IBM / ibm-cos-sdk-python

Apache License 2.0

ACCESS DENIED error #15

Closed jamesbeltonIBM closed 6 years ago

jamesbeltonIBM commented 6 years ago

I'm having real problems getting the simple 'list buckets' script to work using IAM. All I get is an 'ACCESS DENIED' error.

The code I am using is as follows - am running from the command line:

```python
import ibm_boto3
from ibm_botocore.client import Config

# Constants for IBM COS values
COS_ENDPOINT = "https://s3.eu-gb.objectstorage.softlayer.net"
COS_API_KEY_ID = "xAwuDUgkyuvrbc-theRestOfMyKeyIGoesHere_s5a1C8S"
COS_AUTH_ENDPOINT = "https://iam.bluemix.net/oidc/token"
SERVICE_INSTANCE_ID = "e413e6bc-75da-Myyy-Svcs-InstanceID"

# Create resource
cos = ibm_boto3.resource("s3",
    ibm_api_key_id=COS_API_KEY_ID,
    ibm_service_instance_id=SERVICE_INSTANCE_ID,
    ibm_auth_endpoint=COS_AUTH_ENDPOINT,
    config=Config(signature_version="oauth"),
    endpoint_url=COS_ENDPOINT
)

# List every bucket visible to these credentials
for bucket in cos.buckets.all():
    print(bucket.name)
```

If I change the cos= part of the code to:

```python
cos = ibm_boto3.resource("s3",
    endpoint_url=COS_ENDPOINT)
```

it works fine and it picks up my creds from my aws CLI installation. It's just when I try to use IAM creds I get access denied.

paul-carron commented 6 years ago

Your SERVICE_INSTANCE_ID looks a bit strange. Can you please check it's correct?

If you take the below example of a credentials blob, you should use 65c5b3g2-7db5-4251-93a1-a7c33486d5e9 from the resource_instance_id as your SERVICE_INSTANCE_ID.

```json
{
  "apikey": "xAwuDUgkyuvrbc-theRestOfMyKeyIGoesHere_s5a1C8S",
  "endpoints": "https://cos-service.bluemix.net/endpoints",
  "iam_apikey_description": "Auto generated apikey during resource-key operation for Instance - crn:v1:bluemix:public:cloud-object-storage:global:a/3c467df9e6d84b89065fd00be3065964:65c5b3f1-7db5-4251-93a1-a7c33486d5d8::",
  "iam_apikey_name": "auto-generated-apikey-e2d6c8db-6d8d-4d77-8ec4-9eb65f7b66f1",
  "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Writer",
  "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/3c467df9e6d84b89065fd00be3065964::serviceid:ServiceId-b4b9b864-06f3-4b3c-815c-6ae2e1a14g05",
  "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/3c467ce9e6d84b90065fd00be3065964:65c5b3g2-7db5-4251-93a1-a7c33486d5e9::"
}
```

jamesbeltonIBM commented 6 years ago

cheers @paul-carron - that works. I was pulling the similar value from iam_serviceid_crn in error, possibly because of the variable name it is given in the IBM Cloud docs. I might raise a change on that :) Thanks again!
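
The fix discussed in this thread, as an added example that is not part of the original issue or of the SDK: derive the `ibm_service_instance_id` value from the `resource_instance_id` CRN in the credentials blob, and flag a configured value that was copied out of `iam_serviceid_crn` instead. The helper names are hypothetical, the sample blob is constructed with placeholder values, and the ten-segment CRN layout is an assumption based on the CRNs shown above.

```python
import json

# Constructed sample shaped like the credentials blob in the thread; every
# value here is a placeholder, not a real key or ID.
ACCOUNT = "a/" + "0" * 32
SAMPLE_CREDENTIALS = json.dumps({
    "apikey": "EXAMPLE-API-KEY",
    "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::" + ACCOUNT
        + "::serviceid:ServiceId-11111111-2222-3333-4444-555555555555",
    "resource_instance_id": "crn:v1:bluemix:public:cloud-object-storage:global:"
        + ACCOUNT + ":aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee::",
})

# Assumed CRN layout: ten colon-separated segments.
CRN_FIELDS = ("crn", "version", "cname", "ctype", "service_name",
              "location", "scope", "service_instance", "resource_type", "resource")


def parse_crn(crn):
    """Split a CRN into named segments, rejecting anything malformed."""
    parts = crn.split(":")
    if len(parts) != len(CRN_FIELDS) or parts[0] != "crn":
        raise ValueError("not a CRN: %r" % crn)
    return dict(zip(CRN_FIELDS, parts))


def service_instance_id(credentials_json):
    """Return the GUID to pass as ibm_service_instance_id."""
    crn = parse_crn(json.loads(credentials_json)["resource_instance_id"])
    if crn["service_name"] != "cloud-object-storage" or not crn["service_instance"]:
        raise ValueError("resource_instance_id is not a COS instance CRN")
    return crn["service_instance"]


def check_configured_id(configured, credentials_json):
    """Classify a configured ID: 'ok', 'from_iam_serviceid_crn' or 'unknown'."""
    if configured == service_instance_id(credentials_json):
        return "ok"
    service_id = parse_crn(json.loads(credentials_json)["iam_serviceid_crn"])
    # The mix-up from the thread: the value was copied out of the service ID CRN.
    if configured and configured in service_id["resource"]:
        return "from_iam_serviceid_crn"
    return "unknown"


if __name__ == "__main__":
    print(service_instance_id(SAMPLE_CREDENTIALS))
    print(check_configured_id("11111111-2222-3333-4444-555555555555", SAMPLE_CREDENTIALS))
```

Running a check like this before constructing the client turns a generic access-denied response into a specific message about which credentials field was used.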