topic Re: Can't assign iam:groups:read policy to oauth2 client in Dynatrace API

Can't assign iam:groups:read policy to oauth2 client

DaveOps — Fri, 13 Sep 2024 06:21:39 GMT

Can't assign `iam:groups:read` policy to oauth2 client to be able to get a bearer token via sso which allows me to interact with the `/platform/iam/v1` api.

Received the following response:

{ "error": { "code": 403, "message": "User not authorized." } }

Please advise.

Re: Can't assign iam:groups:read policy to oauth2 client

patryk_ozimek2 — Thu, 12 Sep 2024 13:01:06 GMT

Hi,

Could you please provide the request that you executed?

Best Regards
Patryk

Re: Can't assign iam:groups:read policy to oauth2 client

DaveOps — Thu, 12 Sep 2024 13:46:33 GMT

GET https://{environmentid}.apps.dynatrace.com/platform/iam/v1/organizational-levels/environment/tkx85859/groups?partialGroupName=poc&pageSize=1000403 290 ms GET /platform/iam/v1/organizational-levels/environment/tkx85859/groups?partialGroupName=poc&pageSize=1000 HTTP/1.1 Authorization: Bearer eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjEifQ.eyJzdWIiOiIyOTQxMDc1Yi1lYjM0LTQwZmYtYTE3MC01M2M1NjIyYWVjNDciLCJyZXMiOiJ1cm46ZHRhY2NvdW50OmNmYmU0ZGRmLWZkOTktNDU4ZS1iMmE2LWJkNDQ5OTRlZmQxMSIsIl9jbGFpbV9uYW1lcyI6eyJncm91cHMiOiIwIn0sInByZWZlcnJlZF91c2VybmFtZSI6IjI5NDEwNzViLWViMzQtNDBmZi1hMTcwLTUzYzU2MjJhZWM0N0BzZXJ2aWNlLnNzby5keW5hdHJhY2UuY29tIiwiZ3QiOiJjYyIsImludCI6ZmFsc2UsImF1ZCI6ImR0MHMwMi5ZTllLRlI1SCIsInNjb3BlIjoiYWNjb3VudC1lbnYtcmVhZCBhY2NvdW50LWlkbS1yZWFkIiwiX2NsYWltX3NvdXJjZXMiOnsiMCI6eyJlbmRwb2ludCI6bnVsbH19LCJleHAiOjE3MjYxNDg5NjQsImlhdCI6MTcyNjE0ODY2NCwianRpIjoiNjZkMWMzMmItZTBkYS00ZDg1LWE4MWItNmZiMTFhNDY3NzNlIiwiZW1haWwiOiIyOTQxMDc1Yi1lYjM0LTQwZmYtYTE3MC01M2M1NjIyYWVjNDdAc2VydmljZS5zc28uZHluYXRyYWNlLmNvbSJ9._obETzSjgLjpCivGhSeA4GO2Rb1UH9tXlovKyqUB7GCpwmTieVILER1TpqykMwh_Dr44XcP1exDXGEiPb7_PKw User-Agent: PostmanRuntime/7.41.2 Accept: */* Cache-Control: no-cache Postman-Token: 4c14a859-de4a-4bb2-9db2-515a08350d6b Host: tkx85859.apps.dynatrace.com Accept-Encoding: gzip, deflate, br Connection: keep-alive Cookie: AWSALB=HsIT5W022Crk334QBTqgjGr1P1C1OWh8AHF1cJMEYjlhljzpzLS2MVsH+JrjPGRVtithHfwKELtbFLjDWGW+pKBlEu659oqIGMrqm6vSMOzBu9p5HswhqF1PCjDe; AWSALBCORS=HsIT5W022Crk334QBTqgjGr1P1C1OWh8AHF1cJMEYjlhljzpzLS2MVsH+JrjPGRVtithHfwKELtbFLjDWGW+pKBlEu659oqIGMrqm6vSMOzBu9p5HswhqF1PCjDe HTTP/1.1 403 Forbidden vary: Origin,Access-Control-Request-Method,Access-Control-Request-Headers,Accept-Encoding date: Thu, 12 Sep 2024 13:44:50 GMT content-type: application/json content-length: 55 set-cookie: AWSALB=LZuDggOsubvZC5njtw6JCIpkchUnewTFivwz1lPERu4pNHdTT/TVuGqDPjizUY8LI0vMxBrvh6JDt1y3/zm3O8zP6lKmO8bJhOf9jdoSmDaXddsqgC2y7pLWnfdN; Expires=Thu, 19 Sep 2024 13:44:50 GMT; Path=/ set-cookie: AWSALBCORS=LZuDggOsubvZC5njtw6JCIpkchUnewTFivwz1lPERu4pNHdTT/TVuGqDPjizUY8LI0vMxBrvh6JDt1y3/zm3O8zP6lKmO8bJhOf9jdoSmDaXddsqgC2y7pLWnfdN; Expires=Thu, 19 Sep 2024 13:44:50 GMT; Path=/; SameSite=None; Secure strict-transport-security: max-age=31536000 cache-control: no-cache, no-store, must-revalidate pragma: no-cache expires: 0 dynatrace-response-source: Service x-content-type-options: nosniff x-xss-protection: 0 referrer-policy: strict-origin-when-cross-origin traceresponse: 00-0f2113aef68326bccb3bc02310b4e92b-443eccf561ea5e80-01 x-dt-tracestate: 67e0a59d-8e83bf33@dt {"error":{"code":403,"message":"User not authorized."}}

Re: Can't assign iam:groups:read policy to oauth2 client

Peter_Youssef — Wed, 25 Sep 2024 19:18:08 GMT

Hi @DaveOps

You can validate the current configuration with IAM team against the provided documentation URL for step-by-step instructions:

Regards,

Peter.

Re: Can't assign iam:groups:read policy to oauth2 client

GosiaMurawska — Thu, 02 Jan 2025 15:40:11 GMT

Hi, @DaveOps! Have you managed to find the answer to your question? It would be great if you share it with the Community 🙂

Re: Can't assign iam:groups:read policy to oauth2 client

erh_inetum — Tue, 11 Feb 2025 06:13:20 GMT

Hi @DaveOps ,

You have to send a curl like this:

$ curl --request POST 'https://sso.dynatrace.com/sso/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=XXXXXXX' \
--data-urlencode 'client_secret=XXXXXXXXXXXXXXXXXXXXXXXXXX' \
--data-urlencode 'resource=urn:dtaccount:XXXXXXX' \
--data-urlencode 'scope=iam:users:read iam:groups:read'

But first, you have to create an OAuth client selecting the scopes you need.

Hope it helps.

Regards,

Elena.