Credentials for HTTP Requests in Workflow - 401 Error

Identity Security Cloud (ISC) ISC Discussion and Questions
, ,
1

Surely this has come up before, and I just can’t find the post. When a PAT is used in a workflow to make an API call to ISC, and the identity that generated the PAT leaves the company, that API call/workflow fails. So I created a service account in AD. I was going to do this as a flat file import, but the security team wanted it done with an AD account. This AD account comes in on its own source, with its own identity profile, and it has org_admin rights.

I log in as this identity, generate a PAT, and use that in my workflow, the API call fails.

"task failed: activity error (type: sp:external:http:v2, scheduledEventID: 5, startedEventID: 6, identity: 1@sp-workflow-worker-prd-us-east-1-684c58bd9-6blfn@sp-workflow-engine): request failed (type: HTTP Response Returned a Client Error, retryable: false): request failed: 401 - 401 Unauthorized - {\"error\":\"unauthorized\",\"error_description\":\"Full authentication is required to access this resource\"}"

Any ideas what I should be checking?

2

Hey @BCyr ,

You might want to check which scopes are assigned to the PAT. Here is some information about scopes for PATs and this documentation shows how to find the scopes needed for the endpoints you are calling in your workflow.

Please let me know if this helps!

  • Zach
3

I confirmed that the PAT has a scope of sp:scopes:all. Initially, the identity profile that this account was using did not have any active lifecycle states, so I thought that might be it. I enable “active” and “inactive” and made the account active, but that didn’t seem to matter.

However, while it was marked as active, I generated a new PAT and that did work. So one of two things may have happened here.

  1. A PAT generated by an identity that does not have an active lifecycle state is not valid.

  2. I copied the secret incorrectly.

Either way, it is working now.