docs(obj): update api key troubleshooting MTA-5528 (#4324)

* docs(obj): update api key troubleshooting MTA-5528 * docs(iam): add troubleshooting for API key and permissions issues * docs(iam): update * docs(iam): update * docs(iam): update
scaleway · Feb 5, 2025 · 5c4b196 · 5c4b196
1 parent a555343
commit 5c4b196
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 4 deletions.
diff --git a/menu/navigation.json b/menu/navigation.json
@@ -433,6 +433,16 @@
                 "label": "API/CLI",
                 "slug": "api-cli"
               },
+              {
+                "items": [
+                  {
+                    "label": "I am not allowed to perform actions on resources",
+                    "slug": "cannot-use-resources-using-api"
+                  }
+                ],
+                "label": "Troubleshooting",
+                "slug": "troubleshooting"
+              },
               {
                 "label": "Videos",
                 "slug": "videos"

diff --git a/pages/iam/troubleshooting/cannot-use-resources.mdx b/pages/iam/troubleshooting/cannot-use-resources.mdx
@@ -0,0 +1,58 @@
+---
+meta:
+  title: I am not allowed to perform actions on resources
+  description: Fix issues encountered while interacting with Scaleway resources and products using the console or API.
+content:
+  h1: I am not allowed to perform actions on resources
+  paragraph: Fix issues encountered while interacting with Scaleway resources and products using the console or API.
+tags: api 403 error unable connection fail product resource api cli developer tools
+dates:
+  validation: 2025-01-30
+  posted: 2025-01-30
+categories:
+  - iam
+---
+
+<Macro id="requirements" />
+
+- [Owner](/iam/concepts/#owner) status or [IAM permissions](/iam/concepts/#permission) allowing you to perform actions in the intended Organization
+
+## Problem
+
+When interacting with Scaleway resources using the Scaleway console, API, CLI, or any other developer tools, you encounter one of the following issues:
+
+- a message saying **Insufficient permissions** displays
+- a message saying **Access Denied** displays
+- a `403` error displays
+- no output displays when interacting with Scaleway products using a command-line tool, and no changes appear in the Scaleway console
+
+## Cause
+
+You (or the IAM [user](/iam/concepts/#user) or [application](/iam/concepts/#application)) may not have the correct appropriate [IAM permissions](/iam/how-to/view-permission-sets/) to perform the desired actions. 
+
+## Solution
+
+1. Make sure that you are using a valid [API key](https://console.scaleway.com/iam/api-keys).
+
+2. Make sure that the bearer of the API key (IAM [user](/iam/concepts/#user) or [application](/iam/concepts/#application)) has the appropriate [IAM permissions](/iam/how-to/view-permission-sets/) to perform the desired actions.
+
+3. If you **do not** have [Owner](/iam/concepts/#owner) status for the organization in which you are trying to perform actions, contact the IAM manager or owner of this organization.
+
+4. If your are using a command-line tool to interact with Scaleway resources, make sure that there is no environment variable overriding your API key. Refer to the [documentation on environment variables priority](/scaleway-cli/reference-content/environment-variables/#environment-variables-priority) for more information.
+
+<Message type="note">
+If you encounter issues while using Object Storage, refer to the [dedicated troubleshooting page](/object-storage/troubleshooting/api-key-does-not-work/).
+</Message>
+
+## Going further
+
+- If you did not manage to identify the error and solve it by yourself, [open a support ticket](/account/how-to/open-a-support-ticket/), and provide as many details as possible, along with the necessary information below:
+    - Organization ID
+    - Project ID
+    - Resource type and ID
+    - Request type (PUT, GET, etc.)
+    - HTTP status code
+    - Date and time (timestamp)
+    - User-agent (SDK, client, console, etc.)
+    - Transaction ID (if possible)
+    - Log / trace of the error (if possible)
diff --git a/pages/object-storage/troubleshooting/api-key-does-not-work.mdx b/pages/object-storage/troubleshooting/api-key-does-not-work.mdx
@@ -7,7 +7,7 @@ content:
   paragraph: Fix issues with non-functional API keys in Object Storage.
 tags: api key bucket object storage aws cli
 dates:
-  validation: 2025-01-15
+  validation: 2025-01-30
   posted: 2023-12-15
 categories:
   - storage
@@ -26,6 +26,8 @@ When using third-party API or CLI tools, such as the [AWS CLI](/object-storage/a
 
 - The tool returns `An error occurred (Forbidden) when calling the ListObjectsV2 operation: Forbidden` or a similar message.
 
+- The tool returns a `403` error.
+
 ## Cause
 
 The API key you used to configure the Amazon S3 third-party tool has a [preferred Project](/iam/concepts/#preferred-project) assigned.
@@ -34,17 +36,23 @@ If you try to perform Object Storage operations in a Project that is **NOT** the
 
 ## Solution
 
-You can change the preferred project of your API key:
+1. Make sure that you are using a valid [API key](https://console.scaleway.com/iam/api-keys).
+
+2. Make sure that the bearer of the API key (IAM [user](/iam/concepts/#user) or [application](/iam/concepts/#application)) has the appropriate [IAM permissions](/iam/how-to/view-permission-sets/) to perform the desired actions.
 
-- by editing it from the [Scaleway console](/iam/how-to/manage-api-keys/#how-to-edit-an-api-key)
-- by [overriding it while making an API call](/iam/api-cli/using-api-key-object-storage/#overriding-the-preferred-project-when-making-a-call)
+3. Make sure that the API key's [preferred Project](/iam/concepts/#preferred-project) is the same as the one where you are performing actions. You can change the preferred project of your API key:
+    - by editing it from the [Scaleway console](/iam/how-to/manage-api-keys/#how-to-edit-an-api-key)
+    - by [overriding it while making an API call](/iam/api-cli/using-api-key-object-storage/#overriding-the-preferred-project-when-making-a-call)
+4. Make sure that there is no [bucket policy](/object-storage/concepts/#bucket-policy) preventing the action. If there is one, [update the bucket policy](/object-storage/how-to/create-bucket-policy/) to allow the desired actions to the bearer of the API key.
 
 You should now be able to list your buckets using a supported Amazon Amazon S3-compatible third-party tool.
 
 ## Going further
 
 - Refer to the documentation on [using IAM API keys with Object Storage](/iam/api-cli/using-api-key-object-storage/) for more information.
 
+- Refer to the documentation on [bucket policies](/object-storage/api-cli/bucket-policy/) for more information.
+
 - If you did not manage to identify the error and solve it by yourself, [open a support ticket](/account/how-to/open-a-support-ticket/), and provide as many details as possible, along with the necessary information below:
     - Object Storage Endpoint (e.g. `s3.fr-par.scw.cloud`)
     - Bucket name