cf admin does not have necessary scopes to assign SpaceDeveloper role to a service account

Article ID: 400589

Products

VMware Tanzu Platform

Issue/Introduction

You may be accustomed to assigning roles to ordinary users, but if you try to assign the same role to a service account (a UAA client, passed to the cf CLI with --client), you may see this error:

cf set-space-role generic_client <MY ORG> <MY SPACE> SpaceDeveloper --client

Assigning role SpaceDeveloper to user generic_client in org <MY ORG> / space <MY SPACE> as admin...
You are not authorized to perform the requested action.
FAILED

If you repeat the command with the -v (verbose) option, the trace shows the CLI looking up the client in UAA with the admin user's token, and UAA rejecting the request because that token carries none of the scopes the endpoint accepts:

REQUEST:
GET /oauth/clients/generic_client
RESPONSE:
HTTP/1.1 403 Forbidden

error: insufficient_scope
error_description: insufficient scope for this resource
scope: "uaa.admin, clients.read, clients.admin, zones.uaa.admin"

The following command lists the UAA groups, and therefore the scopes, that the admin user holds. It should confirm that admin has none of the scopes UAA listed (any one of uaa.admin, clients.read, clients.admin, or zones.uaa.admin would have satisfied the request):

uaa get-user admin | jq -re '.groups | sort_by(.display)[].display'

Environment

Tanzu Application Service (TAS, all versions)

Resolution

A verified workaround that enables you to assign roles to service accounts has two parts: add clients.read to the scopes of the cf client in UAA (the client the cf CLI authenticates through, so that it may request that scope on a user's behalf), and add the admin account to the clients.read group (uaac member add clients.read admin) so that the user is actually granted it. Both parts are required, because a token only carries a scope that is both allowed for the client and held by the user. Log out and log in again with the cf CLI afterwards; the scope is written into the token at login, so an existing session keeps failing. Note that clients.read lets the account read every client registration in the UAA zone (not client secrets), so grant it only to the accounts that need to manage service-account roles. Subscribe to this article to receive updates on the issue being fixed in a new release of Tanzu Application Service.

Steps to Add clients.read to CF Client Scopes

Log in to the Cloud Foundry CLI:
  • Ensure you have the Cloud Foundry CLI (cf) installed. If not, download and install it from the VMware Tanzu documentation.
  • Log in to your Tanzu Cloud Foundry environment as an admin user:
    cf login -a <API_ENDPOINT> -u <ADMIN_USERNAME> -p <PASSWORD> --skip-ssl-validation
    Replace <API_ENDPOINT> with your TAS API endpoint (e.g., api.sys.example.com), <ADMIN_USERNAME> with your admin username, and <PASSWORD> with your password. Omitting -p makes cf prompt for the password instead of leaving it in your shell history. Use --skip-ssl-validation only if your environment uses self-signed certificates; it disables verification of the API server's certificate.
Verify UAA Admin Access:
  • The clients.read scope is managed by the UAA server, and modifying client scopes requires a user or client with the clients.admin or uaa.admin authority.
  • The cf login above does not give you that: the admin user is exactly the account that lacks these scopes. The changes below are made with the UAA CLI (uaac) and an admin client, and you confirm that client's permissions once you hold its token.

Retrieve the cf client's current registration using the UAA CLI (uaac):

  • Target your UAA server and obtain a token for an admin client:
    uaac target <UAA_ENDPOINT>
    uaac token client get <ADMIN_CLIENT_ID> -s <ADMIN_CLIENT_SECRET>
    Replace <UAA_ENDPOINT> with your UAA endpoint (e.g., https://uaa.sys.example.com), <ADMIN_CLIENT_ID> with an admin client ID, and <ADMIN_CLIENT_SECRET> with its secret. Omitting -s makes uaac prompt for the secret instead of leaving it in your shell history.
  • Confirm that the token you obtained carries clients.admin or uaa.admin; uaac context prints the scopes of the current token:
    uaac context
  • List existing clients, then display the client the cf CLI uses (its client ID is cf) and note its current scope list, because you need the full list for the update step:
    uaac clients
    uaac client get cf

Add the clients.read Scope to the Client:
  • Update the cf client's scopes with uaac. The --scope value replaces the client's entire scope list rather than appending to it, so pass every scope reported by uaac client get cf plus clients.read (space-separated):
    uaac client update cf --scope "<EXISTING SCOPES> clients.read"
    Replace <EXISTING SCOPES> with the current list. For example, if the client currently has cloud_controller.read and openid, the command would be:
    uaac client update cf --scope "cloud_controller.read openid clients.read"
    Run uaac client get cf again afterwards and check that no scope was dropped; a cf client missing its original scopes breaks the cf CLI for every user.
  • If you are instead registering a new service-account client, give it clients.read at registration time:
    uaac client add <CLIENT_ID> \
      --name <CLIENT_NAME> \
      --secret <CLIENT_SECRET> \
      --scope "clients.read" \
      --authorized_grant_types "client_credentials" \
      --authorities "clients.read"
    Replace <CLIENT_ID>, <CLIENT_NAME>, and <CLIENT_SECRET> with your desired values. With the client_credentials grant (machine-to-machine authentication) the token's permissions come from --authorities; --scope governs what the client may request on behalf of a user under user-based grant types such as authorization_code.
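The steps above hinge on one detail that is easy to get wrong by hand: uaac client update --scope replaces the cf client's whole scope list, so the new list has to be built from the old one. The script below is an added example, not code from the article or from VMware; it reads the scope line out of uaac client get output, appends clients.read only if it is missing, and prints the uaac client update and uaac member add commands from the Resolution section for you to review before running. The function names, the sample uaac output (constructed to look like "  scope: a b c", which is an assumption about uaac's output format), and the dry-run design are this example's own; the client ID cf and the group command come from the article.

```shell
#!/bin/sh
# Added example, not part of the KB article: build the replacement scope list
# for the cf CLI's UAA client ("cf") so that `uaac client update --scope`
# keeps the scopes the client already has, and print the commands to run.
# Assumption: `uaac client get cf` prints the scope list on one line as
# "  scope: a b c". The sample below is constructed to match that shape.

# Constructed sample of `uaac client get cf` output, used for a dry run.
SAMPLE_CLIENT_GET='  client_id: cf
  scope: cloud_controller.read cloud_controller.write openid password.write scim.userids
  resource_ids: none
  authorized_grant_types: password refresh_token
  authorities: uaa.none
  autoapprove: true
  name: cf'

# Print the space-separated scope list found in uaac client output
# (prints nothing if the output has no "scope:" line).
current_scopes() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*scope:[[:space:]]*//p'
}

# Print the scope list $1 with scope $2 appended; leave it unchanged if $2 is
# already present, so the resulting update is safe to apply more than once.
merged_scopes() {
    scopes=$1
    want=$2
    for s in $scopes; do
        if [ "$s" = "$want" ]; then
            printf '%s\n' "$scopes"
            return 0
        fi
    done
    printf '%s %s\n' "$scopes" "$want"
}

# Print the two uaac commands the workaround needs: the client update with the
# full scope list, and the group membership for the user who runs cf.
# $1 client id, $2 scope to add, $3 user to add to the group, $4 uaac client get output.
# Fails (return 1) instead of guessing when no scope line is found.
plan_uaac_commands() {
    client=$1
    want=$2
    user=$3
    output=$4
    scopes=$(current_scopes "$output")
    if [ -z "$scopes" ]; then
        echo "no scope line found for client $client; not generating an update" >&2
        return 1
    fi
    printf 'uaac client update %s --scope "%s"\n' "$client" "$(merged_scopes "$scopes" "$want")"
    printf 'uaac member add %s %s\n' "$want" "$user"
}

# Dry run against the constructed sample. Against a live UAA (after
# `uaac target` and `uaac token client get`), pass "$(uaac client get cf)"
# instead of the sample, run the printed commands, then `cf logout` and
# `cf login` again so the admin user's new token carries clients.read.
plan_uaac_commands cf clients.read admin "$SAMPLE_CLIENT_GET"
```

The script deliberately prints the commands rather than executing them: the cf client is shared by every cf CLI user, so the generated uaac client update line is worth a look before it goes in. If your uaac prints the scope list in a different layout, current_scopes returns nothing and plan_uaac_commands refuses to generate an update rather than emitting one that would wipe the client's scopes.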