Cyberark.conjur-host-identity getting "HTTP Error 401: Unauthorized"

My Ansible admin is trying to set up some new Ansible hosts, integrated with DAP. They are using this playbook:

  - hosts: localhost
    roles:
      - role: cyberark.conjur-host-identity
        conjur_appliance_url: 'https://conjur.fqdn.com'
        conjur_account: '<ACCT_ID>'
        conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}"
        conjur_host_name: "{{ inventory_hostname }}"
        conjur_ssl_certificate: "{{ lookup('file', '/root/conjur.pem') }}"
        conjur_validate_certs: yes

When running the playbook, it’s getting an error when trying to create the identity:

TASK [cyberark.conjur-host-identity : Request identity from Conjur] *****************************
FAILED - RETRYING: Request identity from Conjur (3 retries left).
FAILED - RETRYING: Request identity from Conjur (2 retries left).
FAILED - RETRYING: Request identity from Conjur (1 retries left).
fatal: [<NODE_NAME>]: FAILED! => {"attempts": 3, "cache_control": "no-cache", "changed": false, "connection": "close", "content_type": "text/html", "date": "Fri, 29 Oct 2021 18:39:02 GMT", "elapsed": 0, "msg": "Status code was 401 and not [201]: HTTP Error 401: Unauthorized", "redirected": false, "server": "nginx", "status": 401, "transfer_encoding": "chunked", "url": "https://<CONJUR_FQDN>/host_factories/hosts", "x_content_type_options": "nosniff", "x_frame_options": "SAMEORIGIN", "x_request_id": "6e424905-ea38-4c2a-9c71-b9a3cef655c6", "x_runtime": "0.078504", "x_xss_protection": "1; mode=block"}

I had generated a new HF token this morning and provided it to him. Could he have gotten it wrong?

Hi Chris,
Just reviewing the output, the conjur_appliance_url is replaced with a different value?

Yes, I changed it to protect the innocent. It’s a valid value in the playbook.

It turns out the user didn’t have the HF token in his environment. Thanks for looking.
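
Added example, not part of the original thread or the role's own code: the playbook from the question with a pre-flight check, so a missing HFTOKEN fails with a clear message instead of a 401 from /host_factories/hosts. It relies on Ansible's env lookup returning an empty string when the variable is unset; the task name and message text are illustrative.

```yaml
- hosts: localhost
  pre_tasks:
    # lookup('env', ...) yields '' when the variable is not exported in the
    # shell that runs ansible-playbook, so the role would otherwise send an
    # empty host factory token to Conjur.
    - name: Stop before contacting Conjur if HFTOKEN is not exported
      ansible.builtin.assert:
        that:
          - lookup('env', 'HFTOKEN') | trim | length > 0
        fail_msg: >-
          HFTOKEN is empty or unset in the environment of the user running
          ansible-playbook. Export the host factory token in that shell and
          re-run.
        quiet: true   # on success, do not echo the evaluated condition

  roles:
    - role: cyberark.conjur-host-identity
      conjur_appliance_url: 'https://conjur.fqdn.com'
      conjur_account: '<ACCT_ID>'
      conjur_host_factory_token: "{{ lookup('env', 'HFTOKEN') }}"
      conjur_host_name: "{{ inventory_hostname }}"
      conjur_ssl_certificate: "{{ lookup('file', '/root/conjur.pem') }}"
      conjur_validate_certs: yes
```

The assertion reports only the expression and whether it passed, never the token value, so the check can stay enabled without leaking the secret into task output.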