Error: "ACCESS_TO_RESOURCE_IS_FORBIDDEN" in UI during Landing Zone configuration or Solution Add-On deployment
search cancel

Error: "ACCESS_TO_RESOURCE_IS_FORBIDDEN" in UI during Landing Zone configuration or Solution Add-On deployment

book

Article ID: 440675

calendar_today

Updated On:

Products

VMware Cloud Director

Issue/Introduction

Solution Add-On Management configuration may fail with HTTP 403 Forbidden errors during Landing Zone setup.

Affected environments may observe:

  • Landing Zone configuration fails in the UI with:

    ACCESS_TO_RESOURCE_IS_FORBIDDEN

  • Requests to:
    /cloudapi/1.0.0/entityTypes/urn:vcloud:type:vmware:solutions_organization:1.0.0

    return HTTP 403

  • VCD logs contain errors similar to:

    OperationDenied: Cannot find a type with ID urn:vcloud:type:vmware:solutions_organization:1.0.0

Environment

VMware Cloud Director 10.6.x

Cause

The issue has been observed where the environment reports that Solution Add-On initialization previously completed successfully, however the required backend Solution Add-On entity definitions are no longer present.
This results in backend authorization and entity resolution failures during Landing Zone or Solution Add-On operations.

Resolution

  1. Verify VCD cell health:

    service vmware-vcd status

  2. Review VCD logs for the missing Solution Add-On entity type:

    grep -Ri "solutions_organization\|Cannot find a type with ID" /opt/vmware/vcloud-director/logs/

  3. Confirm the error resembles:

    OperationDenied: Cannot find a type with ID urn:vcloud:type:vmware:solutions_organization:1.0.0

  4. Carry out a database backup before carrying out any modifications.

    Create Database Backup

  5. Reset the Solution Add-On bootstrap state:
    Run the following command on primary cell

    cell-management-tool manage-config -n "vmware.solutions.add.on.bootstrap.completed" -v "no"

  6. Reset the Solution Add-On initialization generation value:

    cell-management-tool manage-config -n "vmware.solutions.add.on.initialize.generation" -v "0"

  7. Restart the VMware Cloud Director service on all cells:

    cell-management-tool cell -i $(service vmware-vcd pid cell) -s

    Then to startup the service again run the command:

    systemctl start vmware-vcd

  8. Relog in to UI as system administrator
  9. Allow several minutes for Solution Add-On initialization tasks to complete. 
  10. After all cells are online, retry the Landing Zone / Solution Add-On workflow from the Provider Portal.
Powered by Wolken Software