API Code:400 Returned using Service Accounts to manage alerts/dashboards

This article applies to:

  • Data Browsing
  • Feature Category: REST API

Problem description:

Tanzu Observability supports service accounts, which can be used to automate the management of objects such as dashboards and alerts. However, you may encounter issues when using service account tokens to manipulate these objects via our REST API, because service accounts work slightly differently from user accounts.

The reported symptoms may include specific errors when calling the API that are reproducible only with service accounts, even when they have the necessary permissions.

 

Error messages

{"status":{"result":"ERROR","message":"The dashboard is not accessible.","code":400}}

{'status': {'result': 'ERROR', 'message': "You don't have access to modify this alert.", 'code': 403}}

You are not allowed to perform this operation.

 

Note: The preceding log excerpts/Messages are only examples. Date, time, and environmental variables may vary depending on your environment.

 

Error Description: 

Cause: Lack of object access

 

Tanzu Observability supports the roles, permissions, and groups authorization paradigm for managing global permissions. To manage dashboards and alerts, the service account needs both permissions and access to the object.

When the issue persists even though the service account already has the necessary permissions, missing object access could be the cause.

 

Object Access:

With the 2021-42.x release, all existing service accounts were moved to a separate predefined Service Accounts group and no longer belong to the Everyone group. As a result, alerts and dashboards that were created prior to this release and have not been changed since behave differently when you try to manage them with a service account: the service account does not have the necessary object access, because by default the object is accessible only to accounts that are part of the Everyone group and have the necessary permissions.

 

Solution: 

  • Review your Dashboards and Alerts Access List and include the Service Accounts group, according to your needs.

*For example, if you have granted service accounts access to certain dashboards and alerts through the Everyone group, you must update the access list to include the Service Accounts group or specific service accounts, so that the service accounts can access the same dashboards and alerts. To apply this change, refer to:

Managing Access to Dashboards and Alerts
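The access-list review described above can be scripted once the lists are collected. The following is an added example, not Tanzu Observability code: the record layout, the account name `sa::ci-bot`, the object IDs and the sample data are constructed assumptions, and only the Everyone and Service Accounts group names come from this article.

```python
# Added example: audit access lists for objects a service account cannot manage.
# Record layout, account name and sample data are constructed assumptions,
# not the product's API schema.
EVERYONE = "Everyone"
SERVICE_ACCOUNTS = "Service Accounts"

SAMPLE_ACLS = [  # constructed sample access lists
    {"kind": "dashboard", "id": "ops-overview", "modify": ["Everyone"]},
    {"kind": "alert", "id": "alert-001", "modify": ["Everyone", "Service Accounts"]},
    {"kind": "dashboard", "id": "billing", "modify": ["Finance", "sa::ci-bot"]},
    {"kind": "alert", "id": "alert-002", "modify": ["Finance"]},
]


def can_modify(acl, account, groups, has_permission=True):
    """Managing an object needs the permission AND object access."""
    if not has_permission:
        return False
    principals = set(groups) | {account}
    return bool(principals & set(acl["modify"]))


def audit(acls, account, groups, has_permission=True):
    """Return (kind, id, reason) for each object the account cannot modify."""
    findings = []
    for acl in acls:
        if can_modify(acl, account, groups, has_permission):
            continue
        if not has_permission:
            reason = "missing permission"
        elif EVERYONE in acl["modify"]:
            reason = "shared with Everyone only"
        else:
            reason = "not on access list"
        findings.append((acl["kind"], acl["id"], reason))
    return findings


if __name__ == "__main__":
    # Before 2021-42.x the account was in Everyone; afterwards it is not.
    before = audit(SAMPLE_ACLS, "sa::ci-bot", [EVERYONE])
    after = audit(SAMPLE_ACLS, "sa::ci-bot", [SERVICE_ACCOUNTS])
    for finding in after:
        note = "" if finding in before else " (new since group change)"
        print(f"{finding[0]} {finding[1]}: {finding[2]}{note}")
```

Objects reported as "shared with Everyone only" are the ones whose access list needs the Service Accounts group or the specific service account added.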

 

By default, the Service Accounts group is not added to the access list of newly created objects. However, you can grant service accounts access to new dashboards and alerts as follows:

  • From the gear icon on the toolbar, select Organization Settings. (You must have the necessary permissions to perform this change)


  • Click the Security tab, select Grant Modify Access To: Everyone and Service Accounts.


See also:

2021-42.x Release Notes

Managing Access to Dashboards and Alerts
What’s the Service Accounts Group?

Change the Access Control Security Organization Setting
