Forbidden Errors

You're viewing Apigee Edge documentation.
Go to the Apigee X documentation.
info

Error text

Forbidden. [Description]

where [Description] is a string that describes the cause of the error.

Example

Forbidden. You don't have permissions to access this resource.

You typically see Forbidden error messages when making API calls. One common cause is when an organization administrator, or other type of user, makes a call to an Edge management API that requires system administrator credentials.

For example, to use the Edge management API to create a user on Edge in the Cloud, you make a POST request to https://api.enterprise.apigee.com/v1/users. However, if you pass credentials for any user other than the sys admin, the call returns HTTP 403 Forbidden error, as shown below:

> POST /v1/users HTTP/1.1
> Host: api.enterprise.apigee.com
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type:application/xml
> Content-Length: 162
>
* upload completely sent off: 162 out of 162 bytes
< HTTP/1.1 403 Forbidden

What this error means

Every user in an Edge organization is assigned to a role, where roles are essentially CRUD-based permission sets. CRUD means "create, read, update, delete". For example, a user may be given a role that permits them to read, or "get", details about an entity, but not permission to "update" or "delete" it.

The Forbidden error typically means that the role assigned to the user does not have permissions to perform the requested operation.

See Assigning roles for more.

Troubleshooting

General troubleshooting steps

Although you may need expert help from Apigee to resolve this error, you can try the following general troubleshooting steps before contacting support or posting to the Apigee Community.

Are you a new customer who just created your first organization?

For new users to Apigee who are creating their first organization, it can take Apigee several hours to complete the creation process. If you see Forbidden errors in a new organization, wait a few hours and try again.

Check to see if another user recently changed permissions

In the Edge UI, select Admin > Organization History to see if there were any recent changes to permissions. Look for permissions that were recently created or removed:

Are you making an API call that requires sys admin credentials?

Several Edge management APIs require you to pass sys admin credentials, such as the following APIs:

If you are a Cloud customer, Apigee acts as the sys admin. Therefore, if you need to perform an action that requires sys admin permissions, you must contact Apigee Edge Support.

If you run into the Forbidden error when making an Edge management API call, check the API reference Get Started to determine the requirements for calling the API.

Are you creating or editing a role to give it access to a protected resource?

Edge lets you create custom roles to control user access to protected resources. For example, you can create roles to control access to APIs, products, and reports. See Assigning roles for more.

However, only a sys admin can create roles that specify permissions for the following resources:

  • /environments
  • /environments/*
  • /environments/*/keystores/*/aliases/*/key
  • /environments/*/pods
  • /environments/*/servers
  • /pods
  • /rebuildindex
  • /userroles/devadmin
  • /userroles/devadmin/permissions
  • /userroles/devadmin/permissions/*
  • /userroles/devadmin/users
  • /userroles/devadmin/users/*
  • /users/*/status
  • /users
  • /users/*

If you attempt to create a role that assigns permissions to these resources, you will get a Forbidden error.

For Cloud customers, check the Apigee status page for outages

Forbidden errors can occur when there is an outage in Edge for the Cloud. Use the following URL to check the current Edge status to see if there is an outage:

https://status.apigee.com/

Are you using a version of Edge Cloud that includes customer support?

Although you may need to contact Apigee support to resolve this error, you might first try the steps described above in General troubleshooting steps. If you need Apigee help, please see Apigee support.

Are you using Edge Private cloud?

In a Private Cloud installation, you define a sys admin. If you need to perform an operation that requires the sys admin credentials, such as creating an organization, then you must work with the Edge sys admin.

Are you using a free evaluation version of Apigee Edge?

Although you may need to post your issue to the Apigee Community to resolve this error, you might first try the steps described above in General troubleshooting steps.