Error 403 as a response while calling /iam-token/serviceids/ APIs

While calling /iam-token/serviceids/ APIs, you get 403 as a response.

Causes

The deployment of the old version of the Cloud Pak might not have been cleaned up properly while you were upgrading the Cloud Pak version. To find the reason for the 403 response when calling /iam-token/serviceids/ APIs, enable auth-idp pod debug-level traces and Liberty traces by using the following steps:

  1. Open platform-auth-idp configmap to edit it by using the following command:

    oc edit cm platform-auth-idp
    

    After you run this command, the editor view of the configmap is displayed.

  2. For the platform-auth-service container log:

    • Change the value of the LOG_LEVEL_AUTHSVC parameter to debug.

      Note: By default, the value of the LOG_LEVEL_AUTHSVC parameter is warning or info. Changing its value to debug shows the exact cause of the error 403 that you get while calling /iam-token/serviceids/ APIs.

    • Change the value of the LIBERTY_DEBUG_ENABLED parameter to true to view Liberty debug traces.

You might see a trace similar to the following sample. The sample shows the error "Authorization failed. User is not authorized."

[12/8/22 17:29:46:580 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore                         I filterServiceIdByUserNamespace crnNamespace namespace : cp4s
[12/8/22 17:29:46:580 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore                         I filterServiceIdByUserNamespace User namespace : cert-manager
[12/8/22 17:29:46:580 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore                         I filterServiceIdByUserNamespace User namespace : cp4s-sandbox
[12/8/22 17:29:46:580 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore                         I filterServiceIdByUserNamespace User namespace : cp4sec
[12/8/22 17:29:46:580 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore                         I filterServiceIdByUserNamespace User namespace : default
.
.
.
[12/8/22 17:29:46:588 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore                         I filterServiceIdByUserNamespace User namespace : services
[12/8/22 17:29:46:588 UTC] 00000099 id=00000000 com.ibm.cloud.iam.serviceid.rest.ServiceidsApi               1 listServiceid
com.ibm.cloud.iam.exception.authorization.AuthorizationServiceException: BXNIM0500E: Authorization failed. User is not authorized..
at com.ibm.cloud.iam.core.ServiceIdCore.filterServiceIdsByUserNamespace(ServiceIdCore.java:406)
at com.ibm.cloud.iam.core.ServiceIdCore.listServiceId(ServiceIdCore.java:353)

IMPORTANT: After you perform these steps, restore the LOG_LEVEL_AUTHSVC and LIBERTY_DEBUG_ENABLED parameters to their default values to prevent unintended adverse effects, including degraded performance and system instability.
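In the trace above, the service ID's crnNamespace (cp4s) is not among the User namespace entries that filterServiceIdByUserNamespace lists before the BXNIM0500E exception, which is consistent with a leftover namespace from the old deployment. The following added helper (not part of this page or of the Cloud Pak product) extracts those values from a saved auth-idp debug log so you can confirm the mismatch quickly; the trace it reads is a constructed, shortened copy of the sample above, and the mismatch check is this helper's own interpretation of that trace.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample, shortened from the trace shown on this page.
SAMPLE_TRACE = """\
[12/8/22 17:29:46:580 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore I filterServiceIdByUserNamespace crnNamespace namespace : cp4s
[12/8/22 17:29:46:580 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore I filterServiceIdByUserNamespace User namespace : cert-manager
[12/8/22 17:29:46:580 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore I filterServiceIdByUserNamespace User namespace : cp4s-sandbox
[12/8/22 17:29:46:588 UTC] 00000099 id=00000000 com.ibm.cloud.iam.core.ServiceIdCore I filterServiceIdByUserNamespace User namespace : services
com.ibm.cloud.iam.exception.authorization.AuthorizationServiceException: BXNIM0500E: Authorization failed. User is not authorized..
"""

# Patterns for the two filterServiceIdByUserNamespace trace lines and the failure marker.
CRN_RE = re.compile(r"filterServiceIdByUserNamespace crnNamespace namespace : (\S+)")
USER_RE = re.compile(r"filterServiceIdByUserNamespace User namespace : (\S+)")
AUTHZ_FAIL_MARKER = "AuthorizationServiceException: BXNIM0500E"


class TriageResult(NamedTuple):
    crn_namespace: Optional[str]        # namespace encoded in the service ID's CRN
    user_namespaces: Tuple[str, ...]    # namespaces the caller is authorized for
    authz_failed: bool                  # BXNIM0500E seen in the trace
    namespace_mismatch: bool            # crn namespace absent from user namespaces


def triage_serviceid_trace(trace: str) -> TriageResult:
    """Parse auth-idp debug output and report whether the CRN namespace is missing."""
    crn_namespace = None
    user_namespaces = []
    authz_failed = False
    for line in trace.splitlines():
        match = CRN_RE.search(line)
        if match:
            crn_namespace = match.group(1)
            continue
        match = USER_RE.search(line)
        if match:
            user_namespaces.append(match.group(1))
            continue
        if AUTHZ_FAIL_MARKER in line:
            authz_failed = True
    mismatch = crn_namespace is not None and crn_namespace not in user_namespaces
    return TriageResult(crn_namespace, tuple(user_namespaces), authz_failed, mismatch)
```

Run it against the full log captured from the platform-auth-service container; a result with namespace_mismatch set to True names the namespace that the 403 points back to.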

Troubleshooting the issue

To troubleshoot the issue, restore the old namespace in which the Cloud Pak was deployed.