Not allowed to call POST /app/transactions Status: 401 (UNAUTHORIZED) ErrorCode: NotAllowed

MKD 0 Reputation points
2024-08-12T08:46:07.7733333+00:00

We have a Kubernetes cluster set up with multiple microservices running as pods.

A pod has methods to post to and read from a confidential ledger.

And this is being run using an Azure managed identity.

Even though the managed identity has Contributor access to the ledger, it is unable to post to the ledger and we get:

Not allowed to call POST /app/transactions Status: 401 (UNAUTHORIZED) ErrorCode: NotAllowed

This is the managed identity of the agent pool used in the K8s cluster.

Could you please guide on how this could be achieved?

Thanks


2 answers

  1. Nikhil Duserla 2,105 Reputation points Microsoft Vendor
    2024-08-19T15:57:00.9866667+00:00

    Hi @MKD,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    We understand from your query that you are experiencing an authorization issue with Azure Managed Identity (AMI) in your Kubernetes cluster. The error Not allowed to call POST /app/transactions Status: 401 (UNAUTHORIZED) ErrorCode: NotAllowed suggests that the Azure Managed Identity (AMI) is not properly authenticated or authorized to perform the POST operation on the ledger.

    Based on the error details you shared, I have shared troubleshooting steps that I felt will help resolve the issue you reported.

    Verify AMI Configuration: Ensure that the managed identity is correctly configured and assigned to the Azure Kubernetes Service (AKS) cluster.

    Check Azure Role-Based Access Control (RBAC): Verify that the managed identity has the necessary permissions to access the ledger. In this case, the contributor role should be sufficient.

    If you have any further queries, do let us know.


  2. Nikhil Duserla 2,105 Reputation points Microsoft Vendor
    2024-08-21T05:29:17.44+00:00

    Hi @MKD,

    Thank you for sharing the information.

    When you use a managed identity to access a Confidential Ledger, it does not receive automatic access to the ledger. You must manually assign the appropriate permissions to the managed identity.

    To achieve this, you should include the managed identity in the ledger’s permission list and specify the level of access required (such as Reader, Writer, or Administrator).

    Assign the Managed Identity to the AKS Cluster and grant the Managed Identity Permissions to the Confidential Ledger.

    Create a Kubernetes secret to store the Confidential Ledger credentials and create a Kubernetes pod that uses the managed identity to access the Confidential Ledger.

    If you have any further queries, do let us know.
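
One way to verify the point made above before redeploying, as an added example that is not part of either answer: the script parses the ledger resource's aadBasedSecurityPrincipals list (the shape returned by `az confidentialledger show -o json`, embedded here as a constructed sample with placeholder GUIDs) and reports whether a given principal holds a ledger role that permits appending entries. The role names Reader/Contributor/Administrator and the statement that Azure RBAC on the resource is not consulted by the ledger data plane are this example's assumptions, not something the thread confirms.

```python
import json
from typing import Optional

# Assumption of this example: ledger data-plane roles as exposed by the
# ARM property ledgerRoleName. Reader cannot append entries; Contributor
# and Administrator can call POST /app/transactions.
WRITE_ROLES = {"Contributor", "Administrator"}

# Constructed sample: trimmed shape of `az confidentialledger show -o json`.
# GUIDs are placeholders, not real identities.
SAMPLE_LEDGER_JSON = json.dumps({
    "name": "example-ledger",
    "properties": {
        "ledgerUri": "https://example-ledger.confidential-ledger.azure.com",
        "aadBasedSecurityPrincipals": [
            {"principalId": "11111111-1111-1111-1111-111111111111",
             "tenantId": "22222222-2222-2222-2222-222222222222",
             "ledgerRoleName": "Administrator"},
            {"principalId": "33333333-3333-3333-3333-333333333333",
             "tenantId": "22222222-2222-2222-2222-222222222222",
             "ledgerRoleName": "Reader"},
        ],
    },
})


def ledger_role_for(ledger_json: str, principal_id: str) -> Optional[str]:
    """Return the ledger role granted to principal_id, or None when the
    principal is absent from the ledger's own access list."""
    ledger = json.loads(ledger_json)
    principals = ledger.get("properties", {}).get("aadBasedSecurityPrincipals", [])
    for entry in principals:
        # GUID comparison is case-insensitive.
        if entry.get("principalId", "").lower() == principal_id.lower():
            return entry.get("ledgerRoleName")
    return None


def can_post_transactions(ledger_json: str, principal_id: str) -> bool:
    """True only if the principal holds a ledger role that permits writes.
    Azure RBAC on the ledger resource (e.g. Contributor) is deliberately
    not consulted: it covers management operations, not /app/transactions.
    A managed identity that is missing here is the pattern behind the
    401 NotAllowed in the question."""
    return ledger_role_for(ledger_json, principal_id) in WRITE_ROLES
```

Feed the real `az confidentialledger show` output and the managed identity's object ID (principal ID) to these functions to confirm the identity is listed with a write-capable role before troubleshooting elsewhere.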

