Permission Scopes
API key permission scopes that control read access to Kubeadapt endpoints. Covers clusters, workloads, nodes, costs, and recommendations scopes.
Each API key is granted one or more permission scopes when created. A request to an endpoint that requires a scope your key doesn't have returns 403 Forbidden.
Scopes
| Scope | Endpoints |
|---|---|
| clusters:read | GET /v1/clusters, GET /v1/clusters/{id}, GET /v1/clusters/{id}/dashboard, GET /v1/clusters/{id}/cost-distribution |
| workloads:read | GET /v1/workloads, GET /v1/workloads/{uid}/metrics, GET /v1/workloads/{uid}/nodes |
| nodes:read | GET /v1/nodes, GET /v1/nodes/{uid}/metrics |
| namespaces:read | GET /v1/namespaces, GET /v1/namespaces/{name}/details, GET /v1/namespaces/{name}/trends |
| node_groups:read | GET /v1/node-groups, GET /v1/node-groups/{name}/details |
| persistent_volumes:read | GET /v1/persistent-volumes |
| costs:teams:read | GET /v1/costs/teams |
| costs:departments:read | GET /v1/costs/departments |
| recommendations:read | GET /v1/recommendations |
| overview:read | GET /v1/overview, GET /v1/dashboard |
Assigning Scopes
Scopes are assigned when you create an API key in the Kubeadapt dashboard. You can't modify scopes after creation. If you need different permissions, create a new key with the required scopes.
Grant only the scopes your integration needs. A key used only for cost reporting doesn't need workloads:read or nodes:read.
Scope Errors
When a request fails due to missing scope, the response is:
```json
{
  "detail": "Missing required permission: clusters:read"
}
```

The error message includes the specific scope that was missing. Check the endpoint's required scope in the table above and verify your key has it.
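As an added example (not Kubeadapt's own code), the following Python encodes the scope table above to work out the smallest scope set for the paths an integration calls, and to extract the missing scope from a 403 body in the format shown here. The function names and sample paths are assumptions, as is the rule that a placeholder such as `{id}` matches exactly one path segment.

```python
import json
import re

# Scope table copied from this page; every listed endpoint is a GET.
SCOPE_ENDPOINTS = {
    "clusters:read": ["/v1/clusters", "/v1/clusters/{id}", "/v1/clusters/{id}/dashboard",
                      "/v1/clusters/{id}/cost-distribution"],
    "workloads:read": ["/v1/workloads", "/v1/workloads/{uid}/metrics", "/v1/workloads/{uid}/nodes"],
    "nodes:read": ["/v1/nodes", "/v1/nodes/{uid}/metrics"],
    "namespaces:read": ["/v1/namespaces", "/v1/namespaces/{name}/details", "/v1/namespaces/{name}/trends"],
    "node_groups:read": ["/v1/node-groups", "/v1/node-groups/{name}/details"],
    "persistent_volumes:read": ["/v1/persistent-volumes"],
    "costs:teams:read": ["/v1/costs/teams"],
    "costs:departments:read": ["/v1/costs/departments"],
    "recommendations:read": ["/v1/recommendations"],
    "overview:read": ["/v1/overview", "/v1/dashboard"],
}

def _compile(template):
    # Assumption: a "{...}" placeholder matches exactly one path segment.
    parts = ["[^/]+" if p.startswith("{") else re.escape(p) for p in template.split("/")]
    return re.compile("/".join(parts))

_ROUTES = [(_compile(t), scope) for scope, ts in SCOPE_ENDPOINTS.items() for t in ts]

def scope_for(path):
    """Scope required for a concrete GET path, or None if the path is not in the table."""
    path = path.split("?", 1)[0]  # the query string does not affect the scope
    for pattern, scope in _ROUTES:
        if pattern.fullmatch(path):
            return scope
    return None

def minimal_scopes(paths):
    """Return (sorted scopes to request, paths that match no documented endpoint)."""
    needed, unknown = set(), []
    for p in paths:
        s = scope_for(p)
        if s:
            needed.add(s)
        else:
            unknown.append(p)
    return sorted(needed), unknown

def missing_scope(body):
    """Scope named in a 403 body shaped like the one on this page, else None."""
    detail = json.loads(body).get("detail")
    m = re.fullmatch(r"Missing required permission: (\S+)", detail) if isinstance(detail, str) else None
    return m.group(1) if m and m.group(1) in SCOPE_ENDPOINTS else None
```

Run `minimal_scopes` over the paths your integration actually requests before creating the key, since scopes can't be changed afterwards; a non-empty second element means a path is not covered by the table and should be checked by hand.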
Related
- Authentication - API key creation and Bearer token usage
- Error Handling - 403 Forbidden responses for missing scopes