Failed to generate workload certificate...error code = Unauthenticated

Hi, I have been struggling with an authentication failure when I try to start Istio on a VM in AWS. I have been following the VM installation page for the most part. The log says that it connected to the upstream XDS server, so I think most of my configs are correct, but I get the

failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unauthenticated desc = request authenticate failure

Is this typically a case of a bad root-cert.pem file? I generated the root-cert by running istioctl x workload entry as the documentation instructed. Below is more of my log:

2021-08-02T03:51:51.099088Z     info    JWT policy is third-party-jwt
2021-08-02T03:51:51.099094Z     info    Pilot SAN: [istiod.istio-system.svc]
2021-08-02T03:51:51.099097Z     info    CA Endpoint istiod.istio-system.svc:15012, provider Citadel
2021-08-02T03:51:51.099115Z     info    Using CA istiod.istio-system.svc:15012 cert with certs: /etc/certs/root-cert.pem
2021-08-02T03:51:51.099190Z     info    citadelclient   Citadel client using custom root cert: istiod.istio-system.svc:15012
2021-08-02T03:51:51.116518Z     warn    citadelclient   cannot load key pair, using token instead: open /etc/certs/cert-chain.pem: no such file or directory
2021-08-02T03:51:51.122670Z     info    ads     All caches have been synced up in 27.26525ms, marking server ready
2021-08-02T03:51:51.122954Z     info    sds     SDS server for workload certificates started, listening on "./etc/istio/proxy/SDS"
2021-08-02T03:51:51.123083Z     info    xdsproxy        Initializing with upstream address "istiod.istio-system.svc:15012" and cluster "skim-2021-08-01v"
2021-08-02T03:51:51.123288Z     info    sds     Start SDS grpc server
2021-08-02T03:51:51.123310Z     info    dns     Starting local udp DNS server at localhost:15053
2021-08-02T03:51:51.123353Z     info    dns     Starting local tcp DNS server at localhost:15053
2021-08-02T03:51:51.123391Z     info    Opening status port 15020
2021-08-02T03:51:51.124516Z     info    Starting proxy agent
2021-08-02T03:51:51.124538Z     info    Epoch 0 starting
2021-08-02T03:51:51.126391Z     info    Envoy command: [-c etc/istio/proxy/envoy-rev0.json --restart-epoch 0 --drain-time-s 45 --drain-strategy immediate --parent-shutdown-time-s 60 --service-cluster istio-proxy --service-node sidecar~10.20.148.151~ip-10-20-148-151.static-cloud-engine--scanhost~static-cloud-engine--scanhost.svc.cluster.local --local-address-ip-version v4 --bootstrap-version 3 --disable-hot-restart --log-format %Y-%m-%dT%T.%fZ      %l      envoy %n        %v -l warning --component-log-level misc:error --concurrency 2]
2021-08-02T03:51:51.250829Z     info    xdsproxy        connected to upstream XDS server: istiod.istio-system.svc:15012
2021-08-02T03:51:51.253270Z     warn    xdsproxy        upstream terminated with unexpected error rpc error: code = Unauthenticated desc = authentication failure
2021-08-02T03:51:51.381478Z     warn    sds     failed to warm certificate: failed to generate workload certificate: create certificate: rpc error: code = Unauthenticated desc = request authenticate failure

Any help would be greatly appreciated.

I would recommend taking a look at the JWT token that you have manually installed at “/var/run/secrets/tokens”. Perhaps something is wrong here? Dumping the relevant logs from the Istiod control plane would help here.

Thank you shankgan. I revisited this issue today and, with your comment, I was able to authenticate the generated workload certificate. I was generating the token incorrectly. Thank you again.
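A local sanity check for the bootstrap token that the reply points at, as an added example that is not from this thread or from the Istio project. It assumes the VM token is the file the Istio VM docs project to /var/run/secrets/tokens/istio-token, that it carries the audience istio-ca (the audience istiod checks under the third-party-jwt policy seen in the log), and that its subject names the WorkloadGroup's namespace and service account; only the token's shape and claims are checked here, the signature is verified by istiod itself.

```python
"""Inspect an Istio VM bootstrap token for the common reasons istiod rejects it."""
import base64
import json
import time

# Audience the Istio VM onboarding docs set on the projected token (assumption, see lead-in).
EXPECTED_AUDIENCE = "istio-ca"
DEFAULT_TOKEN_PATH = "/var/run/secrets/tokens/istio-token"  # assumed path


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


def check_istio_token(claims: dict, expected_ns: str, expected_sa: str, now=None) -> list:
    """Return human-readable problems; an empty list means the claims look usable."""
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # a single audience may be encoded as a bare string
        aud = [aud]
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"aud {aud} does not include {EXPECTED_AUDIENCE!r}")
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim; projected tokens are short-lived and must carry one")
    elif exp <= now:
        problems.append(f"token expired at {exp} (now {int(now)})")
    expected_sub = f"system:serviceaccount:{expected_ns}:{expected_sa}"
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} != {expected_sub!r}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token: constructed test data, not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    with open(DEFAULT_TOKEN_PATH) as fh:
        print(check_istio_token(decode_jwt_claims(fh.read()), "vm-ns", "vm-sa") or "token looks OK")
```

Replace the namespace and service account in the final call with the ones from your WorkloadGroup; any reported problem is a reason istiod would answer Unauthenticated before it ever looks at the root-cert.pem.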