Customer gets 403 Error When Accessing Instance

Owned by Yuki Jung, created
Last updated: Nov 09, 2020 by Edwin Elia
1 min read

Problem

User tries to access their CDF instance by clicking on “View instance” in pantheon UI but they get a 403 error, even though they have Project Editor or Owner role assigned via IAM. Currently root cause is unknown, so please follow these steps for debugging!

Debugging steps

Verify their permissions

  1. Ask for screenshot of the IAM permission for the user(s).

  2. Ask customer to try testIAMPolicy to verify they have the proper permissions:

    1. Navigate to https://cloud.google.com/data-fusion/docs/reference/rest/v1beta1/projects.locations.instances/testIamPermissions

    2. Click on “try it”

    3. Under Request parameters, put "projects/<fill in project here>/locations/<instance location>/instances/<fill in CDF instance name here>" for the resource.

    4. Put "datafusion.instances.get" permission in the request body (see example https://screenshot.googleplex.com/6Qksfkc33VzaA3M).

    5. Click “Execute”.

    6. Customer should see a 200 response with “datafusion.instances.get” under permissions.

Check if the issue is specific to Data Fusion or also with other resources

If the user is also having same error for AI Notebooks, problem could be with inverting proxy.

Try accessing instance in an incognito window

When they do this, specify that they need to make sure they don’t have any other incognito windows open at the same time or else they will see the 403 error.

Try deleting cookie for the CDF url

Related articles