globus/globus-sdk-python

usage Client Credentials Authentication

pka420 opened this issue · 1 comments

pka420 commented

Hi,

I created a new web app on Globus, created client_id and client_secret.
When I authenticate using ConfidentialAppAuthClient here, I am able to obtain tokens.

But the transfer_token is not authorized to be used with any of my endpoints.

The token belongs to client_id@clients.auth.globus.org but the endpoints belong to a user.

How can I use ConfidentialAppAuthClient to get authorization for changing my endpoints?

Hi there! I'm not sure that this is really a globus-sdk question per se, so you may get better support via support@globus.org

That said, all you should need to do to use client credentials to manage an endpoint is add the client to the administrators on that endpoint.
The simplest way would be via the web GUI, where you can navigate to the Roles tab and add an identity there.
Here's a sample screenshot from one of my own endpoints:
image

Just select the Assign New Role option on the right and plug in your client ID as an Administrator.

You can also do this via the globus-cli (install doc) with

$ globus endpoint role create $ENDPOINT_ID --identity $CLIENT_ID --role administrator

Once your client is an admin of the endpoint, it should have full management capabilities just like your user account.

Notably, some role assignment features require a subscription, so this might not work for you if you don't have a subscription. (I'm not an expert on the full suite of restrictions, but I believe that role assignment is unavailable on GCP without a subscription, but that it is available on GCS.)
If you can't use a role to delegate access, then it won't be possible for your client to manage endpoints belonging to other users.
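
Added example (not part of the thread and not the globus-sdk project's own code): once the role has been assigned, the client can confirm with its own client-credentials token that it holds `administrator` on the endpoint before attempting any management call. It assumes the Transfer endpoint document's `my_effective_roles` field; the helper names and the `GLOBUS_*` environment variable names are hypothetical.

```python
"""Confirm a client identity can manage an endpoint after a role was assigned."""
import os

# Transfer scope requested through the client-credentials authorizer.
TRANSFER_SCOPE = "urn:globus:auth:scope:transfer.api.globus.org:all"


def client_username(client_id):
    """Identity username that tokens from a confidential client belong to."""
    return f"{client_id}@clients.auth.globus.org"


def transfer_client_for(client_id, client_secret):
    """Build a TransferClient that acts as the client identity itself."""
    import globus_sdk  # imported lazily so the helpers below work offline

    auth = globus_sdk.ConfidentialAppAuthClient(client_id, client_secret)
    authorizer = globus_sdk.ClientCredentialsAuthorizer(auth, TRANSFER_SCOPE)
    return globus_sdk.TransferClient(authorizer=authorizer)


def missing_roles(endpoint_doc, required=("administrator",)):
    """Return the required roles the calling identity does NOT hold."""
    # Assumption: the endpoint document lists the caller's roles here.
    held = set(endpoint_doc.get("my_effective_roles") or [])
    return sorted(set(required) - held)


def assert_can_manage(tc, endpoint_id, client_id):
    """Fail closed, with an actionable message, before any management call."""
    doc = tc.get_endpoint(endpoint_id).data
    missing = missing_roles(doc)
    if missing:
        raise PermissionError(
            f"{client_username(client_id)} lacks {missing} on {endpoint_id}; "
            "have the endpoint owner assign the role first"
        )
    return doc


if __name__ == "__main__":
    # Hypothetical variable names; secrets come from the environment,
    # never from source control.
    cid = os.environ["GLOBUS_CLIENT_ID"]
    tc = transfer_client_for(cid, os.environ["GLOBUS_CLIENT_SECRET"])
    doc = assert_can_manage(tc, os.environ["GLOBUS_ENDPOINT_ID"], cid)
    print("effective roles:", doc["my_effective_roles"])
```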