content-flow:create: User does not have the necessary permissions for this operation. #677

Closed
kwin opened this issue Jun 19, 2023 · 7 comments
Labels
bug Something isn't working

Comments

Contributor

kwin commented Jun 19, 2023

Expected Behavior

When trying to create a new content flow based on a JWT service account having "Deployment Manager", one has the necessary permission to trigger a content copy. According to https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/implementing/developer-tools/content-copy.html?lang=en#permissions one also needs to be part of the AEM administrators group in both the source and the destination environment. But I cannot assign any AEM access in https://developer.adobe.com/console/. There is not even an API for AEM.

Actual Behavior

The following error is emitted when trying to execute
cloudmanager:content-flow:create 918302 9603 918249 true author --programId 96552 --imsContextName program-96552

Process returned with non-success exit code 30:
Creating content flow for pid: 96552 env: 918302   values: {"contentSetId":"9603","destEnvironmentId":"918249","includeACL":"true","tier":"author","mergeExcludePaths":"false"}.... failed
 ›   Error: [CloudManagerSDK:ERROR_CREATE_CONTENTFLOW] Unable to create content
 ›    flow for program https://cloudmanager.adobe.io/api/program/96552/environm
 ›   ent/918302/contentFlow (403 Forbidden) - User unauthorized.(s): User does 
 ›   not have the necessary permissions for this operation.
 ›   Code: ERROR_CREATE_CONTENTFLOW
 ›   Reference: Request Id: NgL8bsCqJ3PZvJp9lOTmfWT8bosMCKKn. Timestamp: 
 ›   2023-06-19T17:00:03.943Z

Reproduction Scenario, Platform, and Version
This happens with aio-cli-plugin-cloudmanager v4.1.0 used standalone as outlined in https://github.com/adobe/aio-cli-plugin-cloudmanager#standalone-use.

kwin added the bug label Jun 19, 2023
Contributor Author

kwin commented Jun 19, 2023

Compare with AdobeDocs/cloudmanager-api-docs#260.

Contributor Author

kwin commented Jun 19, 2023

As the JWT token for AEM is managed outside the Adobe Developers Console but inside AEM Developer's Console (https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/implementing/developing/generating-access-tokens-for-server-side-apis.html?lang=en#fetch-the-aem-as-a-cloud-service-credentials) it seems it is currently impossible to generate one JWT token with the necessary permissions.

Contributor Author

kwin commented Jun 19, 2023

@zygw How are the new content copy related operations supposed to be executed with service accounts on AEMaaCS?

Contributor Author

kwin commented Jun 19, 2023

Ok, it seems that I need to add the API credentials for the generated service account via the adminconsole as outlined in https://helpx.adobe.com/enterprise/using/manage-developers.html. That is only possible for author tiers though as there is no dedicated administrator product profile for AEM publish.

Contributor Author

kwin commented Jun 26, 2023

Also according to the README (https://github.com/adobe/aio-cli-plugin-cloudmanager#permissions)

To see the permissions required for a specific command, you can also run any command with the flag --permissions

But executing aio cloudmanager:content-flow:create --permissions

results in

To execute cloudmanager:content-flow:create, one of the following product profiles is required: Deployment Manager.
 ›   Error: Missing 3 required args:
 ›   contentSetId       Id of content set to use
 ›   destEnvironmentId  The destination environment id
 ›   includeACL         Include ACLs
 ›   See more help with --help


imaadghouri85 commented Jan 29, 2024

Hello @kwin @zygw

We are also facing the same issue when trying to execute the command below

aio cloudmanager create-content-flow $ENVIRONMENTID $CONTENTSETID $DESTENVIRONMENTID false

We have created a Cloud Manager API in the https://developer.adobe.com/ console and added the Deployment Manager role in it (see attached), but we are still getting permission issues. Any clue?

Here is the error:

Creating content flow for pid: 85402 env: ****   values: {"contentSetId":"***","destEnvironmentId":"****","includeACL":"false","tier":"author","mergeExcludePaths":"false"}.... failed
 ›   Error: [CloudManagerSDK:ERROR_CREATE_CONTENTFLOW] Unable to create content
 ›    flow for program https://cloudmanager.adobe.io/api/program/*****/environm
 ›   ent/*****/contentFlow (403 Forbidden) - User unauthorized.(s): User does
 ›   not have the necessary permissions for this operation.
 ›   Code: ERROR_CREATE_CONTENTFLOW
 ›   Reference: Request Id: zbycXFlVShwuAnZ6qKxA4p9UZzpfr84f. Timestamp:
 ›   2024-01-29T01:55:45.400Z
Screenshot 2024-01-28 at 9 06 32 PM

Contributor

zygw commented Jan 29, 2024

The user must be an admin in the source and destination environment. The Cloud Manager roles only gate the availability of the API. Since the content copy reads/writes arbitrary paths, the user running the copy must have admin privilege in the two AEM envs. See Permissions table in:
https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/implementing/developer-tools/content-copy.html?lang=en

@zygw zygw closed this as completed Feb 14, 2024
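
As an added example (not code from the plugin or from any participant in this thread), here is one way a CI job could turn the wrapped error output shown above into structured fields and attach the remediation given in the maintainer's reply. The function names `parseContentFlowError` and `triage` are hypothetical; the sample input is the error text quoted in the first comment.

```javascript
// Sample input: the error output quoted in this issue. The CLI wraps long
// lines behind a "›" gutter, which splits the URL mid-word ("environm/ent").
const SAMPLE = [
  ' ›   Error: [CloudManagerSDK:ERROR_CREATE_CONTENTFLOW] Unable to create content',
  ' ›    flow for program https://cloudmanager.adobe.io/api/program/96552/environm',
  ' ›   ent/918302/contentFlow (403 Forbidden) - User unauthorized.(s): User does ',
  ' ›   not have the necessary permissions for this operation.',
  ' ›   Code: ERROR_CREATE_CONTENTFLOW',
  ' ›   Reference: Request Id: NgL8bsCqJ3PZvJp9lOTmfWT8bosMCKKn. Timestamp: ',
  ' ›   2023-06-19T17:00:03.943Z',
].join('\n');

// Hypothetical helper: parse the wrapped CLI error into structured fields.
function parseContentFlowError(output) {
  // Drop the "›" gutter and any CI line-number prefix such as "215 | ".
  const lines = output.split('\n')
    .map((l) => l.replace(/^\s*(?:\d+\s*\|\s*)?›\s*/, '').trimEnd())
    .filter((l) => l.length > 0);
  // Wrapping can break inside a token, so match on a whitespace-free copy.
  const compact = lines.join('').replace(/\s+/g, '');
  const url = compact.match(/program\/([^/]+)\/environment\/([^/]+)\/contentFlow\((\d{3})/);
  if (!url) return null; // not a contentFlow error
  const ref = compact.match(/RequestId:([A-Za-z0-9]+)\.Timestamp:([0-9T:.-]+Z)/);
  const code = lines.map((l) => l.match(/^Code:\s*(\S+)$/)).find(Boolean);
  return {
    programId: url[1],
    sourceEnvironmentId: url[2],
    httpStatus: Number(url[3]),
    code: code ? code[1] : null,
    requestId: ref ? ref[1] : null, // quote this when contacting support
    timestamp: ref ? ref[2] : null,
  };
}

// Attach the remediation stated in the maintainer's reply to a 403.
function triage(output) {
  const err = parseContentFlowError(output);
  if (!err) return { kind: 'unrecognized', err: null };
  if (err.httpStatus === 403) {
    return { kind: 'aem-admin-required', err,
      hint: 'Caller must be an AEM admin in the source and destination environments.' };
  }
  return { kind: 'other', err };
}
```
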