Invalid tag - Creator not in tag owners group

Hi all

I am trying to combine tags with ACLs, but failing miserably.

I have assigned the tag to two of my VMs running Tailscale. I have put my user as tag owner and I have made an ACL that should give the VMs with the tag access to each other.

The issue is when I go to the Machines page in the web admin and do a mouse-over on the tag I get the following message:
“This tag is invalid because the machine’s creator is not in the tag owners’ group. See the ACL file for who is allowed to claim a tag.”

The ACL looks like this

{
  "tagOwners": {
    "tag:VMs-Test": ["email@email.com"],
  },
  // Access control lists.
  "acls": [
    // Match absolutely everything. Comment out this section if you want
    // to define specific ACL restrictions.
    { "action": "accept", "users": ["tag:VMs-Test"], "ports": ["tag:VMs-Test:*"] },
    //{ "action": "accept", "users": ["*"], "ports": ["*:*"] },
  ]
}

*Email has been changed in the above paste, but it is the same mail as is stated as the creator for the machines (I only have 1 user).

Any suggestion as to what I have done wrong?

Thanks in advance,
Thomas

Can you send email to support@tailscale.com with the domain name?

We made changes recently in working toward "Ability to generate pre-auth key and assign tag using API" (Issue #1369, tailscale/tailscale on GitHub) and can look into whether we broke anything.

Hi DGentry

Mail sent, haven’t heard anything back yet. I’ll update this post when news arrives.
The issue still persists.

Thomas

And just like that I got it working.
I decided to simplify my tags, removing capital letters and dashes, so it just ended up as “vmstest” (without the "). Now it works.
Could it be possible to enhance the validation of input, so it is not possible to put in stuff that does not work?
Anyways, I got it working and I am happy the issue was on my end and not because of the recent changes :)