While python SDK: Cognite API error : Resource not found. This may also be due to insufficient access rights. | code: 403 | X-Request-ID: 941c405e-bd77-9105-9485-4bfe9575c998
Solved
We are trying to connect to the CDF project instance accenture-demo-dev through the Python SDK. We are getting the below error:
Cognite API error : Resource not found. This may also be due to insufficient access rights. | code: 403 | X-Request-ID: 941c405e-bd77-9105-9485-4bfe9575c998
We have provided all capabilities access to this project.
Hi @Dilini Fernando, yes, this issue is resolved. After adding the app registration service principal in the user member group, it works.
Can you try to run
client.iam.token.inspect()
It should list all the capabilities that you have.
After running the command
client.iam.token.inspect()
below is the output
Yes, so it looks like you have no capabilities. Which Azure AD group does your user belong to? And which CDF group is that AD group connected to? There is most likely something incorrect there.
Under projects, it should list the projects you have access to and then the capabilities for each of the project. So I would check if:
you or the service account you are using is a member of the Azure AD groups
the Azure AD group is linked to the CDF group
{
  "subject": "xxxxxxx",
  "projects": [
    {
      "url_name": "project1",
      "groups": [123456789, 123456788, 123456787]
    },
    {
      "url_name": "project2",
      "groups": [123456789, 123456788, 123456787]
    }
  ],
  "capabilities": [
    {
      "projectsAcl": {
        "version": 1,
        "actions": ["UPDATE", "LIST", "READ"],
        "scope": { "all": {} }
      },
      "projectScope": { "projects": ["project1"] }
    },
    {
      "groupsAcl": {
        "version": 1,
        "actions": ["CREATE", "DELETE", "UPDATE", "LIST", "READ"],
        "scope": { "all": {} }
      },
      "projectScope": { "projects": ["project1"] }
    },
.......
The below is the user group in Azure AD. And also the member and owner of the group.
The above user group object ID is mapped to the CDF project group.
I cannot see all the capabilities, but do you have “groups:list” and “project:list” as part of the capabilities? And for the code you are trying to run, you also need “datasets:list” (if you don't have it).
Can you also share the code you use to create the client object?
Yes, we have all capabilities added in the CDF group. Refer to the screenshot below.
And for datasets, I don't see any capability for datasets:list under manage access.
Attaching the Python SDK code for your reference. I am not able to send it in Python format, so I am attaching the code in txt format.
Yes, sorry, datasets:list was a typo, I meant datasets:read.
For your case, you need the app registration with client ID “d5912468-12f6-4b74-abe7-3948cf8d731a” to be also part of the Azure AD group.
Also, since you shared a secret in the snippet above, I would recommend deleting that secret and regenerating a new one.
If you would like to log in on behalf of your user, you can use this guide to set up an app registration for that. In this case you will not need a client secret.
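The checks suggested in this thread can be run over the JSON form of the `client.iam.token.inspect()` result. The following is an added example, not code from any poster or from Cognite: the sample data is constructed in the shape of the output quoted above, the function names are hypothetical, and the `datasetsAcl` key is an assumption by analogy with the keys shown.

```python
# Constructed sample in the shape of the token-inspect output quoted in the thread.
SAMPLE = {
    "subject": "xxxxxxx",
    "projects": [{"url_name": "project1", "groups": [123456789]}],
    "capabilities": [
        {"projectsAcl": {"version": 1, "actions": ["LIST", "READ"], "scope": {"all": {}}},
         "projectScope": {"projects": ["project1"]}},
        {"groupsAcl": {"version": 1, "actions": ["LIST", "READ"], "scope": {"all": {}}},
         "projectScope": {"projects": ["project1"]}},
    ],
}

# Capabilities named in the thread; "datasetsAcl" is assumed by analogy
# with the "projectsAcl"/"groupsAcl" keys visible in the quoted output.
REQUIRED = [("projectsAcl", "LIST"), ("groupsAcl", "LIST"), ("datasetsAcl", "READ")]


def granted_actions(inspection, project):
    """Map ACL name -> set of actions the token holds in `project`."""
    granted = {}
    for cap in inspection.get("capabilities", []):
        if project not in cap.get("projectScope", {}).get("projects", []):
            continue
        for name, acl in cap.items():
            if name != "projectScope":
                granted.setdefault(name, set()).update(acl.get("actions", []))
    return granted


def diagnose(inspection, project, required=REQUIRED):
    """Return findings; an empty list means the token has what was asked for."""
    groups = {p["url_name"]: p.get("groups", []) for p in inspection.get("projects", [])}
    if project not in groups:
        return [f"project '{project}' not listed: is the user or app registration "
                "a member of the Azure AD group?"]
    findings = []
    if not groups[project]:
        findings.append("no CDF groups: is the Azure AD group linked to a CDF group?")
    granted = granted_actions(inspection, project)
    for acl, action in required:
        if action not in granted.get(acl, set()):
            findings.append(f"missing {acl}:{action}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE, "project1") or ["token looks sufficient"]:
        print(line)
```

A token with an empty `projects` list, as in the case discussed here, stops at the first finding, which points at Azure AD group membership rather than at individual capabilities.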