On Thu, 2024-07-25 at 05:13 +0000, openstack@tr.id.au wrote:
> Hi Naveen,
>
> A few things come to mind:
>
> - Do an openstack application credential show on the AC to verify it picked up any necessary roles. Also check the
> --role option when creating the AC.
so it might be related to SRBAC and https://launchpad.net/bugs/2030061
https://review.opendev.org/c/openstack/keystone/+/893737
so yes you may need to ensure you have the correct reader role in addition to member if appropriate.
> - Try adding an additional rule similar to the first but with "path": "/v2.1/servers/detail". The openstack server
> list command seems to use the detail endpoint; it failed for my AC until the extra rule was added.
> - The nova-api service for your openstack cloud needs to have service_type set before access rules will be
> understood. This is documented at
> https://docs.openstack.org/keystone/latest/user/application_credentials.html#access-rules. If you don't have admin
> access to your cloud, you may need to raise a support ticket with your service provider and ask them to check that
> this has been done.
>
> Cheers,
>
> Tim
>
> On Thursday, 25 July 2024 at 14:16, Naveen Anbarasu <nawin8056@gmail.com> wrote:
>
> > Hi team,
> >
> > I have created an application credential for the compute service and successfully obtained a token.
> > Access rule:
> > "service": "compute",
> > "method": "GET",
> > "path": "/v2.1/servers"
> >
> > However, when using the token to retrieve the server list, I receive an Error 403 Forbidden error with the message:
> > 'Policy doesn't allow os_compute_api:servers to be performed.'
> >
> > But I have a necessary permission within the respective project (member role)
> >
> > How can I solve this problem?
> >
> > Thanks in advance
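
Added example (not part of the original thread, and not keystonemiddleware's code): a simplified model of access-rule matching, illustrating Tim's point that a rule for `/v2.1/servers` does not cover `/v2.1/servers/detail`. The helper names `path_to_regex` and `is_allowed` are hypothetical, and the wildcard semantics are assumed from the Keystone access-rules documentation linked above.

```python
import re

# Rules from the thread: the original rule, plus the extra rule Tim suggests.
ORIGINAL_RULES = [{"service": "compute", "method": "GET", "path": "/v2.1/servers"}]
EXTENDED_RULES = ORIGINAL_RULES + [
    {"service": "compute", "method": "GET", "path": "/v2.1/servers/detail"}
]


def path_to_regex(pattern):
    """Translate an access-rule path into an anchored regex.

    Assumed wildcard semantics: '*' and '{name}' match exactly one path
    segment, '**' matches any remainder including slashes.
    """
    parts = []
    for token in re.findall(r"\*\*|\*|\{[^}]*\}|[^*{]+", pattern):
        if token == "**":
            parts.append(".*")
        elif token == "*" or token.startswith("{"):
            parts.append("[^/]+")
        else:
            parts.append(re.escape(token))  # literal text must match exactly
    return re.compile("".join(parts) + r"\Z")


def is_allowed(rules, service, method, path):
    """True if at least one rule matches service, method and the whole path."""
    return any(
        rule["service"] == service
        and rule["method"].upper() == method.upper()
        and path_to_regex(rule["path"]).match(path) is not None
        for rule in rules
    )


if __name__ == "__main__":
    # Constructed requests: the plain list call and the detail call.
    for name, rules in (("original", ORIGINAL_RULES), ("extended", EXTENDED_RULES)):
        for path in ("/v2.1/servers", "/v2.1/servers/detail"):
            verdict = "allow" if is_allowed(rules, "compute", "GET", path) else "deny"
            print(f"{name:9} GET {path:22} -> {verdict}")
```
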