Skip to content

Duo Agent Platform: Delayed propagation of ProjectMember causes first flow execution to fail

Description

When a flow is started using composite identity service account, we add service account as a developer to the project for the SA to be able to access project endpoints. This likely happens in background so when the SA goes on to creating workload pipeline in the project, the first request always fails as the ProjectMember access hasn't been worked yet. It works with next set of requests as the SA already has project access from the initial request.

Steps to reproduce

  • Enable FF duo_workflow_use_composite_identity
  • Start any remote DAP flow (except Agentic chat), the first request should fail
  • Retry the same request, it should go through

Expected behaviour

First flow execution request in a project should not fail

Implementation Plan

Edited by 🤖 GitLab Bot 🤖