Skip to main content
Solved

deploy dry-run with read-only access

  • 26 September 2024
  • 1 reply
  • 26 views

Forum|alt.badge.img+4

Hi.

We’re administering CDF deployments from Github using github actions and Cognite toolkit.

I’m setting up a github action to automatically perform a dry-run for a pull request to main, and post the dry-run output as a comment on the PR to assist the reviewer.

I’d preferably like to use a client with read-only access to CDF for this, but it seems cdf-tk requires full write access even for dry runs - is that so?

 

Performing a dry-run locally with read-only credentials results in:

ERROR (AuthorizationError): Don't have correct access rights to deploy iam.groups(all_scoped). Missing:
GroupsAcl(actions=[<GroupsAcl Action.Create: 'CREATE'>], scope=AllScope()) -
GroupsAcl(actions=[<GroupsAcl Action.Delete: 'DELETE'>], scope=AllScope())
Please click here to visit the documentation and ensure that you have setup authentication for the CDF toolkit correctly.

I would expect to see the same error on my github-action, but it stops without much useful information:

Run cdf-tk deploy --env=dev --dry-run > dryrun-output.txt
cdf-tk deploy --env=dev --dry-run > dryrun-output.txt
shell: /usr/bin/bash -e {0}
env:
    PYTHON_VERSION: 3.11
    CDF_CLUSTER: az-***
    CDF_PROJECT: ska***
    IDP_CLIENT_ID: ***
    IDP_CLIENT_SECRET: ***
    IDP_TENANT_ID: ***
    pythonLocation: /opt/hostedtoolcache/Python/3.11.10/x64
    PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.11.10/x64/lib/pkgconfig
    Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.10/x64
    Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.10/x64
    Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.11.10/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.11.10/x64/lib
Error: Process completed with exit code 1.

Best answer by palronning

Hi Kristian, I you’re right: the Toolkit does indeed expect full WRITE/DELETE even for --dry-run, but that shouldn’t be necessary. We should be able to fix this fairly quick. Thanks for reporting!

View original

  • Architect
  • September 27, 2024

Hi Kristian, I you’re right: the Toolkit does indeed expect full WRITE/DELETE even for --dry-run, but that shouldn’t be necessary. We should be able to fix this fairly quick. Thanks for reporting!


Reply


Cookie Policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie Settings