Why does my Satellite Config rollout fail and result in a not authorized error?
When you create and apply a Satellite Config subscription to create, update, or delete Kubernetes resources, the rollout fails and you see a 403 not authorized error.
The user ID that is used as the Satellite Config subscription identity (the subscription "owner") does not have the permissions required to make changes on the clusters that the rollout applies to. A Satellite Config rollout applies changes under the subscription owner's user ID, so if the listed subscription owner has lost their permissions -- such as by leaving the organization or changing to a new role -- the rollout fails. Or, the subscription identity is incorrectly synced and the cluster cannot verify the user ID permissions.
Change the subscription identity to use a different user ID. That user becomes the new subscription "owner", and the Satellite Config rollout uses their permissions.
- Verify that the current subscription identity belongs to a user that no longer has the necessary permissions. In the status section of the command output, find the Impersonate-user field and note the listed username, which might be listed as a single value or in the form of an email address, such as username@ibm.com. In the same status section, look for a 403 error with a message similar to the one in the example output. To find the subscription name, run ibmcloud sat subscription ls.

    oc get rr -n razeedeploy <subscription-name> -o yaml

  Example status section in the command output.

    status:
      children:
        /api/v1/namespaces/default/configmaps/uploadedapp-cm-2:
          Impersonate-User: {}
          deploy.razee.io/Reconcile: "true"
      last-modified: []
      razee-logs:
        error:
          e2da78e5642c34f1b4f7916ab960a37571db4a9d: '1 errors occurred: Error applying file to kubernetes. StatusCode: 403 url: https://config.satellite.test.cloud.ibm.com/api/v1/channels/UploadedApp1/55a55aaa-5a5a-555a message: user does not have permissions to create resources of type ConfigMap'
- Change the subscription identity to a different user ID. Note that you can only update a subscription identity to use your own user ID, not the user ID of someone else. If you want someone else to be the subscription owner, they must run the command in their own account.

    ibmcloud sat subscription identity set --subscription <subscription-name>
- Try to apply the Satellite Config changes again.
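To run the check from the first step across every RemoteResource in the razeedeploy namespace instead of one subscription at a time, the following added example (not part of the original page or of IBM's tooling) scans the JSON form of the `oc get rr` output for 403 errors and reports the impersonated user. It assumes the JSON output has the same fields as the YAML example above; the function names and the sample data are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `oc get rr -n razeedeploy -o json`, based on the
# example status on this page; resource names, log key and URL are placeholders.
SAMPLE = {"items": [
    {"metadata": {"name": "example-subscription-1"}, "status": {
        "children": {"/api/v1/namespaces/default/configmaps/uploadedapp-cm-2": {
            "Impersonate-User": "username@ibm.com",
            "deploy.razee.io/Reconcile": "true"}},
        "razee-logs": {"error": {"examplekey": (
            "1 errors occurred: Error applying file to kubernetes. "
            "StatusCode: 403 url: https://config.example.invalid/api/v1/channels/x "
            "message: user does not have permissions to create resources "
            "of type ConfigMap")}}}},
    {"metadata": {"name": "example-subscription-2"}, "status": {
        "children": {"/api/v1/namespaces/default/configmaps/ok-cm": {
            "Impersonate-User": {}, "deploy.razee.io/Reconcile": "true"}}}},
]}

def impersonated_users(node):
    """Collect non-empty Impersonate-User strings anywhere under a status block."""
    found = set()
    if isinstance(node, dict):
        for key, value in node.items():
            # The page spells the field both Impersonate-user and Impersonate-User.
            if key.lower() == "impersonate-user" and isinstance(value, str) and value:
                found.add(value)
            else:
                found |= impersonated_users(value)
    return found

def find_auth_failures(rr_list):
    """Return one record per RemoteResource whose razee-logs contain a 403 error."""
    failures = []
    for item in rr_list.get("items", []):
        status = item.get("status") or {}
        errors = (status.get("razee-logs") or {}).get("error") or {}
        denied = [str(m) for m in errors.values() if "StatusCode: 403" in str(m)]
        if denied:
            failures.append({"name": item["metadata"]["name"],
                             "users": sorted(impersonated_users(status)),
                             "messages": [m.split("message:", 1)[-1].strip() for m in denied]})
    return failures

if __name__ == "__main__":
    # Pipe real output in; with no piped input the constructed sample is used.
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for f in find_auth_failures(data):
        print(f"{f['name']}: 403 as {', '.join(f['users']) or 'unknown'}: {f['messages']}")
```

To check a live cluster, pipe the output of `oc get rr -n razeedeploy -o json` into the script.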