Skip to main content
Solved

Group capabilities YAML indentation level

K
MVP
Forum|alt.badge.img+4

Hi.

I’m getting the following error:

ERROR (ToolkitYAMLFormatError): Failed to load 7.<groupname>.writer.Group.yaml with iam.groups(resource_scoped). Error: CogniteAuthError("Don't have correct access rights. Need READ and WRITE on datasetsAcl.").)

 

I’ve noticed that the “actions”-part of my YAML files have varying indentations. Like below, where the READ action is on a higher level than LIST and READ:

- extractionPipelinesAcl:
    actions:
    - READ
    scope:
      datasetScope:
        ids:
        - <removed>
        - <removed>
- groupsAcl:
    actions:
      - LIST
      - READ
    scope:

In the YAML-configuration reference, there are examples of both:

 - dataModelInstancesAcl:
      actions:
        - READ
      scope:
        spaceIdScope: {
            spaceIds: [
              'my_space'
            ]
        }

<...>

  - rawAcl:
      actions:
      - READ
      - WRITE
      scope:
        tableScope:
          dbsToTables:
            my_database:
              tables: []

Does indentation level matter, and if so, which one is correct?

Best answer by Anders Albert

Based on the error message it looks like there is no issues with the YAML file.

The issue seems to be that the service principal that is setup for the Toolkit is not configured correctly as it is missing the access to read and write data sets. 

The reason why it is failing when loading the group, is that the toolkit will substitute all dataset external ids in any ACL that is scoped to a dataset, see https://docs.cognite.com/cdf/deploy/cdf_toolkit/references/configs#dataset-scope

 

View original
Did this topic help you find an answer to your question?

4 replies

Anders Albert
Seasoned Practitioner
Forum|alt.badge.img
  • Anders Albert
  • Seasoned Practitioner
  • 96 replies
  • Answer
  • June 18, 2024

Based on the error message it looks like there is no issues with the YAML file.

The issue seems to be that the service principal that is setup for the Toolkit is not configured correctly as it is missing the access to read and write data sets. 

The reason why it is failing when loading the group, is that the toolkit will substitute all dataset external ids in any ACL that is scoped to a dataset, see https://docs.cognite.com/cdf/deploy/cdf_toolkit/references/configs#dataset-scope

 

K
1 person likes this
  • K
    Kristian Nymoen
K
MVP
Forum|alt.badge.img+4

We have a similar issue for spaceIds, where this seems to work:

spaceIds:
- sp_firstspace
- sp_secondspace

Although the documentation seems to call for the use of brackets:

 spaceIds: [
              'my_space'
            ]

 

Anders Albert
Seasoned Practitioner
Forum|alt.badge.img
  • Anders Albert
  • Seasoned Practitioner
  • 96 replies
  • June 18, 2024

Both seem should be fine as YAML is a superset of JSON. In principle, you could write pure JSON. 

What is the error message you get when you run it with?

 spaceIds: [
              'my_space'
            ]

 

K
MVP
Forum|alt.badge.img+4
Anders Albert wrote:

Both seem should be fine as YAML is a superset of JSON. In principle, you could write pure JSON. 

What is the error message you get when you run it with?

 spaceIds: [
              'my_space'
            ]

 

Thanks for the clarification. No error running this format. It was just unclear to me that both syntaxes were valid. 

 

Regarding the initial issue mentioned in the first post. I revisited the configuration of the toolkit client and found that I forgot to update the toolkit group ID in config.dev.yaml. Seems like on deploy, toolkit removed it’s own access. Problem solved when setting the correct source_id for the toolkit-group. Thanks!

Anders Albert
1 person likes this
  • Anders Albert
    Anders Albert

Reply


Terms & ConditionsCookie Settings

Cookie Policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie Settings