Error 403 Displayed During Application Deployment That Requires CCE Resources, Indicating Insufficient Permission

Symptoms

1. When the CCE API is called during application deployment or pipeline deployment, error 403 and the message Policy doesn't allow cce:cluster:get tb performed are displayed.
2. The error message The IAM user is not authorized to access the API is displayed when the pipeline runs a Kubernetes application.

Cause Analysis

You do not have permissions to view and execute CCE deployment.

Solution

Use an account with the required CCE permissions and delegate your AK/SK to the account used for application deployment. The following uses the Kubernetes application as an example.

1. Edit the application, select Authorized User, and create an authorized IAM user.
2. In the displayed Create Service Endpoint: IAM dialog box, enter the AK/SK of the account authorized to deploy CCE. (For details about how to create a service endpoint, see "Creating an IAM User Service Endpoint".)
3. Use the new service endpoint and save the task.
4. Choose Settings > General > Service Endpoints of the current project, find the created service endpoint, and switch to the Permissions tab page.
5. Enable the View permission for the role to which the account that conducts application deployment belongs.