IAM policies for updating cloudwatch ARN on AWS APIGateway settings? - aws-api-gateway

I am stuck trying to figure out what permission is required for a role to have the ability to update the CloudWatch ARN in AWS API Gateway settings. I added full permission for API Gateway, CloudWatch and CloudWatch Logs to a test role and still can't update the CloudWatch ARN.
Only after adding AdministratorAccess did it work. I don't want to do that. Did I miss something?
error message
Update Cloudwatch ARN for APIGateway.
{ [AccessDeniedException: User: arn:aws:iam:::user/ is not authorized to access this resource]
message: 'User: arn:aws:iam:::user/* is not authorized to access this resource',
code: 'AccessDeniedException',
time: Thu May 05 2016 11:06:32 GMT-0700 (PDT),
requestId: '',
statusCode: 403,
retryable: false,
retryDelay: 9.588389308191836
Thanks
Guang

If the User has PassRole permission on the CloudWatch ARN, API Gateway will consider that the user is authorized to access the resource.
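As an added example (not from the question or the answer above): a least-privilege alternative to AdministratorAccess for the UpdateAccount call that sets the API Gateway CloudWatch Logs role, next to a simplified IAM evaluator that shows why "full API Gateway + CloudWatch + CloudWatch Logs" still fails: nothing in it grants iam:PassRole. The account id, region and role name are placeholders; the evaluator models only identity policies with Allow/Deny, `*`/`?` wildcards and a StringEquals condition, so it is a teaching model, not IAM itself.

```python
"""Added example, not from the original question or answer: a least-privilege
alternative to AdministratorAccess for setting the API Gateway account-level
CloudWatch Logs role, plus a simplified IAM evaluator showing why "full API
Gateway + CloudWatch + CloudWatch Logs" still fails (no iam:PassRole).
Account id, region and role name are placeholders; the evaluator models only
identity policies with Allow/Deny, wildcards and a StringEquals condition."""
import fnmatch

ACCOUNT = "123456789012"   # placeholder account id
REGION = "us-east-1"       # placeholder region
LOG_ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ApiGatewayCloudWatchLogsRole"  # placeholder

# Setting the CloudWatch log role ARN is an UpdateAccount call: a PATCH on the
# region's /account resource, plus permission to pass the role to API Gateway.
UPDATE_ACCOUNT_REQUEST = [
    ("apigateway:PATCH", f"arn:aws:apigateway:{REGION}::/account"),
    ("iam:PassRole", LOG_ROLE_ARN),
]
PASS_CONTEXT = {"iam:PassedToService": "apigateway.amazonaws.com"}

# What the question describes: full API Gateway, CloudWatch and CloudWatch Logs.
ASKER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["apigateway:*", "cloudwatch:*", "logs:*"],
                   "Resource": "*"}],
}

# Least-privilege alternative: PATCH /account plus PassRole scoped to the one
# log role, and only when the role is being passed to API Gateway.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "apigateway:PATCH",
         "Resource": "arn:aws:apigateway:*::/account"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": LOG_ROLE_ARN,
         "Condition": {"StringEquals": {"iam:PassedToService": "apigateway.amazonaws.com"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_ok(condition, context):
    """Only StringEquals is modelled; every listed key must match the request context."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants, otherwise the implicit deny applies. Actions compare
    case-insensitively; resources are case-sensitive; '*' and '?' are wildcards."""
    context = context or {}
    allowed = False
    for statement in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(statement.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(statement.get("Resource", []))):
            continue
        if not _condition_ok(statement.get("Condition"), context):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, request, context=None):
    """The (action, resource) pairs of a request that the policy does not allow."""
    return [(a, r) for a, r in request if not is_allowed(policy, a, r, context)]


if __name__ == "__main__":
    for name, policy in (("asker", ASKER_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, "missing:", missing_permissions(policy, UPDATE_ACCOUNT_REQUEST, PASS_CONTEXT))
```

Run as a script it reports the asker's policy missing `iam:PassRole` on the log role and the least-privilege policy missing nothing. The `iam:PassedToService` condition is the check worth keeping in production: without it, anyone holding the PassRole grant can hand the same role to any service that accepts it.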

Related

Failed to authorize with Kubeflow API resource references: PermissionDenied: User 'namespace'

I am trying to build a sample pipeline that adds two numbers. While running kfp.Client().create_run_from_pipeline_func(calc_pipeline, arguments=arguments), I am getting the error below for a faceless account.
ApiException: (403)
Reason: Forbidden
HTTP response headers: HTTPHeaderDict({'content-type': 'application/json', 'trailer': 'Grpc-Trailer-Content-Type', 'date': 'Wed, 03 Aug 2022 09:39:23 GMT', 'x-envoy-upstream-service-time': '14', 'server': 'envoy', 'transfer-encoding': 'chunked'})
HTTP response body: {"error":"Failed to authorize with API resource references: Failed to authorize with API resource references: PermissionDenied: User 'sysspendanalytics' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:sysspendanalytics,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:,}): Unauthorized access","code":7,"message":"Failed to authorize with API resource references: Failed to authorize with API resource references: PermissionDenied: User 'sysspendanalytics' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:sysspendanalytics,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:,}): Unauthorized access","details":[{"#type":"type.googleapis.com/api.Error","error_message":"User 'sysspendanalytics' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:sysspendanalytics,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:,})","error_details":"Failed to authorize with API resource references: Failed to authorize with API resource references: PermissionDenied: User 'sysspendanalytics' is not authorized with reason: (request: \u0026ResourceAttributes{Namespace:sysspendanalytics,Verb:list,Group:pipelines.kubeflow.org,Version:v1beta1,Resource:experiments,Subresource:,Name:,}): Unauthorized access"}]}
Kubeflow implements RBAC based policy for governing access to Kubeflow resources. Policies are configured automatically, so that users can only access things associated with their workspace, and may not access resources associated with another user’s workspace.
I propose to check:
if there is a k8s role created by Kubeflow in the namespace sysspendanalytics
if it contains the verb list to the resource experiments
if there is a RoleBinding that grants the found role to the user sysspendanalytics
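The three checks in that answer, as an added example that is not part of the original post: an offline checker over Role and RoleBinding manifests of the shape `kubectl get role,rolebinding -n <namespace> -o json` returns. The namespace, user and the Group/Resource/Verb come from the ResourceAttributes in the 403 body; the two Roles and the RoleBinding are constructed so that step 3 is the one that fails. Only subjects of kind User and roleRefs of kind Role are modelled (no ClusterRole references, groups or service accounts).

```python
"""Added example, not from the original answer: an offline checker that walks
the answer's three steps over Role/RoleBinding manifests (the JSON that
`kubectl get role,rolebinding -n <namespace> -o json` would return). The two
Roles and the RoleBinding below are constructed; only the namespace, the user
and the group/resource/verb from the error body come from the post. Subjects
of kind User and roleRefs of kind Role are modelled, not ClusterRoles or
Groups."""

NAMESPACE = "sysspendanalytics"
USER = "sysspendanalytics"
# ResourceAttributes{Group:..., Resource:..., Verb:...} from the 403 body.
WANT = {"group": "pipelines.kubeflow.org", "resource": "experiments", "verb": "list"}

# Constructed manifests: one Role that covers the request, one that does not,
# and a RoleBinding that only hands the user the insufficient Role.
ROLES = [
    {"kind": "Role", "metadata": {"name": "pipeline-editor", "namespace": NAMESPACE},
     "rules": [{"apiGroups": ["pipelines.kubeflow.org"],
                "resources": ["experiments", "runs", "pipelines"],
                "verbs": ["get", "list", "create"]}]},
    {"kind": "Role", "metadata": {"name": "viewer-only", "namespace": NAMESPACE},
     "rules": [{"apiGroups": ["pipelines.kubeflow.org"],
                "resources": ["pipelines"], "verbs": ["get", "list"]}]},
]
ROLEBINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "viewer-binding", "namespace": NAMESPACE},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "viewer-only"},
     "subjects": [{"kind": "User", "name": USER}]},
]


def rule_covers(rule, want):
    """Step 2: does one PolicyRule grant the verb on group/resource? '*' is RBAC's wildcard."""
    return (any(g in ("*", want["group"]) for g in rule.get("apiGroups", []))
            and any(r in ("*", want["resource"]) for r in rule.get("resources", []))
            and any(v in ("*", want["verb"]) for v in rule.get("verbs", [])))


def roles_granting(roles, namespace, want):
    """Steps 1 and 2: names of Roles in the namespace with a rule covering the request."""
    return [r["metadata"]["name"] for r in roles
            if r["metadata"]["namespace"] == namespace
            and any(rule_covers(rule, want) for rule in r.get("rules", []))]


def bindings_for_user(bindings, namespace, user, role_names):
    """Step 3: RoleBindings in the namespace that bind one of role_names to the user."""
    return [b["metadata"]["name"] for b in bindings
            if b["metadata"]["namespace"] == namespace
            and b["roleRef"]["kind"] == "Role" and b["roleRef"]["name"] in role_names
            and any(s["kind"] == "User" and s["name"] == user for s in b.get("subjects", []))]


def diagnose(roles, bindings, namespace, user, want):
    """Report which of the three checks fails, or which RoleBinding satisfies the request."""
    granting = roles_granting(roles, namespace, want)
    if not granting:
        return f"no Role in {namespace} grants {want['verb']} on {want['group']}/{want['resource']}"
    bound = bindings_for_user(bindings, namespace, user, granting)
    if not bound:
        return f"Role(s) {granting} grant it, but no RoleBinding gives them to user {user!r}"
    return f"ok via RoleBinding(s) {bound}"


def make_rolebinding(name, role_name, user, namespace):
    """The manifest that closes the gap: bind an adequate Role to the user in the namespace."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
            "metadata": {"name": name, "namespace": namespace},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": role_name},
            "subjects": [{"kind": "User", "name": user,
                          "apiGroup": "rbac.authorization.k8s.io"}]}


if __name__ == "__main__":
    print(diagnose(ROLES, ROLEBINDINGS, NAMESPACE, USER, WANT))
    fixed = ROLEBINDINGS + [make_rolebinding("editor-binding", "pipeline-editor", USER, NAMESPACE)]
    print(diagnose(ROLES, fixed, NAMESPACE, USER, WANT))
```

The first `diagnose` call reproduces the failure mode the answer describes (a suitable Role exists but is not bound to the user); the second shows the request passing once `make_rolebinding` adds the missing binding. On a live cluster the same question can be put to the API server directly with `kubectl auth can-i list experiments.pipelines.kubeflow.org -n sysspendanalytics --as sysspendanalytics`.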

Can't seal Vault with non-root token

Can't seal Vault, neither on the CLI nor with the HTTP API; both cite permission problems when using a token from userpass with a policy that has permissions on sys/seal. However, by generating a root token it can seal normally.
The documentation at the official site mentions:
This endpoint seals the Vault. In HA mode, only an active node can be sealed. Standby nodes should be restarted to get the same effect. Requires a token with root policy or sudo capability on the path.
Policy
path "sys/seal"
{
capabilities = ["create", "sudo"]
}
Error message
Error sealing: Error making API request.
URL: PUT <HOST>/v1/sys/seal
Code: 403. Errors:
* 1 error occurred:
* permission denied
"update" capability was required.
path "sys/seal"
{
capabilities = ["create", "update", "sudo" ]
}

Additional claims not showing up on cognito ID token

I am using the following CloudFormation template to add the cognito:preferred_role claim to my ID token.
IdentityPoolRoleAttachment:
  Type: AWS::Cognito::IdentityPoolRoleAttachment
  Properties:
    IdentityPoolId: !Ref IdentityPool
    Roles:
      "authenticated": !GetAtt AuthenticatedRole.Arn
      "unauthenticated": !GetAtt UnAuthenticatedRole.Arn
    RoleMappings:
      "userpool1":
        IdentityProvider: !Join …
        AmbiguousRoleResolution: Deny
        Type: Token
But I received an ID token that only contains standard claims in my client app.
I also noticed the unauthenticated role is applied to a user after login.
I changed AmbiguousRoleResolution to AuthenticatedRole but still no additional claims.
What am I missing?
I need to send this token to an API Gateway to assume a role based on the cognito:roles or cognito:preferred_role claim, to call the DynamoDB SDK using the authenticated role on Lambda.

403 error when making get request on bucket using IBM Cloud Object Storage CLI

I created a Cloud Object Storage service and created a standard bucket. My goal is to upload files using a service ID in the CLI.
As step 1, I am testing by following this link to run a few commands on the bucket I created: https://cloud.ibm.com/docs/cloud-object-storage?topic=cloud-object-storage-cli-ic-cos-cli
Here are some outputs:
ibmcloud cos config list
Key Value
Last Updated Tuesday, December 17 2019 at 23:31:19
Default Region us-east
Download Location /Users/myname/Downloads
CRN crn:v1:bluemix:public:cloud-object-storage:global:a/784492b2864521d53b6c4590e0f2bf34:f743cac0-6166-404f-abea-2e1d74c6a7ac:: f743cac0-6166-404f-abea-2e1d74c6a7ac
AccessKeyID
SecretAccessKey
Authentication Method IAM
URL Style VHost
ibmcloud cos list-buckets --ibm-service-instance-id crn:v1:bluemix:public:cloud-object-storage:global:a/784492b2864521d53b6c4590e0f2bf34:f743cac0-6166-404f-abea-2e1d74c6a7ac::
OK
2 buckets found in your account:
Name Date Created
hog-bucket2 Dec 18, 2019 at 05:43:28
hog-test-bucket-name Dec 17, 2019 at 16:59:41
ibmcloud cos head-bucket --bucket hog-bucket2
FAILED
Forbidden: Forbidden
status code: 403, request id: 2fba921d-a11c-4f45-b172-3937daeab633, host id:
I tried it on another bucket and I see the same 403.
I went into access policies for the bucket and created a policy to set myself as manager. But it didn't help.
Creating a bucket from cli worked fine:
ibmcloud cos create-bucket --bucket hog-cli-bucket-name --ibm-service-instance-id crn:v1:bluemix:public:cloud-object-storage:global:a/784492b2864521d53b6c4590e0f2bf34:f743cac0-6166-404f-abea-2e1d74c6a7ac::
OK
Details about bucket hog-cli-bucket-name:
Region: us-east
Class: Standard
Then I tried to get the list of buckets:
ibmcloud cos list-buckets --ibm-service-instance-id crn:v1:bluemix:public:cloud-object-storage:global:a/784492b2864521d53b6c4590e0f2bf34:f743cac0-6166-404f-abea-2e1d74c6a7ac::
OK
3 buckets found in your account:
Name Date Created
hog-bucket2 Dec 18, 2019 at 05:43:28
hog-cli-bucket-name Dec 18, 2019 at 06:14:03
hog-test-bucket-name Dec 17, 2019 at 16:59:41
which looked good, but trying to retrieve the class for the hog-cli-bucket-name bucket didn't work. It is asking me to log in.
ibmcloud cos get-bucket-class --bucket hog-cli-bucket-name
FAILED
Access to your IBM Cloud account was denied. Log in again by typing ibmcloud login --sso.
And after I log in, when I test get-bucket-class it keeps telling me to log in again.
I think your CRN looks wrong. I only used the last part of my CRN:
f743cac0-6166-404f-abea-2e1d74c6a7ac

Vault: how to create a secret-id

I've created a token:
$ vault token lookup abac979c-d00d-4182-5654-793861dc0be9
Key Value
--- -----
accessor ee63d369-0823-4f5d-62c3-5fb877f36a36
creation_time 1529483637
creation_ttl 604800
display_name token
entity_id n/a
expire_time 2018-06-27T08:33:57.103907674Z
explicit_max_ttl 0
id abac979c-d00d-4182-5654-793861dc0be9
issue_time 2018-06-20T08:33:57.103907333Z
meta <nil>
num_uses 0
orphan false
path auth/token/create
policies [default openshift-token-manager]
renewable true
ttl 603405
As you can see, it has the openshift-token-manager policy. This policy looks like:
vault policy read openshift-token-manager
path "auth/approle/role/openshift/secret-id" {
capabilities = ["update"]
}
I'm using this token to create a secret-id:
$ vault write -f auth/approle/role/openshift-ro/secret-id
Error writing data to auth/approle/role/openshift-ro/secret-id: Error making API request.
URL: PUT https://vault.vault-sidekick.svc/v1/auth/approle/role/openshift-ro/secret-id
Code: 403. Errors:
* permission denied
Any ideas?
The role openshift-ro that you are trying to create a secret-id for doesn't match the role granted in your policy, openshift - so the permission denied error seems correct based on that.
Change your policy to grant access to the openshift-ro role.
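Both Vault posts on this page ("Can't seal Vault with non-root token" and this secret-id one) come down to the same question: does the token's policy grant the required capability on the exact path being written? As an added example (not the Vault project's code), the block below parses policy stanzas of the shape shown in the posts and answers that question using Vault's path rules: exact match, a trailing `*` glob, and `+` for one path segment. The paths and capabilities are the ones from the two posts; the precedence logic (longest matching pattern wins, `deny` overrides) is a simplified model of Vault's evaluation.

```python
"""Added example serving both Vault questions on this page (not the Vault
project's code): a parser for policy stanzas of the shape shown in the posts
and a checker that answers "does this policy grant capability X on path Y?"
using Vault's exact-match, trailing-'*' glob and '+' segment rules. Paths and
capabilities come from the two posts; the matching logic is a simplified
model (longest matching path wins, 'deny' overrides)."""
import re

STANZA = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(text):
    """{path_pattern: set(capabilities)} from the HCL subset shown on the page."""
    rules = {}
    for path, caps in STANZA.findall(text):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def path_matches(pattern, path):
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    regex = re.escape(pattern).replace(r"\+", "[^/]+")
    if regex.endswith(r"\*"):
        regex = regex[:-2] + ".*"
    return re.fullmatch(regex, path) is not None


def granted(rules, path, capability):
    """Pick the most specific (longest) matching pattern and test its capabilities."""
    matches = [p for p in rules if path_matches(p, path)]
    if not matches:
        return False
    caps = rules[max(matches, key=len)]
    return "deny" not in caps and capability in caps


def missing(rules, path, required):
    """Required capabilities the policy does not grant on the path."""
    return sorted(c for c in required if not granted(rules, path, c))


# "Can't seal Vault": PUT sys/seal is an update on an existing path, and the
# docs require sudo as well, so 'create' alone is not enough.
SEAL_POLICY_ORIGINAL = '''
path "sys/seal"
{
capabilities = ["create", "sudo"]
}
'''
SEAL_POLICY_FIXED = '''
path "sys/seal"
{
capabilities = ["create", "update", "sudo" ]
}
'''
SEAL_REQUIRED = {"update", "sudo"}

# "how to create a secret-id": the policy names role "openshift" while the
# write targets role "openshift-ro"; vault write -f is an update on that path.
TOKEN_MANAGER_POLICY = '''
path "auth/approle/role/openshift/secret-id" {
capabilities = ["update"]
}
'''
TOKEN_MANAGER_FIXED = '''
path "auth/approle/role/openshift-ro/secret-id" {
capabilities = ["update"]
}
'''
SECRET_ID_PATH = "auth/approle/role/openshift-ro/secret-id"


if __name__ == "__main__":
    print("seal, original policy, missing:",
          missing(parse_policy(SEAL_POLICY_ORIGINAL), "sys/seal", SEAL_REQUIRED))
    print("seal, fixed policy, missing:",
          missing(parse_policy(SEAL_POLICY_FIXED), "sys/seal", SEAL_REQUIRED))
    print("secret-id, original policy:",
          granted(parse_policy(TOKEN_MANAGER_POLICY), SECRET_ID_PATH, "update"))
    print("secret-id, fixed policy:",
          granted(parse_policy(TOKEN_MANAGER_FIXED), SECRET_ID_PATH, "update"))
```

The check also makes a point about globs worth keeping in mind when widening the fix: a pattern such as `auth/approle/role/openshift*` would match `openshift-ro` but also every other role whose name starts with `openshift`, whereas `auth/approle/role/+/secret-id` grants secret-id generation for exactly one role segment without extending into sibling paths. Naming the one role the token manager needs, as the answer suggests, stays the narrowest option.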