Skip to main content
Question

Transformation Credentials?

  • November 19, 2025
  • 7 replies
  • 50 views
Z
Committed
Forum|alt.badge.img

What capabilities are required to run a transformation using client credentials? I have a client_id and client_secret that when I add to the transformation and hit ‘Test credentials’ it says ‘Credentials verified’. However when I run with client credentials I get an error: Transformation job could not be created. Error code: 403 API error: Invalid source/destination credentials: Token did not provide access to project kuraray-america. Request ID: eb5136ee-594d-971f-b27a-7be0d1a60b15

these credentials are a part of a group that that has read and write capabilities to:

  • transformations
  • sessions
  • datamodelinstances (that is what this particular trasformation is creating)

Additionally I am part of the same groups as this client_id, and I am able to run the transformation using ‘run as current user’ successfully

Mithila Jayalath

7 replies

Mithila Jayalath
Seasoned Practitioner
Forum|alt.badge.img+8

@Zebulon Bell will you be able to share the token inspect of both your client credentials and your current user?

Z
Committed
Forum|alt.badge.img
  • Zebulon Bell
  • Author
  • Committed
  • November 20, 2025

heres the token inspect of my client credentials:

{'subject': 'd0378850-1e9f-476e-8e78-8ec826ea253c',
 'projects': [{'projectUrlName': 'kuraray-america-dev',
   'groups': [3826667641590810]}],
 'capabilities': [{'assetsAcl': {'actions': ['READ', 'WRITE'],
    'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'eventsAcl': {'actions': ['READ', 'WRITE'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'filesAcl': {'actions': ['READ', 'WRITE'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'rawAcl': {'actions': ['READ', 'WRITE', 'LIST'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'relationshipsAcl': {'actions': ['READ', 'WRITE'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'timeSeriesAcl': {'actions': ['READ', 'WRITE'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'timeSeriesSubscriptionsAcl': {'actions': ['READ', 'WRITE'],
    'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'dataModelsAcl': {'actions': ['READ', 'WRITE'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'dataModelInstancesAcl': {'actions': ['READ', 'WRITE', 'WRITE_PROPERTIES'],
    'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'transformationsAcl': {'actions': ['READ', 'WRITE'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'sessionsAcl': {'actions': ['LIST', 'CREATE', 'DELETE'],
    'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'groupsAcl': {'actions': ['LIST', 'READ', 'CREATE', 'UPDATE', 'DELETE'],
    'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'datasetsAcl': {'actions': ['READ', 'WRITE', 'OWNER'],
    'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'projectsAcl': {'actions': ['LIST', 'READ', 'UPDATE'],
    'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'extractionPipelinesAcl': {'actions': ['READ', 'WRITE'],
    'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'extractionRunsAcl': {'actions': ['READ', 'WRITE'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}},
  {'userProfilesAcl': {'actions': ['READ'], 'scope': {'all': {}}},
   'projectScope': {'projects': ['kuraray-america-dev']}}]}



Not sure how to get them for my current user, but as they are in the same group I assume they are the same.

Mithila Jayalath
Z
Committed
Forum|alt.badge.img
  • Zebulon Bell
  • Author
  • Committed
  • November 20, 2025

Strange. This Token inspect is only showing things for the kuraray-america-dev project. But I’ve confirmed that this client credential is able to alter the production environment (america-america) as well, and that is the project that I am concerned about.

Mithila Jayalath
Mithila Jayalath
Seasoned Practitioner
Forum|alt.badge.img+8

But I’ve confirmed that this client credential is able to alter the production environment (america-america)

@Zebulon Bell as per the token inspect the client application does not have access to kuraray-america. You might need to check again whether the application is a member of the correct azure groups.

You can get ths token inspect for the current user from bottom left corner of the CDF UI.

 

Z
Committed
Forum|alt.badge.img
  • Zebulon Bell
  • Author
  • Committed
  • November 20, 2025

I have confirmed that my client_id is in the azure group, and this azure group is tied to a cognite credential group in both production and dev as seen in this screenshot, so I’m not sure why this token inspect is only showing the dev. I have set up the entire production environment using this client_id.

 

here is my user client inspection in the production envieroment:

{ "subject": "BXI_hkH3ku8sAnwdPEqBAg", "projects": [ { "projectUrlName": "kuraray-america-dev", "groups": [ 3826667641590810, 5876976553872044 ] }, { "projectUrlName": "kuraray-america", "groups": [ 2369438071410274, 8431119511512233 ] } ], "capabilities": [ { "rawAcl": { "actions": [ "READ", "WRITE", "LIST" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "assetsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "eventsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "timeSeriesAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "filesAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "threedAcl": { "actions": [ "READ", "CREATE", "UPDATE", "DELETE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "relationshipsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "timeSeriesSubscriptionsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "dataModelsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "dataModelInstancesAcl": { "actions": [ "READ", "WRITE", "WRITE_PROPERTIES" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "datasetsAcl": { "actions": [ "READ", "WRITE", "OWNER" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "extractionPipelinesAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "extractionRunsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "extractionConfigsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "functionsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "transformationsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "labelsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "scheduledCalculationsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "sessionsAcl": { "actions": [ "LIST", "CREATE", "DELETE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "workflowOrchestrationAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "relationshipsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "timeSeriesAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "projectsAcl": { "actions": [ "UPDATE", "LIST", "READ" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "groupsAcl": { "actions": [ "CREATE", "READ", "LIST", "UPDATE", "DELETE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "userProfilesAcl": { "actions": [ "READ" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "experimentAcl": { "actions": [ "USE" ], "scope": { "experimentscope": { "experiments": [ "identity" ] } } }, "projectScope": { "projects": [ "kuraray-america" ] } }, { "assetsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "eventsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "filesAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "rawAcl": { "actions": [ "READ", "WRITE", "LIST" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "relationshipsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "timeSeriesAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "timeSeriesSubscriptionsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "dataModelsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "dataModelInstancesAcl": { "actions": [ "READ", "WRITE", "WRITE_PROPERTIES" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "transformationsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "sessionsAcl": { "actions": [ "LIST", "CREATE", "DELETE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "groupsAcl": { "actions": [ "LIST", "READ", "CREATE", "UPDATE", "DELETE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "datasetsAcl": { "actions": [ "READ", "WRITE", "OWNER" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "projectsAcl": { "actions": [ "LIST", "READ", "UPDATE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "extractionPipelinesAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "extractionRunsAcl": { "actions": [ "READ", "WRITE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "projectsAcl": { "actions": [ "UPDATE", "LIST", "READ" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "groupsAcl": { "actions": [ "CREATE", "READ", "LIST", "UPDATE", "DELETE" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "userProfilesAcl": { "actions": [ "READ" ], "scope": { "all": {} } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } }, { "experimentAcl": { "actions": [ "USE" ], "scope": { "experimentscope": { "experiments": [ "identity" ] } } }, "projectScope": { "projects": [ "kuraray-america-dev" ] } } ] }


Thank you for you continued help.

Mithila Jayalath
Mithila Jayalath
Seasoned Practitioner
Forum|alt.badge.img+8

@Zebulon Bell just to give you an update on this. We are investigating this internally and I’ll get back to you when I have an update.

Mithila Jayalath
Seasoned Practitioner
Forum|alt.badge.img+8

@Zebulon Bell In order further investigate this issue, we will need to check the decoded access token (without signature) of the client application to verify that the group claim is there.

I’ll create a support ticket for this issue so you can share the details in the ticket since this topic is in a open communtiy.

Terms & ConditionsCookie SettingsAccessibility statement