Has your application with the IBM Watson service suddenly stopped working without any changes to its configuration?
The application probably uses HTTP basic authentication with username and password credentials; this is also called as a Cloud Foundry service credential, and you likely see 401: Unauthorised Error
in the application log:
This blog post will outline how to resolve the issue and get your application up and running with the Watson service again.
Solution
Once you migrate a Watson service instance to move it from its current Cloud Foundry org and space to a resource group, your new instance manages authentication with Cloud Identity and Access Management (IAM). IAM is an enhanced mechanism that uses API keys instead of username and password.
As a result, you need to change the application code, which authenticates to the Watson service with the IAM API key credential.
- Log in to IBM Cloud and open your Dashboard.
- Select Services in the Resource summary section > your Watson service instance > Service Credentials.
- Copy the API key in the Credentials section.
- Check your application code that authenticates to the Watson service with username and password credentials and replace it with the API key you copied from Step 3.
Example
The following Python code is using Basic Authentication to connect to the watsonx Assistant instance, and it may have failed with the 401 authentication error because the credential has deprecated.
Note that the username of the old Cloud Foundry service credential is a string other than apikey
in the above example.
Replace the username with the word apikey
and the password with the actual API key of the Watson service.
Below, you’ll see the updated version of the example code:
Or, if you use a later version of Watson SDK to manage the IAM authentication, you can use the following code in this example:
For different programming languages and Watson services, refer to the corresponding Watson SDK and API documents:
Summary
Update your applications to take advantage of the improved security that Cloud Identity and Access Management (IAM) affords. After you update your apps to use the new API key approach, you won’t need the Cloud Foundry service alias and can delete it. The username and password credentials have recently been disabled, and applications must be updated to use the IAM authentication method.
For more details about the migration of your Cloud Foundry instance and the new IAM authentication, see the following: