Hi Naveen,

A few things come to mind:

  1. Do an openstack application credential show on the AC to verify it picked up any necessary roles. Also check the --role option when creating the AC.
  2. Try adding an additional rule similar to the first but with "path": "/v2.1/servers/detail". The openstack server list command seems to use the detail endpoint; it failed for my AC until the extra rule was added.
  3. The nova-api service for your openstack cloud needs to have service_type set before access rules will be understood. This is documented at https://docs.openstack.org/keystone/latest/user/application_credentials.html#access-rules. If you don't have admin access to your cloud, you may need to raise a support ticket with your service provider and ask them to check that this has been done.

Cheers,

Tim


On Thursday, 25 July 2024 at 14:16, Naveen Anbarasu <nawin8056@gmail.com> wrote:
Hi team,

I have created an application credential for the compute service and successfully obtained a token.
Access rule:
"service": "compute",
"method": "GET",
"path": "/v2.1/servers"

However, when using the token to retrieve the server list, I receive an Error 403 Forbidden error with the message: 'Policy doesn't allow os_compute_api:servers to be performed.'

But I have the necessary permission within the respective project (member role).

How can I solve this problem?

Thanks in advance
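
Point 2 of the reply, as an added example that is not part of the original thread: an offline check of which requests a list of access rules covers, showing that a rule for /v2.1/servers does not cover /v2.1/servers/detail. The function names and sample requests are hypothetical, and the path matching is an assumption based on the wildcard forms in the Keystone access-rules documentation (* and {tag} match one path segment, ** matches any remainder); it is not Keystone's own code.

```python
import json
import re

# Access rule from the original question, plus the extra rule from point 2.
ORIGINAL_RULES = [{"service": "compute", "method": "GET", "path": "/v2.1/servers"}]
FIXED_RULES = ORIGINAL_RULES + [
    {"service": "compute", "method": "GET", "path": "/v2.1/servers/detail"}
]

# Constructed sample requests: (service type, HTTP method, request path).
SAMPLE_REQUESTS = [
    ("compute", "GET", "/v2.1/servers"),
    ("compute", "GET", "/v2.1/servers/detail"),
    ("compute", "DELETE", "/v2.1/servers/abc"),
]

def path_to_regex(pattern):
    """Translate an access-rule path into an anchored regex (assumed semantics)."""
    out = []
    for part in re.split(r"(\*\*|\*|\{[^}]*\})", pattern):
        if part == "**":
            out.append(".*")        # any remainder, including further slashes
        elif part == "*" or (part.startswith("{") and part.endswith("}")):
            out.append("[^/]+")     # exactly one path segment
        else:
            out.append(re.escape(part))  # literal text must match exactly
    return re.compile("^" + "".join(out) + "$")

def is_allowed(rules, service, method, path):
    """True if any rule matches service, method and path (query string ignored)."""
    path = path.split("?", 1)[0]
    return any(
        r["service"] == service
        and r["method"] == method.upper()
        and path_to_regex(r["path"]).match(path)
        for r in rules
    )

def uncovered(rules, requests):
    """Return the requests that no rule in the list permits."""
    return [req for req in requests if not is_allowed(rules, *req)]

if __name__ == "__main__":
    print("original rules miss:", uncovered(ORIGINAL_RULES, SAMPLE_REQUESTS))
    print("fixed rules miss:   ", uncovered(FIXED_RULES, SAMPLE_REQUESTS))
    # JSON list form of the rules, for use when creating the AC.
    print(json.dumps(FIXED_RULES))
```

The request that remains uncovered under the fixed rules (the DELETE) shows the rule list staying least-privilege: only the two GET paths needed for listing servers are opened.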