https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/405045#M2652 <P>Thanks for your response ! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I am using the panos ansible modules to run these tasks against the panorama.&nbsp;<BR />In our case, the service account user has admin access (it is a superuser) to all the templates, device groups and we are using api_username and api_password to authenticate to the device.<BR /><BR />Another interesting fact is it works while running most of tasks in the playbook , but randomly fails on one of them (And sometimes it doesn't fail). The panorama logs indicate that "Authorization Failed. Could not find the role/ado for the user &lt;service_account&gt;. However after checking the Remote auth server logs and policies looks like the policies and roles have been configured correctly on the Auth server.&nbsp;<BR /><BR />Do you have any other suggestions ? Thanks a lot in advance for your help !&nbsp;<BR /><BR />Regards<BR />Siddhant Kulkarni<BR /><BR /><BR /><BR /><BR /></P> Wed, 05 May 2021 22:04:23 GMT Siddhant 2021-05-05T22:04:23Z https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/395617#M2610 <P>I have an ansible playbook that creates address,service objects -&gt; security policy -&gt; Commit and push to different device groups.&nbsp;<BR />Randomly one of the task fails during executing with the error - Failed Connection: URL Error: code: 403 reason: Forbidden.&nbsp;<BR />This is not specific to any particular module and have seen it happening in panos_address_object, <SPAN>panos_commit_push etc. Any guidance on this ?&nbsp;<BR /><BR /></SPAN></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Siddhant_0-1617387452800.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/30706iBC9A16D2B54944D9/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Siddhant_0-1617387452800.png" alt="Siddhant_0-1617387452800.png" /></span></P><P>&nbsp;</P><P><SPAN>&nbsp;</SPAN></P> Fri, 02 Apr 2021 18:18:36 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/395617#M2610 Siddhant 2021-04-02T18:18:36Z https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/400412#M2634 <P>You are using the REST-API right ? If so maybe you have generated an API key from a username that is not an admin with full permisions ? Because you mention device groups I think that you are using the Ansible with an API key to control Panorama and the error 403 also confirms that REST-API is used not ssh. It is possible that your user that you use the API_key in the Ansible may have access domain just to some device groups or templates.</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/pan-os-xml-api-error-codes.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api/pan-os-xml-api-error-codes.html</A></P><P>&nbsp;</P><P>&nbsp;</P><P><A href="https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/role-based-access-control/access-domains.html" target="_blank" rel="noopener">https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/role-based-access-control/access-domains.html</A></P> Tue, 20 Apr 2021 09:48:55 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/400412#M2634 nikoolayy1 2021-04-20T09:48:55Z https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/405045#M2652 <P>Thanks for your response ! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> I am using the panos ansible modules to run these tasks against the panorama.&nbsp;<BR />In our case, the service account user has admin access (it is a superuser) to all the templates, device groups and we are using api_username and api_password to authenticate to the device.<BR /><BR />Another interesting fact is it works while running most of tasks in the playbook , but randomly fails on one of them (And sometimes it doesn't fail). The panorama logs indicate that "Authorization Failed. Could not find the role/ado for the user &lt;service_account&gt;. However after checking the Remote auth server logs and policies looks like the policies and roles have been configured correctly on the Auth server.&nbsp;<BR /><BR />Do you have any other suggestions ? Thanks a lot in advance for your help !&nbsp;<BR /><BR />Regards<BR />Siddhant Kulkarni<BR /><BR /><BR /><BR /><BR /></P> Wed, 05 May 2021 22:04:23 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/405045#M2652 Siddhant 2021-05-05T22:04:23Z https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/463173#M2905 <P>We have the same issue when calling some API endpoints.. It happens randomly and once we retry the same exact call with the same exact parameters, it works fine.. We were unable to find the root cause so we worked around it by adding a retry mechanism in our code (python) and whenever we hit a 403 we just retry...</P><P>&nbsp;</P><P>It would be nice to know what might be causing this behaviour though</P><P>We're running Panorama 9.1 for reference</P> Thu, 03 Feb 2022 18:48:28 GMT https://live.paloaltonetworks.com/t5/automation-api-discussions/intermittent-403-failed-connection-errors-in-ansible-playbook/m-p/463173#M2905 abedJawhar 2022-02-03T18:48:28Z