Solved

While python SDK: Cognite API error : Resource not found. This may also be due to insufficient access rights. | code: 403 | X-Request-ID: 941c405e-bd77-9105-9485-4bfe9575c998


Userlevel 1
Badge +2

We are trying to connect CDF Project instance : accenture-demo-dev through python SDK. We are getting the below error :

Cognite API error : Resource not found. This may also be due to insufficient access rights. | code: 403 | X-Request-ID: 941c405e-bd77-9105-9485-4bfe9575c998

We have provided all capabilities access to this project. 

cdf project link : https://accenture.fusion.cognite.com/accenture-demo-dev?cluster=api.cognitedata.com

 

 

 

 

icon

Best answer by ShylashriSelvamani 29 March 2023, 11:22

View original

13 replies

Userlevel 1
Badge +2

hi @Dilini Fernando  yes this issue is resolved. after adding app registration service principal in the user memeber group.it works

Userlevel 4
Badge +2

Hi @ShylashriSelvamani,

Were you able to solve the issue? 

Best regards,
Dilini 

Userlevel 4
Badge

(...)

Hi @Håkon V. Treider its already present as your comments. attaching screenshot

Seems like it is working now, right? 😄

Userlevel 1
Badge +2

 

Hi @Håkon V. Treider its already present as your comments. attaching screenshot

Userlevel 4
Badge

Seems like you get authorized successfully by AAD. That leads me to think you are missing one or both of:

  1. Projects:LIST in scope: all
  2. Groups:LIST in scope: all OR scoped to "current user" (i.e. list your own groups)
Userlevel 3

yes, sorry datasets:list was a typo, i meant datasets:read

 

However, you are not authenticating with your user since you are using clientID/client secret
I will refer you for more information https://docs.cognite.com/cdf/access/concepts/authentication_flows_oidc

For your case, you need the app registration with client ID “d5912468-12f6-4b74-abe7-3948cf8d731a” to be also part of the Azure AD group. 

 

Also, since you shared a secret in the snippet above, I would recommend deleting that secret and regenerating a new one. 

 

If you would like to log in on behalf of your user, you can use this guide to set up an app registration for that, in this case you will not need a client secret

https://docs.cognite.com/dev/guides/sdk/python/register_app_jupyter_sdk

Userlevel 1
Badge +2

Yes, we have all capabilities added in the cdf group. refer screenshot below

and for datasets, i dont see any capability for datasets:list under manage access

 

Attaching python sdk for your reference. i am not able to send as python format, attaching the code in txt format.

Userlevel 3

I cannot see all the capabilities, but do you have “groups:list” and “project:list” as part of the capabilities? 
And for the code you are trying to run, you also need “datasets:list” (if you dont have it)

Can you also share the code you use to create the client object? 
 

Userlevel 1
Badge +2

The below is the user group in Azure AD. And also the member and owner of the group.

 

The above usergroup object id mapped to CDF project group.

 

 

Userlevel 3

Under projects, it should list the projects you have access to and then the capabilities for each of the project. 
So I would check if: 

  • you or the service account you are using is member of the Azure AD groups
  • the Azure AD group is linked to the CDF group 
     
{
"subject": "xxxxxxx",
"projects": [
{
"url_name": "project1",
"groups": [
123456789,
123456788,
123456787
]
},
{
"url_name": "project2",
"groups": [
123456789,
123456788,
123456787
]
}
],
"capabilities": [
{
"projectsAcl": {
"version": 1,
"actions": [
"UPDATE",
"LIST",
"READ"
],
"scope": {
"all": {}
}
},
"projectScope": {
"projects": [
"project1"
]
}
},
{
"groupsAcl": {
"version": 1,
"actions": [
"CREATE",
"DELETE",
"UPDATE",
"LIST",
"READ"
],
"scope": {
"all": {}
}
},
"projectScope": {
"projects": [
"project1"
]
}
},

.......

 

Userlevel 3

Yes, so it looks like you have no capabilities,
Which Azure AD group does your user belong to? And which CDF group is that AD group connected to? 
There is most likely something incorrect there 

Userlevel 1
Badge +2

After running the command 

client.iam.token.inspect()

below is the output

 

 

Userlevel 3

Can you try to run 

client.iam.token.inspect()

it should list all the capabilities that you have

Reply