AIP Logic Function getting a RemoteException: PERMISSION_DENIED (ObjectSet:Unauthorized)

Hi team,

I am currently calling an AIP Logic function from my TypeScript OSDK application, and I’ve provided this function access to an LLM query tool which provides access to several properties of one of the ObjectSets within my ontology. However, when executing this function via OSDK, I keep getting a RemoteException: PERMISSION_DENIED (ObjectSet:Unauthorized) error.

I’ve scoured the documentation to find a fix for this but wasn’t able to get a working solution.

A more in-depth API log from my OSDK application’s console shows this:

{
    "errorCode": "INVALID_ARGUMENT",
    "errorName": "QueryRuntimeError",
    "errorInstanceId": "d77e68e9-2a1d-413f-a295-a88d8c53296b",
    "parameters": {
        "functionRid": "ri.function-registry.main.function.8028d7ed-04e3-47a7-9d46-602ebe199a64",
        "functionVersion": "2.1.0",
        "message": "RemoteException: PERMISSION_DENIED (ObjectSet:Unauthorized)",
        "parameters": {
            "errorCode": "PERMISSION_DENIED",
            "toolName": "Object Type Tool",
            "errorInstanceId": "82f6ef35-2d3f-4880-ba94-afd03ed9c7d2",
            "errorName": "ObjectSet:Unauthorized",
            "error-trace-id": "2e5e1aab621063bf"
        }
    }
}

After creating sample inputs out of these failed function execution requests, they seemed to work perfectly fine in the Bulk preview testing suite, so the requests should technically work as expected.

Would appreciate your help in troubleshooting this, thanks!
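The error object in the post above is easy to misread: the outer errorCode is INVALID_ARGUMENT, but the actionable cause (PERMISSION_DENIED, ObjectSet:Unauthorized) is nested two levels down under the tool that the LLM node called. The helper below is an added example, not code from the thread or from the OSDK, that parses that nested shape and classifies the failure as an authorization problem rather than a bad argument. The sample error it runs on is constructed to mirror the shape above; the RID, instance ids and trace id in it are placeholders.

```typescript
// Added example: triage the nested QueryRuntimeError that an OSDK client
// receives when an AIP Logic function fails. Not part of the original post
// or of the OSDK. The top-level errorCode is INVALID_ARGUMENT, so a caller
// that inspects only that field will misdiagnose a permission failure.

interface OsdkError {
  errorCode: string;
  errorName: string;
  errorInstanceId?: string;
  parameters?: Record<string, unknown>;
}

type Category = "permission" | "argument" | "unknown";

interface Triage {
  category: Category;
  outerName: string;
  innerCode?: string;
  innerName?: string;
  toolName?: string;
  traceId?: string;
  functionRid?: string;
  functionVersion?: string;
  hint: string;
}

// Narrow an unknown JSON value to a string, or drop it.
function str(v: unknown): string | undefined {
  return typeof v === "string" ? v : undefined;
}

function triageQueryError(raw: string | OsdkError): Triage {
  const err: OsdkError = typeof raw === "string" ? JSON.parse(raw) : raw;
  const p = err.parameters ?? {};
  // QueryRuntimeError nests the failing tool's own error under parameters.parameters.
  const inner = (p.parameters ?? {}) as Record<string, unknown>;
  const innerCode = str(inner.errorCode);
  const innerName = str(inner.errorName);

  let category: Category = "unknown";
  let hint = "Unrecognised error shape; inspect the raw response.";
  if (innerCode === "PERMISSION_DENIED" || innerName?.endsWith(":Unauthorized")) {
    category = "permission";
    hint =
      "The function ran, but the tool it invoked was refused access to an object set. " +
      "The token presented by the OSDK client (or the application's service user) lacks " +
      "that access; check the client's ontology scope and the application's data " +
      "resources rather than the call's arguments.";
  } else if (err.errorCode === "INVALID_ARGUMENT") {
    category = "argument";
    hint = "The request itself was rejected; compare the payload with what the function accepts.";
  }

  return {
    category,
    outerName: err.errorName,
    innerCode,
    innerName,
    toolName: str(inner.toolName),
    traceId: str(inner["error-trace-id"]),
    functionRid: str(p.functionRid),
    functionVersion: str(p.functionVersion),
    hint,
  };
}

// Constructed sample with the same shape as the error in the post; every id,
// RID and trace id here is a placeholder, not a real value.
const SAMPLE_ERROR = `{
  "errorCode": "INVALID_ARGUMENT",
  "errorName": "QueryRuntimeError",
  "errorInstanceId": "00000000-0000-0000-0000-000000000001",
  "parameters": {
    "functionRid": "ri.function-registry.main.function.PLACEHOLDER",
    "functionVersion": "2.1.0",
    "message": "RemoteException: PERMISSION_DENIED (ObjectSet:Unauthorized)",
    "parameters": {
      "errorCode": "PERMISSION_DENIED",
      "toolName": "Object Type Tool",
      "errorInstanceId": "00000000-0000-0000-0000-000000000002",
      "errorName": "ObjectSet:Unauthorized",
      "error-trace-id": "0000000000000000"
    }
  }
}`;

const triage = triageQueryError(SAMPLE_ERROR);
console.log(triage.category, triage.innerName, triage.toolName, triage.traceId);
```

Logging the trace id and tool name alongside the category makes the failure searchable on the server side, and routing on category (permission versus argument) keeps the client from retrying a call that will keep failing until scope or data-resource configuration changes.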

Wanted to provide a bit more context:

My AIP logic function has an LLM node which I’ve provided with access to a Query Object tool which lets the model query the object to generate its response.

When I go to the Data Resources section in the developer console of the OSDK application, I see a warning that says Manual action may be required and You must manually add resources used by this function.

However, there isn’t an actual “resource” to provide access to since I am simply using an attached Query Object tool – wondering if this is because this tool is not a published function, thus I can’t “add” it to my data resources?

Following up again on this since I think I’ve figured out the issue:

Since I’m on AIP’s developer tier and don’t have access to the “client credentials OAuth client grant”, I cannot create a service user for my OSDK application. Thus, my client-facing application cannot access all the object types in my ontology, which explains the PERMISSION_DENIED error.

I might be really off on this one since I’m not familiar with using the OSDK, but something you might want to consider is whether you can somehow import the object itself into the project/file. For example, in a pipeline, if I don’t import the dataset from another project, I’ll get this warning. In a code setting, my guess would be that you’d need to specify the objects/resources to import at the top of the file in order to be able to use them.

This link might be a better representation of how to import the resource/ontology type: Foundry Functions

Maybe also check the access level of your object and remember to specify a user, since there are permissions you can set (create, edit, delete, etc.).

I’ve also had situations where the preview works fine but the actual deployment fails due to small issues like this which can be really frustrating, so hope you’re able to get a fix for this!

You can try one of two things:

  1. Bypass the scope check by creating a second Dev Console application, skipping the ontology selection step (hope this is available on the dev tier), and create a “generic client”. Then you can use the created client ID in your original OSDK application.
  2. Make sure the Dev Console application includes all the ontology resources you are using in your AIP Logic function. If you include these, your assigned token should get the required scope.

HTH,

Thanks for the actionable steps @ewitkon, here are some blockers regarding them:

Method 1: There doesn’t seem to be an explicit way to “skip the ontology selection step”. I have to either generate an oSDK (after which I can’t move forward in the steps without selecting an ontology within my organization) or proceed with No, I won't use an Ontology SDK. When selecting the latter option, I’m still only able to create a Public or Confidential Client, neither of which seems to work as needed.

Method 2: In the Dev Console, I’ve ensured that my oSDK application has all the required (and even available) object types as the data sources. Even when I click the warning Manual action may be required and You must manually add resources used by this function, when I go to actually check what resources are still needed, the AIP logic function in the ontology manager looks good, and there aren’t any leftover resources.

I’ve exhausted AIP Assist in trying to figure out how to give my oSDK client access to ObjectSets of already accessible singular object types, but have had no luck, with just 3 days left in the winter fellowship! :sweat_smile:

Would there be another good way to get around this? I’ve tried to mess around with one-to-many link types, etc., but haven’t had any luck with that either. It seems to be an edge-case limitation of using the Query Tool in LLM nodes and calling them via a public client (on a developer tier).

Cheers,

Sorry for not sending clear instructions.
If you choose No, I won't use an Ontology SDK you create a generic client which is not limited in scope.

Understood, when creating the generic client, I thankfully see the option to create a Service user, however after enabling the Client credentials grant, I keep getting the following error:

The console logs show a 400 (Bad Request) error with the following response:

{
    "errorCode": "INVALID_ARGUMENT",
    "errorName": "Default:InvalidArgument",
    "errorInstanceId": "149bd70c-8f4a-4050-9571-fae70a562580",
    "parameters": {}
}

and payload:

{"allowedOrganizationRids":[],"clientType":"CONFIDENTIAL","displayName":"kachingGeneric","grantTypes":["AUTHORIZATION_CODE","REFRESH_TOKEN","CLIENT_CREDENTIALS"],"redirectUris":["http://localhost:8080/auth/callback"]}

I hypothesized that it might be because allowedOrganizationIds is empty, but the Dev Console UI says that it’s already added to my organization as part of the initial application creation process.

Thanks,

Why are you using a confidential client? You should use a public client like the one you had before and just use this client ID.
If your original application uses a confidential client, then the issue is that the service user which is created for that application needs to get permission on all resources, including the Compass project where the AIP Logic resides.