(403) Forbidden Error when using Create Online Dev. Environment

[cegekaJG]

I am receiving an error when trying to create a new online environment, even though the app authentication is a success. The following is the log from the step Create Developer Environment:

Run microsoft/AL-Go-Actions/CreateDevelopmentEnvironment@v2.4
Run try { D:\a\_actions\microsoft\AL-Go-Actions\v2.4\CreateDevelopmentEnvironment/CreateDevelopmentEnvironment.ps1 -actor $ENV:_actor -token $ENV:_token -parentTelemetryScopeJson $ENV:_parentTelemetryScopeJson -environmentName $ENV:_environmentName -adminCenterApiCredentials $ENV:_adminCenterApiCredentials -reUseExistingEnvironment ($ENV:_reUseExistingEnvironment -eq 'Y') -directCommit ($ENV:_directCommit -eq 'Y') } catch { Write-Host "::Error::Unexpected error when running action ($($_.Exception.Message.Replace("`r",'').Replace("`n",' ')))"; exit 1 }

Cloning into 'cicd-test'...
Switched to a new branch 'uci44hvp.ml4'
Downloading BcContainerHelper latest version from CDN
BcContainerHelper version 4.0.14
BC.HelperFunctions emits usage statistics telemetry to Microsoft
Reading .AL-Go\settings.json
Analyzing repository
Checking project dependencies
Checking appDependencyProbingPaths
...........
Authenticated from 172.177.[188](https://github.com/cegekaJG/cicd-test/actions/runs/4543928614/jobs/8009362958#step:7:190).107 as user ******** (********@*****.com)
Authenticated to common, using tenant id 42151053-0193-47aa-9e81-effd81f772cc
Error: CreateDevelopmentEnvironment action failed. Error: The remote server returned an error: (403) Forbidden. Forbidden  (ms-correlation-x = 0576d82a-69ba-38c6-5430-b4eff0db1f1f) Stacktrace: at Get-BcEnvironments, C:\Users\runneradmin\AppData\Local\Temp\1ce72797-9913-462f-a2c5-cfc2321a265a\BcContainerHelper\Saas\Get-BcEnvironments.ps1: line 32 at CreateDevEnv, D:\a\_actions\microsoft\AL-Go-Actions\v2.4\AL-Go-Helper.ps1: line 1621 at <ScriptBlock>, D:\a\_actions\microsoft\AL-Go-Actions\v2.4\CreateDevelopmentEnvironment\CreateDevelopmentEnvironment.ps1: line 40 at <ScriptBlock>, D:\a\_temp\5818f785-df57-4dff-982c-84468e224265.ps1: line 2 at <ScriptBlock>, <No file>: line 1
AL-Go action ran: CreateDevelopmentEnvironment Telemetry Correlation Id: a58b1bc6-3bdf-4e02-9126-ee38eff48ccf
Removing BcContainerHelper
Error: Process completed with exit code 1.

[freddydk]

If looks like the user used for the authentication doesn't have access to get environments??? How did you create the authentication context?

[cegekaJG]

I get prompted to enter my credentials with the regular login window. I know the username and password are valid because I can use them to create a container with Windows authentication using BcContainerHelper directly.

[freddydk]

Does your Windows Credentials have access to the Business Central Admin Center? Maybe we should setup a Teams call ? It seems like you have some challenges, which we might be able to resolve faster this way. If you invite freddyk at microsoft dot com on Friday 10:00 or 11:00 - then we can maybe get to the bottom of things?

[cegekaJG]

Friday should work, thanks.

[freddydk]

I don't have your email, so if you set something up - I will talk to you there.

[cegekaJG]

Oh, my mistake - I've sent you an invite.

