Hi.
We’re administering CDF deployments from Github using github actions and Cognite toolkit.
I’m setting up a github action to automatically perform a dry-run for a pull request to main, and post the dry-run output as a comment on the PR to assist the reviewer.
I’d preferably like to use a client with read-only access to CDF for this, but it seems cdf-tk requires full write access even for dry runs - is that so?
Performing a dry-run locally with read-only credentials results in:
ERROR (AuthorizationError): Don't have correct access rights to deploy iam.groups(all_scoped). Missing:
GroupsAcl(actions=[<GroupsAcl Action.Create: 'CREATE'>], scope=AllScope()) -
GroupsAcl(actions=[<GroupsAcl Action.Delete: 'DELETE'>], scope=AllScope())
Please click here to visit the documentation and ensure that you have setup authentication for the CDF toolkit correctly.
I would expect to see the same error on my github-action, but it stops without much useful information:
Run cdf-tk deploy --env=dev --dry-run > dryrun-output.txt
cdf-tk deploy --env=dev --dry-run > dryrun-output.txt
shell: /usr/bin/bash -e {0}
env:
PYTHON_VERSION: 3.11
CDF_CLUSTER: az-***
CDF_PROJECT: ska***
IDP_CLIENT_ID: ***
IDP_CLIENT_SECRET: ***
IDP_TENANT_ID: ***
pythonLocation: /opt/hostedtoolcache/Python/3.11.10/x64
PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.11.10/x64/lib/pkgconfig
Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.10/x64
Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.10/x64
Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.10/x64
LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.11.10/x64/lib
Error: Process completed with exit code 1.