Symptoms:
- A cloud user is part of an AD group, and the group is added to a project. However, the user is not able to access the resources of that project when using API calls / Terraform.
The group is shown in the console in the format group_name@domain@domain; however, when the user runs the following command
curl --location --request POST 'https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'api_token=refresh_token'
where refresh_token is the API token of the user who is experiencing the project-scope access issue, and then takes the id_token from the response and decodes it (for example with a JSON Web Token decoder), the group appears under the group_names claim as group_name@domain, not group_name@domain@domain. Note that the id_token and access_token are bearer credentials: decode them locally rather than pasting them into a third-party web tool.
- A custom role is assigned to a group; however, the Cloud Assembly users that are part of the group do not get the custom role permissions when calling APIs (or using Terraform) with an access token acquired from the API token.
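As an added example (not part of the original article or of VMware's tooling), the following Python script performs the same token exchange as the curl command above, decodes the id_token locally instead of pasting it into a web tool, and compares the group_names claim with the group name as shown in the console. The decoder reads the payload without verifying the signature, which is adequate for inspection only. The sample token is constructed inline so the script runs offline; the check_group_names helper and its assumption that the console name differs from the token only by a repeated @domain suffix are mine, not something the article states.

```python
import base64
import json
import sys
import urllib.parse
import urllib.request

# CSP endpoint exactly as used in the curl command on this page.
AUTHORIZE_URL = (
    "https://console.cloud.vmware.com/csp/gateway/am/api/auth/api-tokens/authorize"
)


def exchange_api_token(api_token: str, url: str = AUTHORIZE_URL) -> dict:
    """POST grant_type=refresh_token&api_token=<token>; returns the JSON body.

    Same request as the curl command above (needs network access; the
    response carries access_token and id_token among other fields).
    """
    body = urllib.parse.urlencode(
        {"grant_type": "refresh_token", "api_token": api_token}
    ).encode()
    req = urllib.request.Request(
        url,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.

    Good enough to read group_names locally instead of pasting the token into a
    web tool; never use unverified claims for an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_group_names(claims: dict, console_group: str) -> dict:
    """Compare the token's group_names claim with the name shown in the console.

    Assumption (mine, not from the article): the console name may carry a
    repeated '@domain' suffix, so the name with its last '@...' segment
    removed is tried as well.
    """
    token_groups = claims.get("group_names", [])
    trimmed = console_group
    if console_group.count("@") >= 2:
        trimmed = console_group.rsplit("@", 1)[0]
    return {
        "token_groups": token_groups,
        "exact_match": console_group in token_groups,
        "trimmed_name": trimmed,
        "trimmed_match": trimmed in token_groups,
    }


def make_unsigned_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demonstration (not a real CSP token)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the shape the article reports seeing in the id_token.
SAMPLE_ID_TOKEN = make_unsigned_sample_token(
    {"sub": "user@domain", "group_names": ["group_name@domain"]}
)


if __name__ == "__main__":
    # Usage: python check_groups.py <api_token> <group as shown in console>
    # Without arguments the constructed sample token is inspected offline.
    if len(sys.argv) == 3:
        id_token = exchange_api_token(sys.argv[1])["id_token"]
        console_group = sys.argv[2]
    else:
        id_token, console_group = SAMPLE_ID_TOKEN, "group_name@domain@domain"
    result = check_group_names(decode_jwt_claims(id_token), console_group)
    print(json.dumps(result, indent=2))
```

With the sample token, exact_match is False and trimmed_match is True, which is the mismatch the symptom describes: the project knows the group as group_name@domain@domain while the token only carries group_name@domain. Run it against a real API token to confirm the same pattern for the affected user before escalating.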