* rpc error: code = PermissionDenied desc = not authorized: cannot get machineconfig with admin user (omni endpoint)

[bashfulrobot]

Hi there,

I have a bare bones Omni account, where I built a new cluster. omnictl seems to work fine, kubectl seems to work fine, but talosctl keeps giving me the following error when I try to get certain things like a machineconfig:

* rpc error: code = PermissionDenied desc = not authorized

I searched the Slack channel and GitHub issues, but the only instance I found mentioned that the user was using a worker node as the endpoint. That is definitely not the issue here.

I have also tried re-authenticating, re-downloading my config files, and using different CP nodes as the endpoint, etc. All still produce the same behaviour.

Cluster Status

❯ omnictl cluster status spitfire
Cluster "spitfire" RUNNING Ready (5/5) (healthy/total)
├── Kubernetes Upgrade Done
├── Talos Upgrade Done
├── Control Plane "spitfire-control-planes" Running Ready (3/3)
│   ├── Load Balancer Ready
│   ├── Status Checks OK
│   ├── Machine "5319bc21-15ee-4e0e-8f9d-52cade64d5f1" RUNNING Ready
│   ├── Machine "5be0d818-771f-4b71-9c95-8bcd220e515c" RUNNING Ready
│   └── Machine "9336a017-fd70-4f20-997c-532199f82a50" RUNNING Ready
└── Workers "spitfire-workers" Running Ready (2/2)
    ├── Machine "b7a237d7-ba73-4e9c-84e3-77d17282961f" RUNNING Ready
    └── Machine "d08863d9-b429-4cd2-8fc4-0081a2e6c3a9" RUNNING Ready
    ```
    
   commands attempted that generate the error:
   

❯ talosctl -n 172.31.255.144 get machineconfig
NODE NAMESPACE TYPE ID VERSION
1 error occurred:
* rpc error: code = PermissionDenied desc = not authorized

❯ talosctl -n 172.31.255.144 get mc -o yaml
1 error occurred:
* rpc error: code = PermissionDenied desc = not authorized

However not all `talosctl` commands generate the error:

❯ talosctl time -n 172.31.255.144
NODE NTP-SERVER NODE-TIME NTP-SERVER-TIME
172.31.255.144 time.cloudflare.com 2026-01-22 17:00:02.747823001 +0000 UTC 2026-01-22 17:00:02.743525569 +0000 UTC

This user is the only (admin) user (has not set up any others yet). 

Do I just have afundamental misunderstanding of getting machineconfig with `talosctl`?

Cheers!

[smira]

You did everything correctly from Talos point of view, but as Omni manages your machines, it won't let you access the machine configuration, as it will break the management part (you will see raw secrets).

You can still see (redacted) machine config in Omni UI per node, or inspect config patches, etc. (You can also access redacted machine config as Omni resource).

Also you can access Talos resources which don't contain secrets.

[bashfulrobot]

ah! That makes sense. I appreciate that clarification. I will read the docs, but is there a way to view the machone config via omnictl?

[bashfulrobot]

Ok, couldn't find a way. Seems to be in web gui only. Thanks for all the help.

[smira]

yes, you can do omnictl get redactedmachineconfig <uuid>, or in general explore what's available with omnictl get rd