CLI for the Container Engine for Kubernetes Service Fails With "NotAuthorizedOrNotFound" Error (Doc ID 2810654.1)

Last updated on OCTOBER 04, 2021

Applies to:

Oracle Cloud Infrastructure - Oracle Container Engine for Kubernetes - Version N/A and later
Information in this document applies to any platform.

Symptoms

A non-admin user attempted to create the OKE kubeconfig file for a cluster with the OCI CLI in a given compartment. The call failed with the error code "NotAuthorizedOrNotFound" and HTTP status 404, as in the example below:

$ oci ce cluster create-kubeconfig --cluster-id <cluster ocid> --file $HOME/.kube/configFile --region <region name> --token-version 2.0.0
ServiceError:
{
  "code": "NotAuthorizedOrNotFound",
  "message": "Authorization failed or requested resource not found.",
  "opc-request-id": "<opc request id number>",
  "status": 404
}

For reference: https://docs.oracle.com/en-us/iaas/tools/oci-cli/2.17.0/oci_cli_docs/cmdref/ce/cluster/create-kubeconfig.html

The following IAM policy statements are in effect for the group OKE_GRP (an example name), of which the user is a member (the first statement applies to a dynamic group, i.e. to instances rather than to users):

Allow dynamic-group OKE_Dynamic_GRP to use keys in compartment <compartment name>
allow group OKE_GRP to use clusters in compartment id <compartment ocid> where target.cluster.id ='<cluster ocid>'
Allow group OKE_GRP to use clusters in compartment <compartment name>
Allow group OKE_GRP to read cluster-work-requests in compartment <compartment name>
Allow group OKE_GRP to use cluster-node-pools in compartment <compartment name>
Allow group OKE_GRP to read instance-family in compartment <compartment name>
Allow group OKE_GRP to read subnets in compartment <compartment name>
Allow group OKE_GRP to read virtual-network-family in compartment <compartment name>
Allow group OKE_GRP to read load-balancers in compartment <compartment name>
Allow group OKE_GRP to read vnics in compartment <compartment name>
Allow group OKE_GRP to read compartments in compartment <compartment name>
Allow group OKE_GRP to read repos in compartment <compartment name>
Allow group OKE_GRP to read repos in tenancy where all {target.repo.name = /<repo name>*/}

The OCI CLI configuration on the client machine (Windows or Linux) is set up correctly.
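The 404 above carries the message "Authorization failed or requested resource not found": OCI deliberately returns the same response whether the caller lacks permission on the cluster or the cluster OCID does not exist, so the error alone does not say which policy statement (if any) should have applied. The following is an added example, not code from the Oracle article or from the OCI SDK: an offline model of how statements of the shape quoted above are matched against a `create-kubeconfig` request, so that a practitioner can check the caller's group, the verb, the compartment scope and the `where target.cluster.id` condition before opening a ticket. It assumes that the command needs the `use` verb on `clusters` (the verb the article's statements grant; passed as a parameter so it can be changed), that compartment names are unique and resolved through a flat lookup table (real OCI resolves names relative to the compartment the policy is attached to), and that any condition it cannot evaluate denies. All OCIDs, compartment names and the sample tenancy tree are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# OCI IAM verbs form a hierarchy: each verb includes the verbs ranked below it.
VERB_RANK = {"inspect": 0, "read": 1, "use": 2, "manage": 3}

# "Allow group G to VERB RESOURCE in compartment X | compartment id OCID | tenancy [where COND]"
STATEMENT_RE = re.compile(
    r"^\s*allow\s+(?P<subject_type>dynamic-group|group)\s+(?P<subject>\S+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?:(?P<tenancy>tenancy)|compartment\s+(?:id\s+(?P<cid>\S+)|(?P<cname>\S+)))"
    r"(?:\s+where\s+(?P<cond>.+?))?\s*$",
    re.IGNORECASE,
)

# The only condition shape the article's cluster statement uses, optionally wrapped in all { ... }.
CLUSTER_ID_COND_RE = re.compile(
    r"^(?:all\s*\{\s*)?target\.cluster\.id\s*=\s*'(?P<ocid>[^']+)'\s*\}?$", re.IGNORECASE
)


@dataclass(frozen=True)
class Request:
    groups: frozenset        # IAM groups the calling user belongs to
    verb: str                # verb the API operation needs (lower case)
    resource: str            # resource type the operation targets
    compartment_id: str      # compartment the target cluster actually lives in
    cluster_id: str          # OCID the caller passed to --cluster-id


def ancestors(compartment_id: str, parents: Dict[str, Optional[str]]) -> Iterator[str]:
    """Yield the compartment, then each parent up to the tenancy root.
    A policy scoped to a compartment also covers every compartment nested in it."""
    cur: Optional[str] = compartment_id
    while cur is not None:
        yield cur
        cur = parents.get(cur)


def statement_grants(stmt: str, req: Request, parents: Dict[str, Optional[str]],
                     names: Dict[str, str]) -> bool:
    """True if one policy statement authorizes the request."""
    m = STATEMENT_RE.match(stmt)
    if m is None:
        return False                                    # not a statement this model parses
    if m["subject_type"].lower() != "group" or m["subject"] not in req.groups:
        return False                                    # dynamic groups cover instances, not users
    if VERB_RANK[m["verb"].lower()] < VERB_RANK[req.verb]:
        return False                                    # e.g. "read clusters" cannot satisfy "use"
    if m["resource"].lower() != req.resource:
        return False
    if m["tenancy"] is None:
        scope = m["cid"] if m["cid"] else names.get(m["cname"])
        if scope not in set(ancestors(req.compartment_id, parents)):
            return False                                # cluster lives outside the statement's scope
    if m["cond"] is not None:
        c = CLUSTER_ID_COND_RE.match(m["cond"].strip())
        if c is None or c["ocid"] != req.cluster_id:
            return False                                # fail closed: unknown or non-matching condition
    return True


def authorize(statements: List[str], req: Request, parents: Dict[str, Optional[str]],
              names: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Return (allowed, granting statements). OCI policies are allow-only: no match means deny."""
    matched = [s for s in statements if statement_grants(s, req, parents, names)]
    return bool(matched), matched


# --- constructed sample tenancy; these are not real OCIDs -----------------------------------
TENANCY = "ocid1.tenancy.oc1..exampletenancy"
OKE_DEV = "ocid1.compartment.oc1..exampleokedev"
OKE_DEV_TEAM_A = "ocid1.compartment.oc1..exampleokedevteama"   # nested under oke-dev
OKE_PROD = "ocid1.compartment.oc1..exampleokeprod"
DEV_CLUSTER = "ocid1.cluster.oc1.iad.exampledevcluster"
TEAM_A_CLUSTER = "ocid1.cluster.oc1.iad.exampleteamacluster"
PROD_CLUSTER = "ocid1.cluster.oc1.iad.exampleprodcluster"

PARENTS = {TENANCY: None, OKE_DEV: TENANCY, OKE_DEV_TEAM_A: OKE_DEV, OKE_PROD: TENANCY}
NAMES = {"oke-dev": OKE_DEV, "oke-dev-team-a": OKE_DEV_TEAM_A, "oke-prod": OKE_PROD}

# The article's statements with their placeholders filled from the sample tenancy.
POLICIES = [
    "Allow dynamic-group OKE_Dynamic_GRP to use keys in compartment oke-dev",
    f"allow group OKE_GRP to use clusters in compartment id {OKE_DEV} where target.cluster.id ='{DEV_CLUSTER}'",
    "Allow group OKE_GRP to use clusters in compartment oke-dev",
    "Allow group OKE_GRP to read cluster-work-requests in compartment oke-dev",
    "Allow group OKE_GRP to use cluster-node-pools in compartment oke-dev",
    "Allow group OKE_GRP to read repos in tenancy where all {target.repo.name = /oke*/}",
]


def check_kubeconfig(cluster_id: str, compartment_id: str, groups=("OKE_GRP",),
                     verb: str = "use") -> Tuple[bool, List[str]]:
    """Model `oci ce cluster create-kubeconfig --cluster-id <cluster_id>` for a user in `groups`.
    Assumption: the call needs `use` on `clusters`, the verb the article's statements grant."""
    req = Request(frozenset(groups), verb, "clusters", compartment_id, cluster_id)
    return authorize(POLICIES, req, PARENTS, NAMES)


if __name__ == "__main__":
    cases = [
        ("cluster in oke-dev, OCID pinned by the where-clause", DEV_CLUSTER, OKE_DEV),
        ("cluster in a sub-compartment of oke-dev", TEAM_A_CLUSTER, OKE_DEV_TEAM_A),
        ("cluster in oke-prod, no statement covers it", PROD_CLUSTER, OKE_PROD),
    ]
    for label, cid, comp in cases:
        allowed, matched = check_kubeconfig(cid, comp)
        print(f"{label}: {'allowed' if allowed else 'NotAuthorizedOrNotFound (404)'}")
        for s in matched:
            print("   granted by:", s)
```

The third case is the one to keep in mind when reading the CLI output: a cluster in a compartment no statement covers produces exactly the same 404 as a mistyped OCID, so compare the OCID passed to `--cluster-id` and the compartment the cluster actually lives in against the `in compartment` scope and the `where target.cluster.id` value of the statements before assuming the policy text is wrong.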

Changes

N/A

Cause
