anton-sidelnikov
commented
6 months ago Hello @zeljkobekcic how you use ak/sk, could you provide your code with auth? From our side everything works
Closed zeljkobekcic closed 6 months ago
anton-sidelnikov
commented
6 months ago Hello @zeljkobekcic how you use ak/sk, could you provide your code with auth? From our side everything works
RobinBially
commented
6 months ago Hi @anton-sidelnikov, here is a minimal code snippet leading to the error WAF.9001:
func login() (*golangsdk.ServiceClient, error) {
err := godotenv.Load()
authProvider = golangsdk.AKSKAuthOptions{
IdentityEndpoint: os.Getenv("IAM_IDENTITY_ENDPOINT"),
Domain: os.Getenv("OTC_DOMAIN_NAME"),
ProjectName: os.Getenv("OTC_TENANT_NAME"),
AccessKey: os.Getenv("ACCESS_KEY"),
SecretKey: os.Getenv("SECRET_KEY"),
}
provider, err := openstack.AuthenticatedClient(authProvider)
if err != nil {
return nil, err
}
opts := golangsdk.EndpointOpts{Region: "eu-de"}
wafClientTest, err := openstack.NewWAFV1(provider, opts)
if err != nil {
return nil, err
}
return wafClientTest, nil
}
func Test_ListCertificates(t *testing.T) {
client, _ := login()
pageWaf, err := waf.List(client, waf.ListOpts{}).AllPages()
if err != nil {
panic(err)
}
extracted, err := waf.ExtractCertificates(pageWaf)
funk.ForEach(extracted, func(cert waf.Certificate) {
fmt.Println("cert name: " + cert.Name + " | cert id: " + cert.Id)
})
}
dombisza
commented
6 months ago I was facing similar issue last week, what helped me is using only the sub-project's name in the AKSKAuthOptions instead of the domain. I was facing this issue with ELB certificates APIs. Not sure if this is applicable for your usecase.
opts := golangsdk.AKSKAuthOptions{
IdentityEndpoint: os.Getenv("OS_AUTH_URL"),
ProjectName: os.Getenv("OS_SUBPROJECT_NAME"),
AccessKey: os.Getenv("OS_AK"),
SecretKey: os.Getenv("OS_SK"),
}My guess is when you are using Domain the sdk builds URLs for the top level domain (eu-de project id) instead of the sub-domain.
RobinBially
commented
6 months ago I removed the Domain from the AKSKAuthOptions and now it is working.
zeljkobekcic
commented
6 months ago I can confirm this too. I guess this solves this issue.
Hello,
we are using this project in two other projects:
We recently observed, that when authenticating with AK/SK we are not able to perform List operation anymore. We did not verify other operations. We observed this on ECS, ELB and WAF.
The error message which we receive are:
"Bad request with: [GET https://elb.eu-de.otc.t-systems.com/v3/CENSORED/elb/certificates], error message: {"error_msg":"URL's projectId is not equal token's projectId.","error_code":"SYS.0400","request_id":"1013199723921eb4241d1fd72c903d1a"}Authentication Failed, error message: {\"badRequest\":{\"message\":\"Malformed request URL: URL's project_id 'CENSORED' doesn't match Context's project_id 'null'\",\"code\":\"401\"}}Authentication Failed, error message: {"error_msg": "Invalid token. Project id don't match","error_code":"WAF.9001"}"Authentication Failed, error message: {\"code\":401,\"element\":\"Unauthorized\",\"message\":\"User is not correctly authenticated\",\"details\":{\"details\":\"Authenticate failed.\",\"code\":\"ces.0015\"}}"This does not occur when authenticating with username/password on both projects.
Contrary to the error messages, we are providing the project id when creating a client.
The used version on the projects are:
Can you verify this?
Is there something we need to pay attention to, when creating the client with AK/SK? This was not the case around 06.2023.
The thing which is troubling me to debug this is the last error message from CES Service.
Thank you very much Have a nice day
@RobinBia