Skip to content

fix(coderd): skip stale agents from prior builds in instance-identity auth#25443

Merged
f0ssel merged 1 commit into
release/2.33from
fix/instance-id-latest-build-2.33
May 18, 2026
Merged

fix(coderd): skip stale agents from prior builds in instance-identity auth#25443
f0ssel merged 1 commit into
release/2.33from
fix/instance-id-latest-build-2.33

Conversation

@f0ssel
Copy link
Copy Markdown
Member

@f0ssel f0ssel commented May 18, 2026
edited
Loading

Fixes the HTTP 409 ambiguity errors that occur during instance-identity auth when stale workspace agents from prior builds accumulate with the same auth_instance_id.

Problem

#24325 changed the instance-identity auth path from a :one lookup (which silently picked the newest agent) to a :many lookup with ambiguity rejection. This caused HTTP 409 errors for workspaces whose EC2/Azure/GCP instances had been through multiple builds, because old agents from prior builds (sharing the same instance ID) were still returned by the query.

Solution

Inside the existing per-candidate loop in handleAuthInstanceID (which already does per-candidate DB calls for resource and job lookups), add a latest-build check: parse the provisioner job input to get the workspace build, compare against the latest build for that workspace, and continue past candidates whose build is not current.

1 file changed, no SQL/migration/schema changes.

Generated by Coder Agents on behalf of @f0ssel

@f0ssel f0ssel force-pushed the fix/instance-id-latest-build-2.33 branch from 8f54fbe to 0900a1e Compare May 18, 2026 15:04
@f0ssel f0ssel changed the title fix(coderd): filter stale agents from prior builds in instance-identity auth fix(coderd): filter instance-identity lookup to latest build per workspace May 18, 2026
@f0ssel f0ssel force-pushed the fix/instance-id-latest-build-2.33 branch from 0900a1e to 496f372 Compare May 18, 2026 15:06
@f0ssel
fix(coderd): skip stale agents from prior builds in instance-identity…
a7a7914 
… auth

Inside the existing per-candidate loop in handleAuthInstanceID, add a
latest-build check: parse the provisioner job input to get the workspace
build, then compare against the latest build for that workspace. Skip
candidates whose build is not current.

This prevents stale agents from prior builds (which share the same
instance ID) from triggering false HTTP 409 ambiguity errors.
@f0ssel f0ssel force-pushed the fix/instance-id-latest-build-2.33 branch from 496f372 to a7a7914 Compare May 18, 2026 15:51
@f0ssel f0ssel changed the title fix(coderd): filter instance-identity lookup to latest build per workspace fix(coderd): skip stale agents from prior builds in instance-identity auth May 18, 2026
@f0ssel f0ssel requested a review from ibetitsmike May 18, 2026 16:11
@f0ssel f0ssel marked this pull request as ready for review May 18, 2026 16:23
@f0ssel f0ssel merged commit 7fc8a08 into release/2.33 May 18, 2026
31 checks passed
@f0ssel f0ssel deleted the fix/instance-id-latest-build-2.33 branch May 18, 2026 16:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ibetitsmike ibetitsmike ibetitsmike approved these changes

Assignees

@f0ssel f0ssel

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@f0ssel @ibetitsmike