Access denied when microservice tries to retrieve encrypted tenant option

tse_xuan.ngiam · October 9, 2023, 4:38pm

Product/components used and version/fix level:

Cumulocity version 1018.0.125 (frontend) 1018.0.174 (backend)

Detailed explanation of the problem:

From the guide [Cumulocity IoT - OpenAPI Specification](Cumulocity IoT - OpenAPI Specification) I learned that encrypted option cannot be received by regular user (I tried and it returns {“self”:“https:xxxx.cumulocity.com/tenant/options/secrets/credentials.test_key”,“category”:“secrets”,“value”:“<>”,“key”:“credentials.test_key”}) but when it is sent to a microservice, the value should be decrypted.
However, when sending GET request from my microservice to retrieve the option, it returns {“message”:“Access is denied”,“error”:“security/Forbidden”,“info”:…}

Here is how I formulate the request:

def base64_credentials(tenant, user, password):
    str_credentials = tenant + "/" + user + ":" + password
    return 'Basic ' + base64.b64encode(str_credentials.encode()).decode()
def sample_get_token:
        url = https:xxxx.cumulocity.com/tenant/options/secrets/credentials.test_key
        payload = {}
        headers = {
             'Authorization': base64_credentials(os.getenv('C8Y_BOOTSTRAP_TENANT'), os.getenv('C8Y_BOOTSTRAP_USER'), os.getenv('C8Y_BOOTSTRAP_PASSWORD'))
        }
        response = requests.request("GET", url, headers=headers, data=payload)
        private_key = json.loads(response.text)["value"]

Error messages / full error message screenshot / log file:

KeyError, as response == {“message”:“Access is denied”,“error”:“security/Forbidden”,“info”:…}

Question related to a free trial, or to a production (customer) instance?

This is a production instance

Christian_Guether1 · October 10, 2023, 5:55am

Hi,

your Microservice needs the necessary roles to access the Tenant Option API. If your Microservice wants to read options, it must define "ROLE_OPTION_MANAGEMENT_READ" as a required role in its cumulocity.json. In case the Microservice needs to write tenant options, it must specify the required role "ROLE_OPTION_MANAGEMENT_ADMIN".

Best regards

Christian Guether

Software AG Professional Services

Tristan_Bastian · October 10, 2023, 7:32am

It also seems you are using the wrong credentials.
The C8Y_BOOTSTRAP prefixed credentials are meant to be used to retrieve the subscriptions of the microservice (actual service credentials for every subscribed tenant), see: General aspects - Cumulocity IoT Guides They are not meant to access the other Cumulocity APIs.
If you have a per tenant scoped microservice, you could use C8Y_TENANT, C8Y_USER, C8Y_PASSWORD instead.

tse_xuan.ngiam · October 10, 2023, 10:20am

Thank you, it works after defining the role and using the service user’s credential as suggested by @Tristan_Bastian . I referred to the sample script (just search cumulocity microservices/sample-python-microservice, sorry that I cannot include links in my post) for this case

system · April 7, 2024, 10:20am

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cumulocity IoT Tenant Options Encryption Cumulocity-IoT , IoT	3	1132	August 9, 2022
C8Y Microservice \| Python Flask \| Authentication issues Cumulocity-IoT , IoT , IoT-Platform , authentication , python , microservice	2	32	September 5, 2024
Swagger API with Cumulocity Microservice Cumulocity-IoT , IoT	4	515	May 21, 2023
Service User denied access to Alarm API even with requiredRoles set Cumulocity-IoT , IoT	8	358	April 21, 2024
Error Invalid credentials when using bootstrap user Cumulocity-IoT , IoT , IoT-Platform	2	416	April 2, 2024