On Thu, 2024-07-25 at 05:13 +0000, openstack@tr.id.au wrote:
Hi Naveen,
A few things come to mind:
- Do an openstack application credential show on the AC to verify it picked up any necessary roles. Also check the --role option when creating the AC.
so it might be related to SRBAC and https://launchpad.net/bugs/2030061 https://review.opendev.org/c/openstack/keystone/+/893737 so yes you may need to ensure you have the correct reader role in addition to member if appropriate.
- Try adding an additional rule similar to the first but with "path": "/v2.1/servers/detail". The openstack server list command seems to use the detail endpoint; it failed for my AC until the extra rule was added.
- The nova-api service for your openstack cloud needs to have service_type set before access rules will be understood. This is documented at https://docs.openstack.org/keystone/latest/user/application_credentials.html.... If you don't have admin access to your cloud, you may need to raise a support ticket with your service provider and ask them to check that this has been done.
Cheers,
Tim
On Thursday, 25 July 2024 at 14:16, Naveen Anbarasu <nawin8056@gmail.com> wrote:
Hi team,
I have created an application credential for the compute service and successfully obtained a token.
Access rule: "service": "compute", "method": "GET", "path": "/v2.1/servers"
However, when using the token to retrieve the server list, I receive an Error 403 Forbidden error with the message: 'Policy doesn't allow os_compute_api:servers to be performed.'
But I have a necessary permission within the respective project (member role).
How can I solve this problem?
Thanks in advance
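
An added example, not part of the thread and not Keystone or keystonemiddleware code: a simplified Python model of access-rule matching that shows why a rule for /v2.1/servers does not cover the /v2.1/servers/detail request mentioned in the reply. The function names, the sample request list and the wildcard handling (`*`, `**`, `{name}`) are assumptions made for illustration.

```python
import re

# Constructed sample data: the rule from the question, plus the extra
# rule suggested in the reply.
ORIGINAL_RULES = [{"service": "compute", "method": "GET", "path": "/v2.1/servers"}]
EXTENDED_RULES = ORIGINAL_RULES + [
    {"service": "compute", "method": "GET", "path": "/v2.1/servers/detail"}
]
# Constructed: the request the reply says `openstack server list` makes.
SERVER_LIST_REQUESTS = [("compute", "GET", "/v2.1/servers/detail")]


def _pattern_to_regex(rule_path):
    """Turn a rule path into an anchored regex (simplified, assumed semantics)."""
    parts = []
    for segment in rule_path.strip("/").split("/"):
        if segment == "**":                       # any number of segments
            parts.append(".*")
        elif segment == "*" or (segment.startswith("{") and segment.endswith("}")):
            parts.append("[^/]+")                 # exactly one segment
        else:
            parts.append(re.escape(segment))      # literal segment
    return re.compile("^/" + "/".join(parts) + "$")


def is_allowed(rules, service_type, method, path):
    """True if any rule matches the service type, method and full path."""
    path = path.split("?", 1)[0]                  # ignore the query string
    for rule in rules:
        if rule["service"] != service_type:
            continue
        if rule["method"].upper() != method.upper():
            continue
        if _pattern_to_regex(rule["path"]).match(path):
            return True
    return False


def uncovered(rules, requests):
    """Return the requests that no rule in the list covers."""
    return [req for req in requests if not is_allowed(rules, *req)]


if __name__ == "__main__":
    print("original rule misses:", uncovered(ORIGINAL_RULES, SERVER_LIST_REQUESTS))
    print("extended rules miss: ", uncovered(EXTENDED_RULES, SERVER_LIST_REQUESTS))
```

Running a client with debug output and feeding the logged method and path pairs to `uncovered` gives the list of rules still to add before the credential is created.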