oci python SDK while using instance-principals, raising exceptions.ServiceError NotAuthorizedOrNotFound
Closed this issue · 7 comments
oci python SDK, while using instance-principals, is raising exceptions.ServiceError
and showing NotAuthorizedOrNotFound.
The strange thing is:
listing compartments works,
but listing users, groups, policies etc. shows this error.
Here is the code I am trying:
import oci

# Obtain an instance-principal signer from the instance metadata service
try:
    signer = oci.auth.signers.InstancePrincipalsSecurityTokenSigner()
except Exception:
    print("There was an error while trying to get the Signer")
    raise SystemExit(1)

# The signer carries the tenancy OCID of the instance's tenancy
tenancyOcid = signer.tenancy_id
identity_client = oci.identity.IdentityClient(config={}, signer=signer)

# LIST USERS THROWING ERROR
# res = identity_client.list_users(tenancyOcid)

# LIST COMPARTMENT WORKING FINE - OK
res = identity_client.list_compartments(tenancyOcid)
print(str(res))
print('-------')
print(str(res.data))
Initially I gave only read and inspect permissions, but later all permissions as well, to verify that this is not the issue.
And the error shown for list-users:
Traceback (most recent call last):
File "get_users-by_instance_principals.py", line 27, in <module>
res = identity_client.list_users(tenancyOcid)
File "/home/opc/oci-auditing/lib64/python3.8/site-packages/oci/identity/identity_client.py", line 11284, in list_users
return self.base_client.call_api(
File "/home/opc/oci-auditing/lib64/python3.8/site-packages/oci/base_client.py", line 463, in call_api
return self.request(request, allow_control_chars)
File "/home/opc/oci-auditing/lib64/python3.8/site-packages/circuitbreaker.py", line 52, in wrapper
return self.call(function, *args, **kwargs)
File "/home/opc/oci-auditing/lib64/python3.8/site-packages/circuitbreaker.py", line 67, in call
result = func(*args, **kwargs)
File "/home/opc/oci-auditing/lib64/python3.8/site-packages/oci/base_client.py", line 601, in request
self.raise_service_error(request, response, service_code, message)
File "/home/opc/oci-auditing/lib64/python3.8/site-packages/oci/base_client.py", line 758, in raise_service_error
raise exceptions.ServiceError(
oci.exceptions.ServiceError: {'opc-request-id': 'CB51E70D52234E8BBDEB65BC357C375A/AE434B364AD933354DA28500B4B52275/002BCF5DBE5A6FB09B5861A2D872CF77', 'code': 'NotAuthorizedOrNotFound', 'message': 'Authorization failed or requested resource not found', 'status': 404}
I observe that policies are located directly under Identity,
however dynamic groups are within the Default domain.
So in the policy, while writing the dynamic group name, do I need to include the domain name also, to provide the right access?
For the Default domain you don't need to, but for any other domain you need to specify the domain name before the group name.
Using identity domains requires using the new identity domains module; list_users is deprecated.
Identity Domain:
https://docs.oracle.com/en-us/iaas/tools/python/2.128.0/api/identity_domains.html
You can check the code I wrote at showoci, see the bottom class - ShowOCIDomains
https://github.com/oracle/oci-python-sdk/blob/master/examples/showoci/showoci_service.py
For Default domain, you don't need, but if any other domain, you need to specify the domain name before the group name
Yes, right.
The strange observation is that it works for compartments, but not for users, policies..
I looked at your code; you are using instance principal, but defined the policy for a group, which is wrong.
You need to define the policy for the dynamic group.
Example:
For Instance Principals - Create Dynamic Group MyDynamicGroup in Default Domain:
any {ALL {instance.id = 'ocid1.instance.oc1.xxxxxxxxxx'}}
Add Policy:
allow dynamic-group MyDynamicGroup to read all-resources in tenancy
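The mistake in this thread (a policy written for `group` while the caller is an instance principal, i.e. a member of a `dynamic-group`) produces the same `NotAuthorizedOrNotFound` as a missing policy, so it is easy to miss by reading the error alone. The following is an added example, not code from this issue or from the oci-python-sdk project: a small offline checker that parses policy statements of the shape shown above and reports which statements actually grant a given dynamic group a verb on a resource, and which ones name that dynamic group but with the wrong subject type. The policy grammar it accepts (bare or single-quoted names, an optional `<domain>/` prefix, `all-resources` or a single resource type, `in tenancy` or `in compartment ...`) is an assumption covering only the forms used in this thread, and the sample statements are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Statement grammar handled here (an assumption covering the shapes used in the thread):
#   allow <subject-type> [[<domain>/]<name>] to <verb> <resource> in <scope> [where <cond>]
# Names may be bare or single-quoted, e.g. dynamic-group 'MyDomain'/'MyGroup'.
# Quoted names that themselves contain '/' are not handled.
_NAME = r"(?:'[^']*'|[^\s'/]+)"
_STMT = re.compile(
    rf"""^\s*allow\s+
        (?P<subject_type>any-user|any-group|dynamic-group|group|service)
        (?:\s+(?P<subject>{_NAME}(?:/{_NAME})?))?
        \s+to\s+(?P<verb>inspect|read|use|manage)
        \s+(?P<resource>[\w-]+)
        \s+in\s+(?P<scope>tenancy|compartment\s+(?:id\s+)?\S+)
        (?:\s+where\s+(?P<condition>.+?))?\s*$""",
    re.IGNORECASE | re.VERBOSE,
)

# Verbs are cumulative in OCI policy: manage > use > read > inspect.
_VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}


@dataclass(frozen=True)
class PolicyStatement:
    subject_type: str            # 'group', 'dynamic-group', 'any-user', ...
    domain: Optional[str]        # None = no prefix given, i.e. the Default domain
    name: Optional[str]
    verb: str
    resource: str
    scope: str
    condition: Optional[str]
    text: str


def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == "'" else s


def parse_statement(text: str) -> PolicyStatement:
    """Parse one policy statement into its parts; raises ValueError if unrecognised."""
    m = _STMT.match(text)
    if not m:
        raise ValueError(f"unrecognised policy statement: {text!r}")
    domain = name = None
    if m.group("subject"):
        parts = m.group("subject").split("/", 1)
        if len(parts) == 2:
            domain, name = _unquote(parts[0]), _unquote(parts[1])
        else:
            name = _unquote(parts[0])
    return PolicyStatement(
        subject_type=m.group("subject_type").lower(),
        domain=domain,
        name=name,
        verb=m.group("verb").lower(),
        resource=m.group("resource").lower(),
        scope=re.sub(r"\s+", " ", m.group("scope")).lower(),
        condition=m.group("condition"),
        text=text.strip(),
    )


def _covers(stmt: PolicyStatement, verb: str, resource: str) -> bool:
    # Simplification: resource families (e.g. 'instance-family') are not expanded.
    return (_VERB_RANK[stmt.verb] >= _VERB_RANK[verb]
            and stmt.resource in ("all-resources", resource))


def check_instance_principal_access(
    statements: List[str], dynamic_group: str, verb: str, resource: str,
    domain: str = "Default",
) -> Tuple[List[PolicyStatement], List[PolicyStatement]]:
    """Classify statements for an instance principal in `dynamic_group` of `domain`.

    Returns (granting, misdirected): statements that actually grant `verb` on
    `resource` to that dynamic group (or to any-user), and statements that name
    the dynamic group but with subject type 'group', which never match an
    instance principal. A statement without a domain prefix is taken to refer
    to the Default domain, as the thread states.
    """
    granting, misdirected = [], []
    for s in map(parse_statement, statements):
        same_principal = s.name == dynamic_group and (s.domain or "Default") == domain
        if s.subject_type == "any-user" and _covers(s, verb, resource):
            granting.append(s)
        elif s.subject_type == "dynamic-group" and same_principal and _covers(s, verb, resource):
            granting.append(s)
        elif s.subject_type == "group" and same_principal:
            misdirected.append(s)
    return granting, misdirected


# Constructed sample policy for the demonstration.
SAMPLE_POLICY = [
    "allow group MyDynamicGroup to read all-resources in tenancy",            # the mistake
    "allow dynamic-group MyDynamicGroup to read all-resources in tenancy",    # the fix
    "allow dynamic-group 'AuditDomain'/'MyDynamicGroup' to inspect users in tenancy",
]

if __name__ == "__main__":
    granting, misdirected = check_instance_principal_access(
        SAMPLE_POLICY, "MyDynamicGroup", "inspect", "users")
    for s in granting:
        print("grants:     ", s.text)
    for s in misdirected:
        print("misdirected:", s.text, "(subject should be dynamic-group)")
```

Run against only the first sample statement, the checker returns no granting statement and one misdirected one, which is exactly the situation that produced the 404 above; adding the `dynamic-group` statement makes it pass, and the domain-prefixed statement only counts when the caller's domain is given as `AuditDomain`.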
I look at your code, you are using instance principle, but defined policy per group which is wrong you need to define policy for dynamic group
Thanks @adizohar ..
In the policy, dynamic-group
is needed instead .. silly mistake..
Thanks again 👍