Failed to create vSphere Namespace with HTTP Error 403 in Data Services Manager

Article ID: 411363

Products

VMware Data Services Manager

Issue/Introduction

When using the VMware Data Services Manager Plug-in in the vSphere Client, you might be blocked from creating a Supervisor infrastructure policy because of a 403 error, and as a result, you cannot use Supervisor for your workloads.

Environment

Data Services Manager 9.0.0.0

Data Services Manager 9.0.1.0

Cause

The problem occurs because the Supervisor does not grant the service account the permissions it needs to list namespaces. As a result, VMware Data Services Manager blocks the policy creation with an error in the following format.

Failed to filter Supervisor namespaces with namespace inventory Failed to fetch vCenter Supervisor inventory: Failure executing: GET at: https://###.###.###.###:443/api/v1/namespaces. Message: namespaces is forbidden: User "sso:##########@vsphere.local" cannot list resource "namespaces" in API group "" at the cluster scope. Received status: Status(apiVersion=v1, code=403, details=StatusDetails(causes=[], group=null, kind=namespaces, name=null, retryAfterSeconds=null, uid=null, additionalProperties={}), kind=Status, message=namespaces is forbidden: User "sso:##########@vsphere.local" cannot list resource "namespaces" in API group "" at the cluster scope, metadata=ListMeta(_continue=null, remainingItemCount=null, resourceVersion=null, selfLink=null, additionalProperties={}), reason=Forbidden, status=Failure, additionalProperties={}).
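
To confirm that a captured error matches this article before changing permissions, the following added example (not part of the original article or of VMware Data Services Manager) parses the Kubernetes RBAC denial text and lists the accounts that were refused a cluster-scope list of namespaces. The sample text, account names, and function names are constructed for illustration.

```python
import re

# Kubernetes RBAC denial wording, as it appears in the error quoted above.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

def parse_denials(text):
    """Return the distinct RBAC denials in text, in order of first appearance."""
    seen, denials = set(), []
    for m in FORBIDDEN_RE.finditer(text):
        d = m.groupdict()
        d["scope"] = "namespace" if d["namespace"] else "cluster"
        key = (d["user"], d["verb"], d["resource"], d["group"], d["namespace"])
        if key not in seen:  # the status object repeats the same message
            seen.add(key)
            denials.append(d)
    return denials

def matches_article(d):
    """True for the denial this article describes: an SSO account that
    cannot list namespaces in the core API group at cluster scope."""
    return (d["user"].startswith("sso:") and d["verb"] == "list"
            and d["resource"] == "namespaces" and d["group"] == ""
            and d["scope"] == "cluster")

def affected_accounts(text):
    """Accounts whose Supervisor permissions need the fix in Resolution."""
    return [d["user"] for d in parse_denials(text) if matches_article(d)]

# Constructed sample: the article's error shape plus one unrelated denial.
SAMPLE = (
    'Failed to fetch vCenter Supervisor inventory: Failure executing: GET at: '
    'https://192.0.2.10:443/api/v1/namespaces. Message: namespaces is forbidden: '
    'User "sso:dsm-svc-EXAMPLE@vsphere.local" cannot list resource "namespaces" '
    'in API group "" at the cluster scope. Received status: Status(code=403, '
    'message=namespaces is forbidden: User "sso:dsm-svc-EXAMPLE@vsphere.local" '
    'cannot list resource "namespaces" in API group "" at the cluster scope, '
    'reason=Forbidden)\n'
    'secrets is forbidden: User "sso:other-EXAMPLE@vsphere.local" cannot get '
    'resource "secrets" in API group "" in the namespace "default"\n'
)

if __name__ == "__main__":
    for user in affected_accounts(SAMPLE):
        print("needs Supervisor permission fix:", user)
```

Compare the accounts it reports with the usernames retrieved in Step 2 of the Resolution; a denial with a different verb, resource, or scope is a different problem.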

Resolution

  1. Log in by using an SSH client to the VMware Data Services Manager appliance as root.

  2. Retrieve the usernames and passwords of the active and standby service accounts by running the following commands.

     
    kg get secret active-svc-account -n default -o jsonpath="{.data.username}" | base64 --decode kg get secret active-svc-account -n default -o jsonpath="{.data.password}" | base64 --decode kg get secret standby-svc-account -n default -o jsonpath="{.data.username}" | base64 --decode kg get secret standby-svc-account -n default -o jsonpath="{.data.password}" | base64 --decode
  3. Using the credentials from Step 2, log in to the vSphere Client as one of the service account users.

  4. Navigate to Supervisor Management, click the Supervisors tab, and click the name of the Supervisor you are using.

  5. On the Permissions tab, edit both service account users from Step 2 so that they have the relevant domain (example: vsphere.local), a DSM Administrator role, and an active Propagate to children option.

  6. For both users, verify that the Defined In column states This object and its children.