Solved

Problem with Connect Deployment API when using Automatically Generated API Client Credentials


Hi, I am able to successfully create a Connect application deployment using the API as described here: https://docs.commercetools.com/connect/deployments#create-deployment

 

However, if I convert my connector to use automatically generated API client credentials (as described here: https://docs.commercetools.com/connect/modify-connector) then when I try and create a deployment I get a 403 Access denied error.

 

Details

 

I have an example open source connector that I created for another issue that I can use to demonstrate this issue: https://github.com/tcpl/commercetools-connector-undeploy-demo

 

Tag 1.4.1 uses explicit API credentials and tag 1.5.1 uses auto-generated API credentials.

 

Create Connector

curl https://connect.europe-west1.gcp.commercetools.com/connectors/drafts -i \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--header 'Content-Type: application/json' \
--data-binary @- << DATA 
{
  "name" : "Connector API Test",
  "creator" : {
    "email" : "stephen.upchurch@thecommercepartnership.com"
  },
  "repository" : {
    "url" : "git@github.com:tcpl/commercetools-connector-undeploy-demo.git",
    "tag" : "1.4.1"
  },
  "privateProjects" : [],
  "supportedRegions" : [ "europe-west1.gcp" ]
}
DATA

Publish Connector

curl https://connect.europe-west1.gcp.commercetools.com/connectors/drafts/0a7b631c-dfc9-427c-b8db-767cfdcfad32 -i \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--header 'Content-Type: application/json' \
--data-binary @- << DATA 
{
  "version": 1,
  "actions": [
    {
      "action": "publish",
      "certification": false
    }
  ]
}
DATA

Deploy Connector

curl "https://connect.europe-west1.gcp.commercetools.com/${PROJECT_ID}/deployments" -i \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--header 'Content-Type: application/json' \
--data-binary @- << DATA 
{
  "connector": {
    "id": "0a7b631c-dfc9-427c-b8db-767cfdcfad32",
    "version": 3,
    "staged": false
  },
  "region": "europe-west1.gcp",
  "configurations": [
    {
      "applicationName": "service",
      "standardConfiguration": [
        { "key": "CTP_PROJECT_KEY", "value": "xxxx" },
        { "key": "CTP_CLIENT_ID", "value": "xxxx" },
        { "key": "CTP_AUTH_URL", "value": "https://auth.europe-west1.gcp.commercetools.com" },
        { "key": "CTP_API_URL", "value": "https://api.europe-west1.gcp.commercetools.com" }
      ],
      "securedConfiguration": [
        { "key": "CTP_CLIENT_SECRET", "value": "xxxx" }
      ]
    }
  ]
}
DATA

The create deployment command above works fine. However, if I now change the connector to use tag 1.5.1 it no longer works.

 

Update Connector to use Auto Generated Client (tag 1.5.1)

curl https://connect.europe-west1.gcp.commercetools.com/connectors/drafts/0a7b631c-dfc9-427c-b8db-767cfdcfad32 -i \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--header 'Content-Type: application/json' \
--data-binary @- << DATA 
{
  "version": 1,
  "actions": [
    {
      "action": "setRepository",
      "url" : "git@github.com:tcpl/commercetools-connector-undeploy-demo.git",
      "tag" : "1.5.1"
    }
  ]
}
DATA

Publish Connector

curl https://connect.europe-west1.gcp.commercetools.com/connectors/drafts/0a7b631c-dfc9-427c-b8db-767cfdcfad32 -i \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--header 'Content-Type: application/json' \
--data-binary @- << DATA 
{
  "version": 1,
  "actions": [
    {
      "action": "publish",
      "certification": false
    }
  ]
}
DATA

Try Creating a Deployment for the Connector

curl "https://connect.europe-west1.gcp.commercetools.com/${PROJECT_ID}/deployments" -i \
--header "Authorization: Bearer ${BEARER_TOKEN}" \
--header 'Content-Type: application/json' \
--data-binary @- << DATA 
{
  "connector": {
    "id": "0a7b631c-dfc9-427c-b8db-767cfdcfad32",
    "version": 3,
    "staged": false
  },
  "region": "europe-west1.gcp",
  "configurations": [
    {
      "applicationName": "service",
      "standardConfiguration": [],
      "securedConfiguration": []
    }
  ]
}
DATA

 

I get the following response:

{
  "statusCode": 403,
  "message": "Access denied",
  "errors": [{ "code": "AuthorizationError", "message": "Access denied" }]
}

 

Any ideas on how I can use the API to create or update a deployment when using automatically generated API client credentials?

 

Thanks

Stephen

Best answer by Ben Hedrick

Hey Stephen,

 

Thanks for reaching out to the commercetools Community! We think you may need to add manage_api_clients scoping.

 

The manage_api_clients:{projectKey} scope is essential for managing API clients within your commercetools project. Without this scope, the automated creation of API clients during deployment won't be possible. This is particularly important for infrastructure-as-code setups and scenarios where you must programmatically create or manage API clients. We will review our documentation as well.

 

This scope is not to be put in the connect.yaml file. It should be added to the scopes during API client creation for the API client that will perform the deployment, such as Postman or your CLI tool.

 

If you are still experiencing issues after the recommended change, we recommend reaching out to support.commercetools.com.
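
Added example (not part of the original thread and not commercetools tooling): a pre-flight check that the token used for the deployment call actually carries manage_api_clients:{projectKey}, run against the token response before calling the deployments endpoint. The function names, the project key demo-project and the sample responses are constructed, and the check assumes the token response exposes a space-separated "scope" string as in a standard OAuth 2.0 client-credentials response.

```shell
#!/bin/sh
# Pre-flight scope check for the token that will create a Connect deployment.
# Assumption: the token response has a space-separated "scope" field.

# Constructed sample token responses (placeholder token, hypothetical project key).
RESP_WITHOUT='{"access_token":"PLACEHOLDER","token_type":"Bearer","expires_in":172800,"scope":"manage_project:demo-project"}'
RESP_WITH='{"access_token":"PLACEHOLDER","token_type":"Bearer","expires_in":172800,"scope":"manage_project:demo-project manage_api_clients:demo-project"}'

# extract_scope JSON -> prints the value of the "scope" field (empty if absent).
extract_scope() {
  printf '%s' "$1" |
    sed -n 's/.*"scope"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# has_scope SCOPE_STRING WANTED -> 0 only on an exact, whole-token match,
# so manage_api_clients:demo-project-2 does not satisfy demo-project.
has_scope() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# can_deploy_autogen JSON PROJECT_KEY -> 0 if the token may manage API clients,
# which the answer above names as the requirement for auto-generated credentials.
can_deploy_autogen() {
  scope=$(extract_scope "$1")
  if has_scope "$scope" "manage_api_clients:$2"; then
    echo "ok: manage_api_clients:$2 present"
    return 0
  fi
  echo "missing manage_api_clients:$2 (granted: ${scope:-none})" >&2
  echo "deployment with auto-generated credentials may fail with 403" >&2
  return 1
}

# Demo on the constructed responses: the first is rejected, the second passes.
can_deploy_autogen "$RESP_WITHOUT" demo-project || true
can_deploy_autogen "$RESP_WITH" demo-project
```

Running the same check in a deployment pipeline before the curl call turns the opaque "Access denied" into a named missing scope, and keeps the extra scope limited to the one client that performs deployments.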


@Ben Hedrick Ah, of course! That makes sense! I was using an Admin Client template, but that doesn’t include that permission.

 

Thank you!

