403 with Chronicle API Admin Role

[sat-tp]

Seeing 403 errors when using some methods on the CLI, despite being a Chronicle API Admin and using ADC with my own user.

data-table list and reference-list list works and returns content however methods such as rule list return Error: 'rules' and feed list returns a full 403 IAM permission denied error.

Does ADC/Auth for this support Workforce Identity Federated users?

[mihirvala-crestdata]

If your ADC has Chronicle API Admin (roles/chronicle.admin) IAM role, feed and rule command should work.

Currently CLI, only supports authentication through ADC.

have you tried revoking current auth once using gcloud auth revoke and gcloud auth application-default revoke and then authenticating again with gcloud auth application-default login?

Also for which SecOps wrapper version you are encountering this issue? So, I can take a look further.

[sat-tp]

Ah I think i've identified the issue. I have a limited permission set against my Google Cloud identity for Chronicle but Chronicle API Admin is associated with the workforce federated identity, which would explain the intermittent results.

I need to use https://cloud.google.com/iam/docs/workforce-log-in-gcloud#use-pool-provider-ids to setup a login config for ADC.

However I have a pre-req not fulfilled in my environment - https://cloud.google.com/iam/docs/workforce-sign-in-microsoft-entra-id#create-saml-provider.

I'll work on this and come back to this thread to confirm its fixed or if further investigation is needed.