Access denied when microservice tries to retrieve encrypted tenant option

Product/components used and version/fix level:

Cumulocity version 1018.0.125 (frontend) 1018.0.174 (backend)

Detailed explanation of the problem:

From the guide [Cumulocity IoT - OpenAPI Specification](Cumulocity IoT - OpenAPI Specification) I learned that encrypted option cannot be received by regular user (I tried and it returns {“self”:“”,“category”:“secrets”,“value”:“<>”,“key”:“credentials.test_key”}) but when it is sent to a microservice, the value should be decrypted.
However, when sending GET request from my microservice to retrieve the option, it returns {“message”:“Access is denied”,“error”:“security/Forbidden”,“info”:…}

Here is how I formulate the request:

def base64_credentials(tenant, user, password):
    str_credentials = tenant + "/" + user + ":" + password
    return 'Basic ' + base64.b64encode(str_credentials.encode()).decode()
def sample_get_token:
        url =
        payload = {}
        headers = {
             'Authorization': base64_credentials(os.getenv('C8Y_BOOTSTRAP_TENANT'), os.getenv('C8Y_BOOTSTRAP_USER'), os.getenv('C8Y_BOOTSTRAP_PASSWORD'))
        response = requests.request("GET", url, headers=headers, data=payload)
        private_key = json.loads(response.text)["value"]

Error messages / full error message screenshot / log file:

KeyError, as response == {“message”:“Access is denied”,“error”:“security/Forbidden”,“info”:…}

Question related to a free trial, or to a production (customer) instance?

This is a production instance


your Microservice needs the necessary roles to access the Tenant Option API. If your Microservice wants to read options, it must define "ROLE_OPTION_MANAGEMENT_READ" as a required role in its cumulocity.json. In case the Microservice needs to write tenant options, it must specify the required role "ROLE_OPTION_MANAGEMENT_ADMIN".

Best regards

Christian Guether

It also seems you are using the wrong credentials.
The C8Y_BOOTSTRAP prefixed credentials are meant to be used to retrieve the subscriptions of the microservice (actual service credentials for every subscribed tenant), see: General aspects - Cumulocity IoT Guides They are not meant to access the other Cumulocity APIs.
If you have a per tenant scoped microservice, you could use C8Y_TENANT, C8Y_USER, C8Y_PASSWORD instead.


Thank you, it works after defining the role and using the service user’s credential as suggested by @Tristan_Bastian . I referred to the sample script (just search cumulocity microservices/sample-python-microservice, sorry that I cannot include links in my post) for this case