Can we hit Cumulocity APIs with bootstrap credentials of microservice

Sam123 · August 2, 2023, 7:02am

Product/components used and version/fix level:

Cumulocity Production

Detailed explanation of the problem:

Hi,

Is it possible to access the Cumulocity APIs with the bootstrap credentials of my microservice?
In SDK, we pass bootstrap credentials so How do you access the APIs with these credentials since they dont work directly?

Thanks,
Samanyu

Korbinian_Butz · August 2, 2023, 7:12am

Hi,

see Stefans Response to your previous thread here:

The bootstrapuser is just for retrieving the service user for each tenant. I think I made this clear now multiple times. You should not use that in any other API Call of your microservice (even when it is working). The service user permissions are defined in your manifest file.

Sam123 · August 2, 2023, 7:27am

Hi Korbinian,

That is fine but I need to understand the process here. Can’t we expose the “service user” credentials and use rest API call internally?

Stefan_Witschel · August 2, 2023, 8:19am

Everything is well documented here:

https://cumulocity.com/guides/microservice-sdk/concept/#microservice-bootstrap

What is missing from your perspective? For what purpose do you want to expose the service user credentials outside of the microservice context? Of course you can do that but security-wise it is still a high risk because the service user has all the rights which are defined in the microservice manifest…

Sam123 · August 2, 2023, 9:55am

Hi Stefan,

When we provide a value to the required interval field, a availability fragment is created for that specific M.O. Now when we are trying to send update the fragment it is not working because of that “header” in SDK. So, if we get the user credentials, we can do a rest API call and send an empty put call which will make sure that the request is coming from a device as you suggested in different post.

Thanks,
Samanyu

Stefan_Witschel · August 2, 2023, 10:39am

Uhhh this is way too complicated for what you wanted to achieve. It’s much easier.
See here for an example using restTemplate:

Just adapt that to the inventory API and you can freely define which headers are sent or not also you get the required credentials via the context service which can be autowired into your service:

@Autowired
private ContextService<MicroserviceCredentials> contextService;

headers.set("Authorization", contextService.getContext().toCumulocityCredentials().getAuthenticationString());

Sam123 · August 10, 2023, 7:42am

Hi Stefan,

We have implemented what you said and it worked in local but after deployment we are getting errors. It is not able to pull the image and the service is unhealthy. Could you please help how we can resolve this issue? If any extra roles required for this "context service*.

system · February 6, 2024, 7:42am

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.