ANUPAMC.14351 (Customer) asked a question.
An active API token (meaning it is used very frequently) started giving this error all of a sudden. This token was created a while back on Aug 05, 2019. Any ideas?
Exception in thread "main" com.okta.sdk.resource.ResourceException: HTTP 403, Okta E0000006 (You do not have permission to perform the requested action), ErrorId oaeMVB7-Rb7ShOpUEqCTNfOCw
at com.okta.sdk.impl.ds.DefaultDataStore.execute(DefaultDataStore.java:432)
at com.okta.sdk.impl.ds.DefaultDataStore.lambda$getResourceData$0(DefaultDataStore.java:187)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:47)
at com.okta.sdk.impl.ds.cache.WriteCacheFilter.filter(WriteCacheFilter.java:34)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.cache.ReadCacheFilter.filter(ReadCacheFilter.java:42)
at com.okta.sdk.impl.ds.DefaultFilterChain.filter(DefaultFilterChain.java:52)
at com.okta.sdk.impl.ds.DefaultDataStore.getResourceData(DefaultDataStore.java:199)
at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:167)
at com.okta.sdk.impl.ds.DefaultDataStore.getResource(DefaultDataStore.java:163)
at com.okta.sdk.impl.client.DefaultClient.getUser(DefaultClient.java:558)
API tokens inherit their rights from the account with which they were created, and are subject to any subsequent permissions changes that the account may experience in the future.
For example, let's say you create a new account and assign it the super admin role. Then you sign into Okta using that account and create an API token with it. At that point, the API token has all the same super admin rights as the Okta account you used to create it.
Days or years later, you or some other super admin removes the super admin role from that Okta account, or possibly even deletes it. From that point on, the API token also loses its super admin rights, resulting in errors similar to the one you described. If the Okta account is deleted, the token loses all rights.