I am trying to build a sample pipeline of adding two numbers. While running kfp.Client().create_run_from_pipeline_func(calc_pipeline, arguments=arguments) below error I a getting for faceless account.
**ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'content-type': 'application/json', 'trailer': 'Grpc-Trailer-Content-Type', 'date': 'Wed, 03 Aug 2022 09:39:23 GMT', 'x-envoy-upstream-service-time': '14', 'server': 'envoy', 'transfer-encoding': 'chunked'})
HTTP response body: {"error":"Failed to authorize with API resource references: Failed to authorize with API resource references: PermissionDenied: User 'sysspendanalytics' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:sysspendanalytics,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:,}): Unauthorized access","code":7,"message":"Failed to authorize with API resource references: Failed to authorize with API resource references: PermissionDenied: User 'sysspendanalytics' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:sysspendanalytics,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:,}): Unauthorized access","details":[{"#type":"type.googleapis.com/api.Error","error_message":"User 'sysspendanalytics' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:sysspendanalytics,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:,})","error_details":"Failed to authorize with API resource references: Failed to authorize with API resource references: PermissionDenied: User 'sysspendanalytics' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:sysspendanalytics,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:,}): Unauthorized access"}]}**
Kubeflow implements RBAC based policy for governing access to Kubeflow resources. Policies are configured automatically, so that users can only access things associated with their workspace, and may not access resources associated with another user’s workspace.
I propose to check:
if there is a k8s role created by Kubeflow in the namespace sysspendanalytics
if it contains the verb list to the resource experiments
if there is a RoleBinding that grants the found role to the user sysspendanalytics
Related
Can't seal Vault, neither on CLI or with HTTP API, citing permission problems, using a token from userpass with a policy with permissions on sys/seal. However, by generating a root token it can seal normally.
The documentation at the official site mentions:
This endpoint seals the Vault. In HA mode, only an active node can be sealed. Standby nodes should be restarted to get the same effect. Requires a token with root policy or sudo capability on the path.
Policy
path "sys/seal"
{
capabilities = ["create", "sudo"]
}
Error message
Error sealing: Error making API request.
URL: PUT <HOST>/v1/sys/seal
Code: 403. Errors:
* 1 error occurred:
* permission denied
"update" capability was required.
path "sys/seal"
{
capabilities = ["create", "update", "sudo" ]
}
I followed the documentation here: and here: Trying to integrate to a Personality Insights service via Android Java.
However, after the app runs, and using the correct username and password as mentioned in the guide... (the guide is not clear (2nd bullet point in "Before you begin") on which set of credentials to use - It says get the "service credentials" and credentials from the new service created - I tried with both and both fail with the same error below.)
Error:
12-11 01:49:56.201 29584-29632/? I/CredentialUtils: JNDI string lookups is not available. 12-11 01:49:56.269 29584-29632/? D/NetworkSecurityConfig: No Network Security Config specified, using platform default 12-11 01:49:56.723 29584-29632/? D/OkHttp: --> POST https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 http/1.1 (1297-byte body) 12-11 01:49:56.803 29584-29632/? D/OkHttp: <-- 401 Not Authorized https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 (78ms, unknown-length body) 12-11 01:49:56.863 29584-29632/? E/WatsonService: POST https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13, status: 401, error: Not Authorized 12-11 01:49:56.865 29584-29632/? E/ERROR: Unauthorized: Access is denied due to invalid credentials
com.ibm.watson.developer_cloud.service.exception.UnauthorizedException: Unauthorized: Access is denied due to invalid credentials at com.ibm.watson.developer_cloud.service.WatsonService.processServiceCall(WatsonService.java:492) at com.ibm.watson.developer_cloud.service.WatsonService$2.execute(WatsonService.java:254) at com.upen.personalityapp.MainActivity$RetrieveFeedTask.doInBackground(MainActivity.java:105) at com.upen.personalityapp.MainActivity$RetrieveFeedTask.doInBackground(MainActivity.java:87) at android.os.AsyncTask$2.call(AsyncTask.java:306) at java.util.concurrent.FutureTask.run(FutureTask.java:237) at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:244) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607) at java.lang.Thread.run(Thread.java:761) 12-11 01:49:56.866 29584-29584/?
This is the code I am using; I am trying to pass a "text" input to the service.
service = new PersonalityInsights("2017-10-13");
service.setUsernameAndPassword("{myUsername}", "{myPassword}");
Profile profile = service.getProfile(text).execute();
System.out.println(profile);
return profile.toString();
I am using the com.ibm.watson.developer_cloud:personality-insights:3.8.0 dependency.
I tried connecting to the URL in the error (https://gateway.watsonplatform.net/personality-insights/api/v3/profile?version=2017-10-13 ) via a browser. It prompts for a username/password combo. I entered my details from my IBM Cloud Lite service but it throws the HTTP Error 405. Is this how it's supposed to work on the browser?
For someone in the future;
Instead of service.setUsernameAndPassword(username, password);, I tried service.setUsernameAndPassword("username", "password"); and it worked.
Trying to Configuring AEM Assets integration with Marketing Cloud and Creative Cloud by following this Adobe documentation.
After configuring, I am trying to test the connection but connection failed.
http://{application-name}.marketing.adobe.com/bin/receive?sling:authRequestLogin=1
07.04.2017 06:17:04 - * HTTP Version: 1.1
07.04.2017 06:17:04 - * Using OAuth 2.0 Authorization Grants
07.04.2017 06:17:04 - * OAuth 2.0 User: Agent user ID
07.04.2017 06:17:04 - Failed to get an access token for user: Agent user ID msg: failed to get access token from authorization server status: 400 response: {"error":"invalid_grant","error_description":"Invalid issuer (iss) or subject (sub) provided"}
Anyone has faced this issue!!
I have tried using the /requests endpoint with my Uber developer account's owner and developer accounts, but I get this error:
401 unauthorized,
{
"message": "This endpoint requires at least one of the following scopes: request.delegate.tos_accept, request, request.delegate", "code": "unauthorized"
}
My HTTP call is as follows:
POST https://sandbox-api.uber.com/v1.2/requests
Headers:
Authorization: Bearer ACCESS_TOKEN_OF_MY_DEVELOPER_ACCOUNT
Accept-Language: en_US
Content-Type: application/json
Parameters:
{"start_latitude":"21.1741125","start_longitude":"72.8121804","end_latitude":"21.2048986","end_longitude":"72.8386455"}
Whereas I get proper response from /requests/estimate endpoint with the same access token, for the same location parameters.
Please help with this.
The problem is you have not requested the 'request' scope during the oauth authorization process.
I am stuck on trying to figure out what permission require for a role to have the ability to update CloudWatch ARN on AWS APIGateway settings. I added full permission for APIGateway and Cloudwatch and CloudwatchLog to a test role and still can't update the Cloudwatch ARN.
Only adding AdministratorAccess then it worked. I don't want to do that. Did I miss something.
error message
Update Cloudwatch ARN for APIGateway.
{ [AccessDeniedException: User: arn:aws:iam:::user/ is not authorized to access this resource]
message: 'User: arn:aws:iam:::user/* is not authorized to access this resource',
code: 'AccessDeniedException',
time: Thu May 05 2016 11:06:32 GMT-0700 (PDT),
requestId: '',
statusCode: 403,
retryable: false,
retryDelay: 9.588389308191836
Thanks
Guang
If the User has PassRole permission on the CloudWatch ARN, API Gateway will consider that the user is authorized to access the resource.