22 Jan 2024 10:58 AM
Hi,
We are using Monaco to deploy a configuration.
First, we validated the configuration using the "--dry-run" option. It completed successfully:
2024-01-22T11:41:31+01:00 info Validation finished without errors
Then, we launched the deploy but we got the following error:
2024-01-22T11:26:26+01:00 info Projects to be deployed (1):
2024-01-22T11:26:26+01:00 info - project_XXX
2024-01-22T11:26:26+01:00 debug Deploying 748 configurations.
2024-01-22T11:26:26+01:00 info Environments to deploy to (1):
2024-01-22T11:26:26+01:00 info - project_XXX
2024-01-22T11:26:26+01:00 info Deploying configurations to environment `project_XXX`...
2024-01-22T11:26:26+01:00 debug Concurrent Request Limit: 5, 'MONACO_CONCURRENT_REQUESTS' environment variable is NOT set, using default value
2024-01-22T11:26:26+01:00 info Deploying config project_XXX:request-attributes:xxxxxxxxxxxxxxxx
2024-01-22T11:26:26+01:00 error project_XXX(default) project_XXX:request-attributes:xxxxxxxxxxxxxxxx deploy.configDeployErr Failed to create DT object accountname (HTTP 403)!
Response was: {"error":{"code":403,"message":"Token is missing required scope. Use one of: CaptureRequestData (Capture request data)"}}
Error: errors during Deployment
We suspect that our user hasn't been granted the necessary privileges to deploy the configuration, because when we access the tenant URL we see, in the Request Attribute section of the configuration, the message: "Missing permissions to create or edit request attributes" (screenshot attached).
Could we be right?
We are trying to upload a configuration which was deployed on a Managed environment to a SaaS environment.
Thanks in advance.
Regards,
Elena.
22 Jan 2024 11:31 AM
Hi @erh_inetum ,
The token scope is missing. Please make sure that you have the right scope for the token from the SaaS tenant (to which you are deploying the configurations).
Response was: {"error":{"code":403,"message":"Token is missing required scope. Use one of: CaptureRequestData (Capture request data)"}}
22 Jan 2024 11:36 AM
Hi @Mohamed_Hamdy Thanks for your answer.
A question: it's possible to use the same token for deploy and download commands, right?
If I try to download the configuration, I can download it perfectly. But I get an error when I try to deploy, as you can see.
Regards,
Elena.
22 Jan 2024 11:46 AM
Hi @erh_inetum ,
You can't use the same token. The token used to download the configurations is for the Managed environment, and now you want to deploy these configurations on the SaaS tenant, so you need to create a new token on the SaaS tenant. Also, make sure that the environment URL is changed in the manifest.yaml.
22 Jan 2024 12:55 PM
That's just what we've done. I'll detail the steps:
1.- Create token for test and prod Managed environments and SaaS environment
2.- Download the configurations for the two Managed environments (test and prod) and for the SaaS environments, each using its own token --> The configuration was downloaded successfully.
3.- Upload the test Managed environment configuration to the SaaS tenant --> We receive an HTTP 403 error, which is the same error we receive in the tenant, as you can see in the attached screenshot.
Let me know if something is not clear.
Thanks,
Elena.
22 Jan 2024 12:59 PM
Hi @erh_inetum ,
Is it possible to share the scope of the token you've created to deploy the configurations on the SaaS tenant?
22 Jan 2024 01:11 PM
These are the scopes of the token:
API v2 scopes
Read network zones
Write network zones
Read settings
Write settings
Read SLO
Write SLO
API v1 scopes
Access problem and event feed, metrics, and topology
Read configuration
Write configuration
Thanks a lot for your help.
Regards,
Elena.
22 Jan 2024 01:21 PM
Hi @Mohamed_Hamdy ,
You are right. Capture request data scope is missing.
The problem is that our user doesn't have the privileges to include this scope, so we are going to ask our customer to increase our privileges to do this.
Thanks a lot for your help.
Regards,
Elena.
09 Oct 2024 03:46 PM
How do you scope a token with this permission? I'm not seeing it--even as an admin--when trying to create a new token.
Do I need to use another method, like requesting a token via OAuth2 Client?
10 Oct 2024 05:46 AM
Hi @cullinflynn ,
As far as I remember, you need to belong to "Confidential data admin" user group environment permission.
As you can see at this link, to allow configuration of request-attribute capture rules, the "Manage capturing of sensitive request data" permission is needed:
And this account permission is given in the "Confidential data admin" group:
Probably you can't see this scope because you don't need the required environment permissions.
Hope it helps.
Regards,
Elena.
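The 403 response quoted in this thread names the scope the token lacks. As an added example (not part of the original posts and not Dynatrace or Monaco code), the Python below scans a Monaco deploy log for such failures and checks the named scopes against the token's scope display names; the function names are hypothetical, and the comma-separated form for several alternative scopes is an assumption.

```python
import json
import re

# Constructed sample: the error and response lines from the deploy log quoted in the thread.
SAMPLE_LOG = """\
2024-01-22T11:26:26+01:00 error project_XXX(default) project_XXX:request-attributes:xxxxxxxxxxxxxxxx deploy.configDeployErr Failed to create DT object accountname (HTTP 403)!
Response was: {"error":{"code":403,"message":"Token is missing required scope. Use one of: CaptureRequestData (Capture request data)"}}
"""

# Scope display names of the SaaS token, as listed in the thread.
GRANTED = {
    "Read network zones", "Write network zones", "Read settings", "Write settings",
    "Read SLO", "Write SLO", "Read configuration", "Write configuration",
    "Access problem and event feed, metrics, and topology",
}

ERR_RE = re.compile(r"error \S+ (\S+) deploy\.configDeployErr .*\(HTTP 403\)")
SCOPE_RE = re.compile(r"(\w+) \(([^)]*)\)")
MARKER = "Use one of:"


def required_scopes(log_text):
    """Map each config that failed with HTTP 403 to the scopes the API asked for."""
    found, pending = {}, None
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            pending = m.group(1)  # config coordinate, e.g. project:type:id
        elif pending and line.startswith("Response was: "):
            try:
                msg = json.loads(line[len("Response was: "):])["error"]["message"]
            except (ValueError, KeyError, TypeError):
                msg = ""  # response body was not the expected JSON error object
            if MARKER in msg:
                # Assumption: several alternatives would be listed as "Id (Name), Id (Name)".
                found[pending] = SCOPE_RE.findall(msg.split(MARKER, 1)[1])
            pending = None
    return found


def missing_scopes(log_text, granted_names):
    """Keep only configs where none of the acceptable scopes is on the token."""
    return {cfg: scopes for cfg, scopes in required_scopes(log_text).items()
            if not any(name in granted_names for _, name in scopes)}


if __name__ == "__main__":
    for cfg, scopes in missing_scopes(SAMPLE_LOG, GRANTED).items():
        print(cfg, "needs one of:", ", ".join(f"{i} ({n})" for i, n in scopes))
```

Because "--dry-run" validated the configuration without errors here while the deploy still returned HTTP 403, a check like this is only useful on the log of a real deploy attempt.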