‎21 Nov 2023 10:09 PM - last edited on ‎22 Nov 2023 09:51 AM by MaciejNeumann
Hello, nice to ask again. I have the following issue: I need to create a new bucket to manage log retention. To do this, I followed the guide, but I'm encountering issues with OAuth 2.0 permissions. I'm searching within the Dynatrace API Swagger for the required permissions. Can you help me identify the necessary permissions?
I create the OAuth with the permissions specified by OAuth 2.0, and I generate the token from Postman. However, upon execution, I still lack the necessary permissions. What could be the issue?
Furthermore, I created the precise permissions and generated another OAuth with all the storage permissions. I created tokens with both OAuths and tested them separately, but with the same result.
The token is successfully created, but upon executing the query, it still complains about a lack of permissions. Am I missing any other permission?
‎21 Nov 2023 10:42 PM
Hello @Ellery, "permission not met" means that the user executing the API call needs to have a policy assigned with at least the storage:bucket-definitions permissions:
ALLOW storage:events:read;
ALLOW storage:metrics:read;
ALLOW storage:logs:read;
ALLOW storage:entities:read;
ALLOW storage:bizevents:read;
ALLOW storage:system:read;
ALLOW storage:buckets:read;
ALLOW storage:bucket-definitions:read;
ALLOW storage:bucket-definitions:write;
ALLOW storage:bucket-definitions:delete;
ALLOW storage:bucket-definitions:truncate;
I leave you a wide policy to apply to a "Storage Admin Group" to have full control over Grail buckets.
‎21 Nov 2023 10:52 PM
I also leave you the link to this PRO TIP.
Maybe it will be useful to you.
‎22 Nov 2023 01:03 PM
First of all, thank you very much for the response, but it seems that there's something I'm doing wrong, as even though the API responds, it is not the expected result from the API.
‎23 Nov 2023 12:23 AM
Hello @Ellery I'm going to try to help you with a very detailed guide.
1. Troubleshooting Grail IAM Permissions.
At this point, if you are receiving "Required permissions not met", it means that the OAuth 2.0 token is working, but you are lacking the Dynatrace identity and access management (IAM) framework permissions on the user to which you assigned the OAuth 2.0 token.
2. Create Grail Storage Admin Policy.
- Open the User menu and select Account settings (in latest Dynatrace, Account Management).
- On the top navigation bar, go to Identity & access management > Policies.
- Select Create policy, and set a name.
- Write the policy statements as seen in the image. Note that for bucket management you only need the storage:bucket-definitions statements (8,9,10,11). But this policy is intended to be used by an Admin so it's a bit more permissive.
- Save it and you are ready with the policy.
3. Create Storage Manager Group.
- Open the User menu and select Account settings (in latest Dynatrace, Account Management).
- On the top navigation bar, go to Identity & access management > Groups.
- Select Create group, and set a name.
- Under the Policies section, click edit and assign the policy Storage - Admin that you created in the previous section, Create Grail Storage Admin Policy.
- Save it and we are ready with the group and policy assignment.
4. Assign Storage Manager Group to your Grail Admin User.
- Open the User menu and select Account settings (in latest Dynatrace, Account Management).
- On the top navigation bar, go to Identity & access management > People.
- Search for the same user to which you assigned the OAuth 2.0 token.
- Edit the user and assign the Storage Manager Group you created in the previous step Create Storage Manager Group.
- All set.
5. Ready to invoke the API call.
- Go back to Postman and invoke the API call. You should now get Code 200 and a response like the image.
‎23 Nov 2023 12:31 AM
Also, I've updated the guide to reflect a way to troubleshoot your problem, because I saw another post with the problem. Thanks for your feedback.
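As an added example (not code from the thread or from Dynatrace), this Python sketch parses policy text like the one posted above and reports which of the four storage:bucket-definitions statements are missing and which grants go beyond bucket management. It assumes statements of the form ALLOW perm[, perm] [WHERE condition]; the function names and the narrow sample policy, including its WHERE condition, are constructed for illustration.

```python
import re

# The four bucket-management statements named in the thread.
BUCKET_MGMT = {
    "storage:bucket-definitions:read",
    "storage:bucket-definitions:write",
    "storage:bucket-definitions:delete",
    "storage:bucket-definitions:truncate",
}

# Assumed grammar: ALLOW perm[, perm ...] [WHERE condition];
STATEMENT = re.compile(r"ALLOW\s+(.+?)(?:\s+WHERE\s+(.+?))?\s*;", re.I | re.S)

def parse_policy(text):
    """Return {permission: condition or None} for every ALLOW statement."""
    grants = {}
    for perms, condition in STATEMENT.findall(text):
        for perm in perms.split(","):
            grants[perm.strip().lower()] = condition.strip() or None
    return grants

def audit(text):
    """Compare a policy against the bucket-management statements."""
    grants = parse_policy(text)
    granted = set(grants)
    return {
        "missing": sorted(BUCKET_MGMT - granted),
        "conditional": sorted(p for p in BUCKET_MGMT & granted if grants[p]),
        "beyond_bucket_mgmt": sorted(granted - BUCKET_MGMT),
    }

# The wide "Storage Admin" policy as posted in the thread.
WIDE_POLICY = "".join(f"ALLOW storage:{p};\n" for p in (
    "events:read", "metrics:read", "logs:read", "entities:read",
    "bizevents:read", "system:read", "buckets:read",
    "bucket-definitions:read", "bucket-definitions:write",
    "bucket-definitions:delete", "bucket-definitions:truncate"))

# Constructed sample: a narrower policy that lacks delete and truncate.
NARROW_POLICY = """
ALLOW storage:bucket-definitions:read, storage:bucket-definitions:write;
ALLOW storage:logs:read WHERE storage:bucket-name = "default_logs";
"""

if __name__ == "__main__":
    for name, policy in (("wide", WIDE_POLICY), ("narrow", NARROW_POLICY)):
        print(name, audit(policy))
```

An empty "missing" list means the policy carries all four bucket-definitions statements; anything under "beyond_bucket_mgmt" is access the API user holds in addition to bucket management.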