cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PostMan and OAuth 2.0

Ellery
Guide

Hello, nice to ask again. I have the following issue: I need to create a new bucket to manage log retention. To do this, I followed the guide, but I'm encountering issues with OAuth 2.0 permissions. I'm searching within the Dynatrace API Swagger for the required permissions. Can you help me identify the necessary permissions?"

Ellery_0-1700604094278.png

I create the OAuth with the permissions specified by OAuth 2.0, and I generate the token from Postman. However, upon execution, I still lack the necessary permissions. What could be the issue?

Ellery_1-1700604283867.png

Furthermore, I created the precise permissions and generated another OAuth with all the storage permissions. I created tokens with both OAuths and tested them separately, but with the same result.

Ellery_2-1700604474782.png

The token is successfully created, but upon executing the query, it still complains about a lack of permissions. Am I missing any other permission?

 

 

 

5 REPLIES 5

DanielS
DynaMight Leader
DynaMight Leader

Hello @Ellery The permission not met means that the user executing the API call needs to have the policy assigned with at least the storage:bucket-definitions permissions:

ALLOW storage:events:read;
ALLOW storage:metrics:read;
ALLOW storage:logs:read;
ALLOW storage:entities:read;
ALLOW storage:bizevents:read;
ALLOW storage:system:read;
ALLOW storage:buckets:read;
ALLOW storage:bucket-definitions:read;
ALLOW storage:bucket-definitions:write;
ALLOW storage:bucket-definitions:delete;
ALLOW storage:bucket-definitions:truncate;

 I leave you a wide policy to apply to a "Storage Admin Group" to have full control over grail buckets.

 

The true delight is in the finding out rather than in the knowing.

DanielS
DynaMight Leader
DynaMight Leader

I also leave you the link to this PRO TIP.

Maybe it will be useful to you.

The true delight is in the finding out rather than in the knowing.

Ellery
Guide

First of all, thank you very much for the response, but it seems that there's something I'm doing wrong, as even though the API responds, it is not the expected result from the API.

Ellery_1-1700658189758.png

 

 

 

DanielS
DynaMight Leader
DynaMight Leader

Hello @Ellery I'm going to try to help you with a very detailed guide.

1. Troubleshooting Grail IAM Permissions.

DanielS_0-1700695087937.png

At this point, if you are receiving Required permissions not met it means that the Oauth  2.0 Token is working, but you are lacking the Dynatrace identity and access management (IAM) framework permissions on the user you assign the Oauth 2.0 Token.

2. Create Grail Storage Admin Policy.

DanielS_1-1700695712062.png

  1. Open the User menu and select Account settings (in latest Dynatrace, Account Management).
    On the top navigation bar, go to Identity & access management > Policies.
  2. Select Create policy, and set a name.
  3. Write the policy statements as seen in the image. Note that for bucket management you only need the storage:bucket-definitions statements (8,9,10,11). But this policy is intended to be used by an Admin so it's a bit more permissive.
  4. Save it and you are ready with the policy.

3. Create Storage Manager Group.

DanielS_2-1700696776667.png

 

  1. Open the User menu and select Account settings (in latest Dynatrace, Account Management).
    On the top navigation bar, go to Identity & access management > Groups.
  2. Select Create group, and set a name.
  3. Under the Policies section click edit and assign the Policy Storage - Admin you created on the previous section Create Grail Storage Admin Policy.
  4. Save it and we are ready with the group and policy assignment.

4. Assign Storage Manager Group to your Grail Admin User.

DanielS_3-1700696984127.png

 

  1. Open the User menu and select Account settings (in latest Dynatrace, Account Management).
    On the top navigation bar, go to Identity & access management > People.
  2. DanielS_6-1700697149006.pngSearch for the same user to which you assign the Oauth 2.0 Token. DanielS_6-1700697149006.png
  3. Edit the user and assign the Storage Manager Group you created in the previous step Create Storage Manager Group.
  4. All set.

5. Ready to invoke the API call.

DanielS_8-1700697413508.png

  1. Go back to Postman and invoke the API call. You should now get Code 200 and a response like the image.
The true delight is in the finding out rather than in the knowing.

DanielS
DynaMight Leader
DynaMight Leader

Also I've updated the guide to reflect a way to troubleshoot your problem. Because I saw other post with the problem. Thanks for your feedback.

The true delight is in the finding out rather than in the knowing.

Featured Posts