Facing 403 errors after getting token

Hi,

I have deployed a Boundary config via Terraform:

provider "boundary" {
  addr                            = "http://10.13.37.112:9200"
  auth_method_id                  = "ampw_3pNqmP65oW"
  password_auth_method_login_name = "admin"
  password_auth_method_password   = "XX"
}

variable "users" {
  type    = set(string)
  default = [
    "user1",
    "user2"
  ]
}

variable "readonly_users" {
  type    = set(string)
  default = [
    "drone"
  ]
}

variable "backend_server_ips" {
  type    = set(string)
  default = [
    "10.13.37.5",
    "10.13.37.112"
  ]
}

resource "boundary_scope" "global" {
  global_scope = true
  description  = "Global"
  scope_id     = "global"
}

resource "boundary_scope" "home" {
  name                     = "home.exnet.lan"
  description              = "home.exnet.lan"
  scope_id                 = boundary_scope.global.id
  auto_create_admin_role   = true
  auto_create_default_role = true
}

## Use password auth method
resource "boundary_auth_method" "password" {
  name     = "Home Passwords"
  scope_id = boundary_scope.home.id
  type     = "password"
}

resource "boundary_account" "users_acct" {
  for_each       = var.users
  name           = each.key
  description    = "User account for ${each.key}"
  type           = "password"
  login_name     = lower(each.key)
  password       = "password"
  auth_method_id = boundary_auth_method.password.id
}

resource "boundary_user" "users" {
  for_each    = var.users
  name        = each.key
  description = "User resource for ${each.key}"
  scope_id    = boundary_scope.home.id
}

resource "boundary_user" "readonly_users" {
  for_each    = var.readonly_users
  name        = each.key
  description = "User resource for ${each.key}"
  scope_id    = boundary_scope.home.id
}

resource "boundary_group" "readonly" {
  name        = "read-only"
  description = "Organization group for readonly users"
  member_ids  = [for user in boundary_user.readonly_users : user.id]
  scope_id    = boundary_scope.home.id
}

resource "boundary_role" "organization_readonly" {
  name        = "Read-only"
  description = "Read-only role"
  principal_ids = [boundary_group.readonly.id]
  grant_strings = ["id=*;type=*;actions=read"]
  scope_id    = boundary_scope.home.id
}

resource "boundary_role" "organization_admin" {
  name        = "admin"
  description = "Administrator role"
  principal_ids = concat(
    [for user in boundary_user.users: user.id]
  )
  grant_strings   = ["id=*;type=*;actions=create,read,update,delete"]
  scope_id = boundary_scope.home.id
}

resource "boundary_scope" "core_infra" {
  name                   = "Core infrastrcture"
  description            = "Home Networking"
  scope_id               = boundary_scope.home.id
  auto_create_admin_role = true
}

resource "boundary_host_catalog" "backend_servers" {
  name        = "backend_servers"
  description = "Backend servers host catalog"
  type        = "static"
  scope_id    = boundary_scope.core_infra.id
}

resource "boundary_host" "backend_servers" {
  for_each        = var.backend_server_ips
  type            = "static"
  name            = "backend_server_service_${each.value}"
  description     = "Backend server host"
  address         = each.key
  host_catalog_id = boundary_host_catalog.backend_servers.id
}

resource "boundary_host_set" "backend_servers_ssh" {
  type            = "static"
  name            = "backend_servers_ssh"
  description     = "Host set for backend servers"
  host_catalog_id = boundary_host_catalog.backend_servers.id
  host_ids        = [for host in boundary_host.backend_servers : host.id]
}

# create target for accessing backend servers on port :8080
resource "boundary_target" "backend_servers_service" {
  type         = "tcp"
  name         = "Backend service"
  description  = "Backend service target"
  scope_id     = boundary_scope.core_infra.id
  default_port = "8080"

  host_set_ids = [
    boundary_host_set.backend_servers_ssh.id
  ]
}

# create target for accessing backend servers on port :22
resource "boundary_target" "backend_servers_ssh" {
  type         = "tcp"
  name         = "Backend servers"
  description  = "Backend SSH target"
  scope_id     = boundary_scope.core_infra.id
  default_port = "22"

  host_set_ids = [
    boundary_host_set.backend_servers_ssh.id
  ]
}

I then authenticate with the user and password to get a token:

boundary authenticate password -auth-method-id=ampw_XXX -login-name=user1

I get a token, but then I face a 403 when trying to do anything:

$ curl -H "Authorization: Bearer $(boundary config get-token)" -H "Content-Type: application/json" https://boundary.exnet.lan/v1/targets/ttcp_XXXX -k
{"status":403, "code":"PermissionDenied", "message":"Forbidden."}

Any ideas? :frowning:

Thanks for trying Boundary!

Does boundary targets list show the targets you’re granted access to after authenticating?

My pleasure!
Hrm, odd, it doesn't seem to take the scope ID:

21:23 $ curl -H "Authorization: Bearer $(boundary config get-token)" -H "Content-Type: application/json" https://boundary.exnet.lan/v1/targets?scope_id=o_7Ywy6XUxt6 -k | jq

{
  "status": 400,
  "code": "InvalidArgument",
  "message": "Improperly formatted identifier.",
  "details": {
    "request_fields": [
      {
        "name": "scope_id",
        "description": "This field is required to have a properly formatted project scope id."
      }
    ]
  }
}

Thanks, it looks like you're using curl here. Can you use the CLI to verify that you can list targets first? That way we rule out any typos or construction issues with the curl command.

21:51 $ boundary targets list -scope-id=o_7Ywy6XUxt6 -addr=https://XXX -tls-insecure
Error from controller when performing list on targets:
Error information:
  Code:                InvalidArgument
  Message:             Improperly formatted identifier.
  Status:              400

  Field-specific Errors:
    Name:              -scope-id
      Error:           This field is required to have a properly formatted project scope id.

I was using the -output-curl-string client option to generate the curl line.

Thanks @hijak - the error message here is poor, but here’s the real issue: you’re using an organization scope o_ and targets are only ever part of a project scope, p_.

Can you do a boundary scopes list -scope-id o_7Ywy6XUxt6, then use the returned project scope for this list command instead.

We’re doing a big revamp on our error handling, feel free to open a GitHub issue related to this error message as well.

No luck:

$ boundary scopes list -scope-id o_7Ywy6XUxt6 -addr=https://boundary.exnet.lan -tls-insecure

Scope information:
  ID:             p_4304XC6WGh
    Version:      1
    Name:         Core infrastrcture
    Description:  Home Networking

$ boundary targets list -scope-id=p_4304XC6WGh -addr=https://boundary.exnet.lan -tls-insecure
Error from controller when performing list on targets:
Error information:
  Code:
  Message:             Forbidden
  Status:              403

I have made sure I re-authed before trying.

Can you send the output of a read on your various roles? It seems you simply don’t have permission.

I'm able to read the roles:

$ boundary roles read -id=r_i36TutoC0r -addr=https://boundary.exnet.lan -tls-insecure

Role information:
  Created Time:        Wed, 21 Oct 2020 20:38:19 BST
  Description:         Role created for administration of scope o_7Ywy6XUxt6 by user u_yAvnfAXovH at its creation time
  Grant Scope ID:      o_7Ywy6XUxt6
  ID:                  r_i36TutoC0r
  Name:                Administration
  Updated Time:        Wed, 21 Oct 2020 20:45:49 BST
  Version:             2

  Scope:
    ID:                o_7Ywy6XUxt6
    Name:              home.exnet.lan
    Parent Scope ID:   global
    Type:              org

  Principals:
    ID:             u_DZjHc40rFS
      Type:         user
      Scope ID:     o_7Ywy6XUxt6
    ID:             u_yAvnfAXovH
      Type:         user
      Scope ID:     global

  Canonical Grants:
    id=*;type=*;actions=*

$ boundary roles read -id=r_PpHjulVpTZ -addr=https://boundary.exnet.lan -tls-insecure

Role information:
  Created Time:        Wed, 21 Oct 2020 20:38:20 BST
  Description:         Administrator role
  Grant Scope ID:      o_7Ywy6XUxt6
  ID:                  r_PpHjulVpTZ
  Name:                admin
  Updated Time:        Wed, 21 Oct 2020 20:38:23 BST
  Version:             3

  Scope:
    ID:                o_7Ywy6XUxt6
    Name:              home.exnet.lan
    Parent Scope ID:   global
    Type:              org

  Principals:
    ID:             u_qlloF3AOSB
      Type:         user
      Scope ID:     o_7Ywy6XUxt6
    ID:             u_DZjHc40rFS
      Type:         user
      Scope ID:     o_7Ywy6XUxt6

  Canonical Grants:
    id=*;type=*;actions=create,delete,read,update

I am u_DZjHc40rFS.

Ah, you’re missing list from your actions allowed on your role. That would prevent you from listing targets. Can you add that to the role grants?

I added this and even tried it with a wildcard; it still didn't work.

$ boundary roles read -id=r_i36TutoC0r -addr=https://boundary.exnet.lan -tls-insecure

Role information:
  Created Time:        Wed, 21 Oct 2020 20:38:19 BST
  Description:         Role created for administration of scope o_7Ywy6XUxt6 by user u_yAvnfAXovH at its creation time
  Grant Scope ID:      o_7Ywy6XUxt6
  ID:                  r_i36TutoC0r
  Name:                Administration
  Updated Time:        Thu, 22 Oct 2020 16:00:36 BST
  Version:             3

  Scope:
    ID:                o_7Ywy6XUxt6
    Name:              home.exnet.lan
    Parent Scope ID:   global
    Type:              org

  Principals:
    ID:             u_DZjHc40rFS
      Type:         user
      Scope ID:     o_7Ywy6XUxt6
    ID:             u_yAvnfAXovH
      Type:         user
      Scope ID:     global

  Canonical Grants:
    id=*;type=*;actions=create,delete,list,read,update

$ boundary targets list -scope-id p_4304XC6WGh -addr=https://boundary.exnet.lan -tls-insecure
Error from controller when performing list on targets:
Error information:
  Code:
  Message:             Forbidden
  Status:              403

That role is in scope o_7Ywy6XUxt6 with grants also scoped there (Grant Scope ID: o_7Ywy6XUxt6). You either need to change the grant scope ID for that role to p_4304XC6WGh or you need to create a role in that project scope. It’s just a scope mismatch!

Ah yes! Thank you Jeff!!

I updated the scope ID on the role to the project, and now I can list targets!!!

boundary roles update -grant-scope-id=p_4304XC6WGh -id=r_i36TutoC0r -addr=https://boundary.exnet.lan -tls-insecure

Is this something missing from my Terraform config?

Yes, probably you need to either adjust one of your roles or add a new role.
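The same fix expressed in the Terraform config from the opening post, as an added example that is not part of the thread or the provider's own docs: the first role is created in the project scope, the second stays in the org scope but points its grants at the project through grant_scope_id, the attribute the boundary_role resource exposed at the time of this thread (assumed here). The authorize-session action is assumed to be the one needed to actually connect to a target.

```hcl
# Added example, not from the thread. Both roles reference the scopes, users
# and group declared in the opening post's config.

# Option 1: create the role directly in the project scope. Its grants then
# apply to the targets that live in that project, so no grant_scope_id is
# needed. Principals from the parent org scope can be attached here.
resource "boundary_role" "core_infra_users" {
  name          = "core-infra-users"
  description   = "List and connect to targets in the Core infrastructure project"
  scope_id      = boundary_scope.core_infra.id
  principal_ids = [for user in boundary_user.users : user.id]
  grant_strings = [
    # list is a separate action from read; without it `boundary targets list`
    # is forbidden even when read is granted (the first problem found above)
    "id=*;type=target;actions=list,read,authorize-session",
    "id=*;type=host-catalog;actions=list,read",
    "id=*;type=host-set;actions=list,read",
    "id=*;type=host;actions=list,read",
  ]
}

# Option 2: keep the role in the org scope (where the read-only group lives)
# but point its grants at the project. This is the declarative form of the
# `boundary roles update -grant-scope-id=...` command used above, and it also
# adds the list action the original read-only role was missing.
resource "boundary_role" "core_infra_readonly" {
  name           = "core-infra-readonly"
  description    = "Read-only view of the Core infrastructure project"
  scope_id       = boundary_scope.home.id
  grant_scope_id = boundary_scope.core_infra.id
  principal_ids  = [boundary_group.readonly.id]
  grant_strings  = ["id=*;type=*;actions=list,read"]
}
```

After `terraform apply`, re-authenticate so the new token picks up the role membership, then re-run `boundary targets list -scope-id=<project id>` to confirm the 403 is gone.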