with a user whose permissions are scoped only to the workspace in question, this only seems to function when passing in the --workspace flag on the command. When this is omitted, deck seems to try and hit some endpoints which the user does not have permissions to access and fails, despite the workspace being specified within the YAML file itself.
```yaml
_format_version: "3.0"
_workspace: workspace2
services:
- connect_timeout: 60000
  enabled: true
  host: httpbin-ct.home.arpa
  name: workspace2_httpbin_service
  path: /anything
  plugins:
  - config:
      custom_fields_by_lua: {}
      path: /dev/stdout
      reopen: false
    enabled: true
    name: file-log
    protocols:
    - grpc
    - grpcs
    - http
    - https
  port: 80
  protocol: http
  read_timeout: 60000
  retries: 5
  routes:
  - https_redirect_status_code: 426
    name: workspace2_httpbin_route
    path_handling: v0
    paths:
    - /httpbin
    preserve_host: false
    protocols:
    - http
    - https
    regex_priority: 0
    request_buffering: true
    response_buffering: true
    strip_path: true
  write_timeout: 60000
```
But when running the command without the --workspace flag set, this fails:

```text
$ deck gateway validate workspace2.yaml --headers Kong-Admin-Token:workspace2_admin --verbose 2
GET /schemas/services HTTP/1.1
Host: localhost:8001
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip

HTTP/1.1 403 Forbidden
Content-Length: 81
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: http://10.10.87.190:8002
Connection: keep-alive
Content-Type: application/json; charset=utf-8
Date: Tue, 02 Sep 2025 14:46:07 GMT
Server: kong/3.11.0.2-enterprise-edition
Vary: Origin
X-Kong-Admin-Latency: 31
X-Kong-Admin-Request-Id: 45b2a705c5f2516576598112e5b49f49

{"message":"workspace2_admin, you do not have permissions to read this resource"}
Error: building state: creating defaulter: get defaults for services: retrieve schema for services from Kong: HTTP status 403 (message: "workspace2_admin, you do not have permissions to read this resource")
```
With the --workspace flag this command succeeds as expected:

```text
$ deck gateway validate workspace2.yaml --headers Kong-Admin-Token:workspace2_admin --workspace workspace2
```
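A workaround sketch for the behaviour reported above, added here as an example and not part of decK or of the original report: it reads `_workspace` from the state file and passes it explicitly as `--workspace`, which is the command form the report shows succeeding with a workspace-scoped token. The function names, the `DECK` override variable and the conservative character whitelist for workspace names are assumptions.

```shell
#!/bin/sh
# Added example (not decK code): make the workspace explicit for scoped tokens.

# Print the value of the top-level `_workspace:` key of a decK state file.
# Strips a trailing comment and surrounding quotes; prints nothing if absent.
workspace_from_state() {
    awk -v q="'" '
        /^_workspace:/ {
            sub(/^_workspace:[ \t]*/, "")
            sub(/[ \t]+#.*$/, "")                  # trailing YAML comment
            sub(/[ \t\r]+$/, "")                   # trailing whitespace / CR
            gsub("^[\"" q "]|[\"" q "]$", "")      # surrounding quotes
            print
            exit
        }
    ' "$1"
}

# Run `deck gateway validate` with --workspace taken from the file itself.
# Extra arguments (for example --headers ...) are passed through unchanged.
# DECK is a hypothetical override for the binary name, useful for dry runs.
deck_validate_scoped() {
    state=$1
    shift
    ws=$(workspace_from_state "$state")
    case $ws in
        ''|*[!A-Za-z0-9._-]*)
            # Assumption: refuse empty or unusual names rather than guess.
            echo "no usable _workspace in $state" >&2
            return 1
            ;;
    esac
    "${DECK:-deck}" gateway validate "$state" --workspace "$ws" "$@"
}
```

Setting `DECK=echo` prints the command that would run instead of executing it.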