Skip to main content
Solved

While python SDK: Cognite API error : Resource not found. This may also be due to insufficient access rights. | code: 403 | X-Request-ID: 941c405e-bd77-9105-9485-4bfe9575c998


Forum|alt.badge.img+2

We are trying to connect CDF Project instance : accenture-demo-dev through python SDK. We are getting the below error :

Cognite API error : Resource not found. This may also be due to insufficient access rights. | code: 403 | X-Request-ID: 941c405e-bd77-9105-9485-4bfe9575c998

We have provided all capabilities access to this project. 

cdf project link : https://accenture.fusion.cognite.com/accenture-demo-dev?cluster=api.cognitedata.com

 

 

 

 

Best answer by ShylashriSelvamani

hi @Dilini Fernando  yes this issue is resolved. after adding app registration service principal in the user memeber group.it works

View original

Forum|alt.badge.img

Can you try to run 

client.iam.token.inspect()

it should list all the capabilities that you have


Forum|alt.badge.img+2

After running the command 

client.iam.token.inspect()

below is the output

 

 


Forum|alt.badge.img

Yes, so it looks like you have no capabilities,
Which Azure AD group does your user belong to? And which CDF group is that AD group connected to? 
There is most likely something incorrect there 


Forum|alt.badge.img

Under projects, it should list the projects you have access to and then the capabilities for each of the project. 
So I would check if: 

  • you or the service account you are using is member of the Azure AD groups
  • the Azure AD group is linked to the CDF group 
     
{
    "subject": "xxxxxxx",
    "projects": [
        {
            "url_name": "project1",
            "groups": [
                123456789,
                123456788,
                123456787
            ]
        },
        {
            "url_name": "project2",
            "groups": [
                123456789,
                123456788,
                123456787
            ]
        }
    ],
 "capabilities": [
        {
            "projectsAcl": {
                "version": 1,
                "actions": [
                    "UPDATE",
                    "LIST",
                    "READ"
                ],
                "scope": {
                    "all": {}
                }
            },
            "projectScope": {
                "projects": [
                    "project1"
                ]
            }
        },
        {
            "groupsAcl": {
                "version": 1,
                "actions": [
                    "CREATE",
                    "DELETE",
                    "UPDATE",
                    "LIST",
                    "READ"
                ],
                "scope": {
                    "all": {}
                }
            },
            "projectScope": {
                "projects": [
                    "project1"
                ]
            }
        },

.......

 


Forum|alt.badge.img+2

The below is the user group in Azure AD. And also the member and owner of the group.

 

The above usergroup object id mapped to CDF project group.

 

 


Forum|alt.badge.img

I cannot see all the capabilities, but do you have “groups:list” and “project:list” as part of the capabilities? 
And for the code you are trying to run, you also need “datasets:list” (if you dont have it)

Can you also share the code you use to create the client object? 
 


Forum|alt.badge.img+2

Yes, we have all capabilities added in the cdf group. refer screenshot below

and for datasets, i dont see any capability for datasets:list under manage access

 

Attaching python sdk for your reference. i am not able to send as python format, attaching the code in txt format.


Forum|alt.badge.img

yes, sorry datasets:list was a typo, i meant datasets:read

 

However, you are not authenticating with your user since you are using clientID/client secret
I will refer you for more information https://docs.cognite.com/cdf/access/concepts/authentication_flows_oidc

For your case, you need the app registration with client ID “d5912468-12f6-4b74-abe7-3948cf8d731a” to be also part of the Azure AD group. 

 

Also, since you shared a secret in the snippet above, I would recommend deleting that secret and regenerating a new one. 

 

If you would like to log in on behalf of your user, you can use this guide to set up an app registration for that, in this case you will not need a client secret

https://docs.cognite.com/dev/guides/sdk/python/register_app_jupyter_sdk


Forum|alt.badge.img

Seems like you get authorized successfully by AAD. That leads me to think you are missing one or both of:

  1. Projects:LIST in scope: all
  2. Groups:LIST in scope: all OR scoped to "current user" (i.e. list your own groups)

Forum|alt.badge.img+2

 

Hi @Håkon V. Treider its already present as your comments. attaching screenshot


Forum|alt.badge.img
ShylashriSelvamani wrote:

(...)

Hi @Håkon V. Treider its already present as your comments. attaching screenshot

Seems like it is working now, right? 😄


Dilini Fernando
Seasoned Practitioner
Forum|alt.badge.img+2

Hi @ShylashriSelvamani,

Were you able to solve the issue? 

Best regards,
Dilini 


Forum|alt.badge.img+2

hi @Dilini Fernando  yes this issue is resolved. after adding app registration service principal in the user memeber group.it works


Reply


Cookie Policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie Settings