Upgrade to 4 with UAA authenticated teams


At one of my customers we run a BOSH deployed concourse 3.14.1 and use CF UAA authentication for all the teams except main. The teams are created by a service broker btw.

Now because all teams use the same auth provider but a slightly different config (CF space GUID is different) I cannot migrate to concourse 4.0 according to the release notes. Of course I tried it on a test concourse instance and the upgrade did indeed fail.

In an attempt to make the migration work I manually updated the teams table in the DB. I just removed the content from all the auth fields except for the main team. Then I ran “atc migrate” manually and that ran succesful.

But if I try to start the ATC now it throws this error: json: cannot unmarshal object into Go value of type []string
So obviously something is broken. Unfortunately the error doesn’t tell me exactly what is broken where.

This is a test instance so it’s no problem. But I do plan to upgrade our production instance. So what would be the right procedure to upgrade concourse from version 3.14.1 to 4.0 when using UAA auth for all the team?


Nobody any suggestions? Or is a github issue a better place for this problem?

Also: is there any automated upgrade procedure planned for future releases? I’m sure I’m not the only one with multiple team authenticating against UAA.


Hi vchris,

I have the exact same setup at my job. Did you find any answer to your questions?


No I haven’t found a solution yet. I was hoping newer concourse versions would have a more sophisticated upgrade mechanism. But nothing so far.


Hello, we had a similar problem. You can try following the same reasoning.

For us the problem was that bitbucket OAuth is not supported any more with Concourse 4.x.

Here is what we did:

  • Dump the DB from prod
  • Move the dump to my dev-workspace
  • Import the dump

Now the tricky part as we wouldn’t be able to migrate the DB in this state because Bitbucket Auth is no longer supported

  • Run Concourse web V3.14.1 in dev-workspace, with fly change auth for the impacted teams to be basic auth (with some temp username and pass but different usernames)
  • Stop Concourse web
  • Run the migration tool: concourse migrate --migrate-db-to-version 1533934775 --encryption-key <db_encryption_key> --postgres-host <host> --postgres-user <user> --postgres-password <db_password>