Failed to generate workload certificate...error code = Unauthenticated

Hi, I have been struggling with an authentication failure when I try to start Istio on a VM in AWS. I have been following the VM installation page for the most part. The log says that it connected to the upstream XDS server, so I think most of my configs are correct, but I get the

failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unauthenticated desc = request authenticate failure

Is this typically a case of a bad root-cert.pem file? I generated the root-cert by running istioctl x workload entry as the documentation instructed. Below is more of my log:

2021-08-02T03:51:51.099088Z     info    JWT policy is third-party-jwt
2021-08-02T03:51:51.099094Z     info    Pilot SAN: [istiod.istio-system.svc]
2021-08-02T03:51:51.099097Z     info    CA Endpoint istiod.istio-system.svc:15012, provider Citadel
2021-08-02T03:51:51.099115Z     info    Using CA istiod.istio-system.svc:15012 cert with certs: /etc/certs/root-cert.pem
2021-08-02T03:51:51.099190Z     info    citadelclient   Citadel client using custom root cert: istiod.istio-system.svc:15012
2021-08-02T03:51:51.116518Z     warn    citadelclient   cannot load key pair, using token instead: open /etc/certs/cert-chain.pem: no such file or directory
2021-08-02T03:51:51.122670Z     info    ads     All caches have been synced up in 27.26525ms, marking server ready
2021-08-02T03:51:51.122954Z     info    sds     SDS server for workload certificates started, listening on "./etc/istio/proxy/SDS"
2021-08-02T03:51:51.123083Z     info    xdsproxy        Initializing with upstream address "istiod.istio-system.svc:15012" and cluster "skim-2021-08-01v"
2021-08-02T03:51:51.123288Z     info    sds     Start SDS grpc server
2021-08-02T03:51:51.123310Z     info    dns     Starting local udp DNS server at localhost:15053
2021-08-02T03:51:51.123353Z     info    dns     Starting local tcp DNS server at localhost:15053
2021-08-02T03:51:51.123391Z     info    Opening status port 15020
2021-08-02T03:51:51.124516Z     info    Starting proxy agent
2021-08-02T03:51:51.124538Z     info    Epoch 0 starting
2021-08-02T03:51:51.126391Z     info    Envoy command: [-c etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --drain-strategy immediate --parent-shutdown-time-s 60 --service-cluster istio-proxy --service-node sidecar~10.20.148.151~ip-10-20-148-151.static-cloud-engine--scanhost~static-cloud-engine--scanhost.svc.cluster.local --local-address-ip-version v4 --bootstrap-version 3 --disable-hot-restart --log-format %Y-%m-%dT%T.%fZ      %l      envoy %n        %v -l warning --component-log-level misc:error --concurrency 2]
2021-08-02T03:51:51.250829Z     info    xdsproxy        connected to upstream XDS server: istiod.istio-system.svc:15012
2021-08-02T03:51:51.253270Z     warn    xdsproxy        upstream terminated with unexpected error rpc error: code = Unauthenticated desc = authentication failure
2021-08-02T03:51:51.381478Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unauthenticated desc = request authenticate failure

Any help would be greatly appreciated.

I would recommend taking a look at the JWT token that you have manually installed at “/var/run/secrets/tokens”. Perhaps something is wrong here? Dumping the relevant logs from the Istiod control plane would help here.
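A quick way to act on that advice is to decode the token on the VM and look at its claims before reading istiod's logs. The script below is an added example (not from this thread or from the Istio project): it base64url-decodes the JWT without verifying the signature and reports the claim problems that commonly produce `code = Unauthenticated` (wrong audience, expired or not-yet-valid token, missing issuer, a subject that is not a Kubernetes service account, or `alg: none`). It assumes Istio's default CA audience `istio-ca` and the file name `istio-token` under the directory named above; both are assumptions, so pass your own values if your mesh differs. Signature validation is deliberately left to istiod, whose logs remain the authoritative answer.

```python
"""Offline sanity check of the JWT an Istio VM agent presents to istiod.

Added example, not code from the thread or from Istio. It decodes the token
and checks its claims; it does NOT verify the signature (istiod does that).
"""
import base64
import json
import os
import sys
import time
from typing import List, Optional, Tuple

# Assumption: Istio's default CA token audience; the thread does not name it.
DEFAULT_AUDIENCE = "istio-ca"
# Assumption: file name written by `istioctl x workload entry configure`.
DEFAULT_TOKEN_PATH = "/var/run/secrets/tokens/istio-token"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _iso(ts: float) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def decode_jwt_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, claims) of a compact JWS. The signature is NOT checked."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("header and payload must be JSON objects")
    return header, claims


def check_istio_token(token: str, expected_aud: str = DEFAULT_AUDIENCE,
                      now: Optional[float] = None) -> List[str]:
    """Return human-readable problems with the token; [] means nothing obvious."""
    now = time.time() if now is None else now
    problems: List[str] = []
    try:
        header, claims = decode_jwt_unverified(token)
    except ValueError as e:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return [f"not a well-formed JWT: {e}"]

    if str(header.get("alg", "none")).lower() == "none":
        problems.append("header alg is 'none'; istiod will not accept an unsigned token")

    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in aud:
        problems.append(f"audience {aud!r} does not include {expected_aud!r}")

    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    elif exp <= now:
        problems.append(f"token expired at {_iso(exp)} (now {_iso(now)})")

    nbf = claims.get("nbf")
    if nbf is not None and nbf > now:
        problems.append(f"token not valid before {_iso(nbf)} (now {_iso(now)})")

    if not claims.get("iss"):
        problems.append("no iss claim; istiod cannot select a JWKS to validate against")

    sub = str(claims.get("sub", ""))
    if not sub.startswith("system:serviceaccount:"):
        problems.append(f"sub {sub!r} is not a Kubernetes service-account subject")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a token with a dummy signature segment. Constructed test data only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'RS256', 'kid': 'constructed'})}.{enc(claims)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TOKEN_PATH
    if not os.path.exists(path):
        sys.exit(f"no token at {path}")
    with open(path, encoding="ascii") as fh:
        found = check_istio_token(fh.read())
    print("\n".join(found) if found else "no obvious problems with the token claims")
```

Run it on the VM as `python3 check_token.py` (or with an explicit path). An empty result only rules out the cheap mistakes; if the claims look right, the next step is still the istiod log line for the rejected request, since a valid-looking token can be signed by a cluster whose JWKS istiod cannot reach or trust.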

Thank you shankgan. I revisited this issue today and, with your comment, I was able to authenticate the generated workload certificate. I was generating the token incorrectly. Thank you again.

Hello @skim, I have the same problem but cannot find any issues with my token. Would you be so kind as to give me the commands for properly and correctly generating the token?