Please click here to visit the documentation and ensure that you have setup
authentication for the CDF toolkit correctly
Please note that I am using Toolkit in an Azure DevOps pipeline, so it's the CLI, and I don't see any documentation link there as mentioned in the error.
What access is required for deploy (with or without dry run)?
Best answer by Anders Albert
@Khilesh Sahu There is a small bug in that error message, it should say ‘deploy’ not ‘clean’, I will fix this. Otherwise, it tells you what access you need, i.e., READ capability of type DataModelsAcl scoped to All.
@Neerajkumar Bhatewara It depends on which resources you want to govern with Toolkit. If you only want to use Toolkit for data models, then it is sufficient with the DataModelsAcl capability with READ+WRITE. If you want to govern all resources that Toolkit supports, you can use the `cdf auth verify` command. This will see what capabilities you have and suggest which ones to add given that you set up the `cognite-toolkit-service-principal` group with the minimum capabilities (Project + Group), see the quick setup guide in the docs.
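A pre-flight check a pipeline could run over the capabilities of the group its service principal belongs to, as an added example that is not part of this thread or of Toolkit itself. It assumes capabilities in the shape used by the CDF groups API; the function names, the `spaceIdScope` sample and all sample data are constructed for illustration.

```python
# Added example (not Toolkit code): report which required capabilities are
# missing when they must be granted with scope "all", as in the error above.

# Requirement stated in the answer for governing only data models.
REQUIRED_DATA_MODELS = {("dataModelsAcl", "READ"), ("dataModelsAcl", "WRITE")}


def granted_all_scope(capabilities):
    """Return the set of (acl, action) pairs granted with scope 'all'."""
    granted = set()
    for cap in capabilities:
        for acl, body in cap.items():
            # Skip non-ACL keys that may sit beside the ACL entry.
            if not isinstance(body, dict) or "actions" not in body:
                continue
            if "all" in body.get("scope", {}):
                granted.update((acl, action) for action in body["actions"])
    return granted


def missing_capabilities(capabilities, required):
    """Sorted list of required (acl, action) pairs not granted on scope 'all'."""
    return sorted(required - granted_all_scope(capabilities))


# Constructed sample: a group holding only Project + Group capabilities.
MINIMUM_GROUP = [
    {"projectsAcl": {"actions": ["LIST", "READ"], "scope": {"all": {}}}},
    {"groupsAcl": {"actions": ["LIST", "READ", "CREATE", "UPDATE", "DELETE"],
                   "scope": {"all": {}}}},
]

# Constructed sample: READ exists but only for one space, so a check that
# needs READ scoped to All still fails.
SPACE_SCOPED_GROUP = MINIMUM_GROUP + [
    {"dataModelsAcl": {"actions": ["READ"],
                       "scope": {"spaceIdScope": {"spaceIds": ["my_space"]}}}},
]

# Constructed sample: READ+WRITE on all data models added.
DATA_MODEL_GROUP = MINIMUM_GROUP + [
    {"dataModelsAcl": {"actions": ["READ", "WRITE"], "scope": {"all": {}}}},
]

if __name__ == "__main__":
    for name, caps in [("minimum", MINIMUM_GROUP), ("space-scoped", SPACE_SCOPED_GROUP),
                       ("data-model", DATA_MODEL_GROUP)]:
        print(name, missing_capabilities(caps, REQUIRED_DATA_MODELS))
```

`cdf auth verify` remains the authoritative check; this only illustrates why a capability that is present but narrowly scoped can still produce the error.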
All `AuthorizationError`s will be related to the Service Principal that you have assigned in the DevOps pipeline. The variable is named `IDP_CLIENT_ID` along with its secret `IDP_CLIENT_SECRET`. That Service Principal MUST be a member of the Entra/Azure group that is linked to the CDF group `cognite-toolkit-service-principal`.
One question: is the CDF group `cognite-toolkit-service-principal` created by default in each CDF project, or are you suggesting that we create one with the necessary capabilities?
If we have to create that group, what are the minimum capabilities required to succeed in the operation? From the error it seems only “DataModelsAcl” Read is missing in the current setup. Adding that should solve the problem, correct?