[cegekaJG]

I'd like to reopen this issue, as it's still occurring for me. Here is the full log:

   _____ _                 _   _____             ______
  / ____| |               | | |  __ \           |  ____|
 | |    | | ___  _   _  __| | | |  | | _____   __ |__   _ ____   __
 | |    | |/ _ \| | | |/ _` | | |  | |/ _ \ \ / /  __| | '_ \ \ / /
 | |____| | (_) | |_| | (_| | | |__| |  __/\ V /| |____| | | \ V /
  \_____|_|\___/ \__,_|\__,_| |_____/ \___| \_/ |______|_| |_|\_/

This script will create a cloud based development environment (Business Central SaaS Sandbox) for your project.
All apps and test apps will be compiled and published to the environment in the development scope.
The script will also modify launch.json to have a "Cloud Sandbox (<name>)" configuration point to your environment.

Environment name
----------------
Please enter the name of the environment to create (default J******-sandbox) ******-sandbox
******-sandbox selected

What if the environment already exists?
---------------------------------------
a Recreate environment
b Reuse existing environment

Select behavior (default a)
Recreate environment selected

Downloading BcContainerHelper latest version from CDN
Using 7zip
BcContainerHelper version 5.0.1
BC.HelperFunctions emits usage statistics telemetry to Microsoft
Running on PowerShell 7
Checking type
Checking appFolders, testFolders and bcptTestFolders
Application Dependency 18.0.0.0
Updating app- and test Dependencies
Analyzing Test App Dependencies
Checking project dependencies
Checking appDependencyProbingPaths
WARNING: No test apps found in testFolders in .AL-Go\settings.json
WARNING: No apps found in appFolders in .AL-Go\settings.json
Repository is empty
Attempting authentication to https://api.businesscentral.dynamics.com/user_impersonation offline_access using device login...
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ****** to authenticate.
Waiting for authentication.....
Authenticated from 20.234.83.3 as user J****** (J******@cegeka.com)
Authenticated to common, using tenant id 42151053-0193-47aa-9e81-effd81f772cc
Get-BcEnvironments Telemetry Correlation Id: e8b56a86-f691-46ab-a8e3-4031cb298371
Removing BcContainerHelper
Error: Response status code does not indicate success: 403 (Forbidden).
Stacktrace: at Get-BcEnvironments, C:\Users\J******\AppData\Local\Temp\d5541b9b-dd2c-434f-bd89-050cb8f03560\BcContainerHelper\Saas\Get-BcEnvironments.ps1: line 44
at CreateDevEnv, C:\Users\J******\AppData\Local\Temp\tmp772D.tmp.ps1: line 1637
at <ScriptBlock>, C:\Users\J******\Documents\clients\Cilit\CLT.Base\.AL-Go\cloudDevEnv.ps1: line 75
at <ScriptBlock>, <No file>: line 1

[freddydk]

If you use the latest BcContainerHelper and run this code locally:

$authContext = New-BcAuthContext -includeDeviceLogin
Get-BcEnvironments -bcAuthContext $authContext

What happens? Do you get a list of your environments?

[freddydk]

The problem is likely that you have a secret, where the value is your username. Do you know which secret this is?

[cegekaJG]

What happens? Do you get a list of your environments?

No, I am getting the same error as before. And this repository's only secret is that of the GitHub workflow token.

[freddydk]

OK, so you manually replaced your user name with J** ?

The credentials you are using, is that the AAD credentials, which gives you access to The Business Central Admin Center?

[cegekaJG]

Yes, I replaced it manually. Reading the guide again, it says that step #7 has to have been completed. Does that mean it's not possible to create a sandbox using AL Go without an Azure Keyvault?

[freddydk]

You don't need a keyvault

Please answer my question, which I also asked 2 weeks ago: Does your credentials give you access to the Business Central Admin Center?

[freddydk]

like:

[freddydk]

Likely this URL: https://businesscentral.dynamics.com/42151053-0193-47aa-9e81-effd81f772cc/admin

[cegekaJG]

Okay, I don't have permission. I'll try a different account.

[freddydk]

Which is likely the reason for this error:

Error: Response status code does not indicate success: 403 (Forbidden).