Symptoms
Logging in to the Event Streams UI as a Keycloak user or an Identity and Access Management (IAM) user fails with the message 403 Not authorized, indicating that the user does not have permission to access the Event Streams instance.
Note: Identity and Access Management (IAM) authentication is only available on the OpenShift Container Platform with IBM Cloud Pak foundational services 3.x releases. It is not supported on other Kubernetes platforms.
Causes
To access the Event Streams UI:
- The IAM user must either have the Cluster Administrator role or the Administrator role and be in a team with a namespace resource added for the namespace containing the Event Streams instance. If neither of these applies, the error will be displayed.
- The Keycloak user must either have the eventstreams-admin role or the admin role and be in a team with a namespace resource added for the namespace containing the Event Streams instance. If neither of these applies, the error will be displayed.
Resolving the problem
Assign access to users with an administrator role by ensuring they are in a group with access to the correct namespace.
- If you configured Event Streams with Keycloak, assign access to the eventstreams-admin or the admin role.
- If you configured Event Streams with IAM, assign the Cluster Administrator role or the Administrator role.