Permissions Error when calling AIP agent as a function within Workshop App

cdylpp · September 15, 2025, 9:03am

I am attempting to call an AIP agent as a Function from a Workshop app. I exposed a function called

query_sumi that looks like

@function
def query_sumi(query: str) -> str:
    with AllowBetaFeatures():
        client = ontology_sdk.FoundryClient()
        result = client.ontology.queries.sumi(user_input=query)
        return str(result.markdown_response)

When tested in the code-repo everything runs fine. However, in the Workshop app, calling the function returns the following permissions error

 raise BadRequestError(error_json)
foundry_sdk._errors.palantir_rpc_exception.BadRequestError: {
    "errorCode": "INVALID_ARGUMENT",
    "errorInstanceId": "ed6dad5a-c9bc-44a8-8d21-c6cd0049f346",
    "errorName": "QueryRuntimeError",
    "parameters": {
        "functionRid": "ri.function-registry.main.function.14b1c221-40af-4e32-acd9-ad59def8a2ee",
        "functionVersion": "7.0.0",
        "message": "RemoteException: PERMISSION_DENIED (Security:PermissionDenied) with instance ID 046dfb97-2b48-480a-a1e1-86773e92cf25: {rid=ri.aip-agents..agent.6c6710f1-8160-491d-927d-fbeb23433d66, operation=aip-agents:read}",
        "parameters": {
            "error-code": "PERMISSION_DENIED",
            "error-instance-id": "046dfb97-2b48-480a-a1e1-86773e92cf25",
            "error-name": "Security:PermissionDenied",
            "operation": "aip-agents:read",
            "rid": "ri.aip-agents..agent.6c6710f1-8160-491d-927d-fbeb23433d66"
        }
    }

I have double checked the permissions all me to call this function.
All resources are located in the same project folder.

ClaireR · September 15, 2025, 4:36pm

Hi @cdylpp

Unfortunately calling AIP agents as functions in python or Typescript v2 functions is not supported by default today.

This is because the generated ontology SDK client for these functions is limited to the default set of ontology permissions listed in the docs here, which does not include permissions required for calling AIP Agents.

We are considering ways to improve on the default set of permissions available there, but in the meantime some alternative options to allow you to call your agent from a function are:

Use a Typescript v1 function to call the agent function instead
Or, if you prefer to use python functions instead, you can call your agent using a Developer Console application client with the platform SDKs in your python code instead:
- Create a Developer Console application, with application permissions enabled and the required resources and client operations for calling your agent described in the documentation here
- Create a Data Connection source with your Developer Console client credentials and import this to use within your python function as described in the documentation here
- Create a platform SDK client with the client credentials from your Developer Console application. Use this to interact with your agent, using the create agent session and blocking continue session options

cdylpp · September 16, 2025, 12:16pm

Hi,

Thank you for this information!

It seems simple enough to translate the function into TypeScript v1. Are there any “gotchas” I should be aware of that are not explicitly outlined in the documentation when calling an AIP agent?

As a side note, it seems that creating a console application could be overkill for calling a single function (additionally, I’d have to acquire permissions to create a console app since they are currently not allowed in my env). Are there other benefits to creating a console application?

ClaireR · September 16, 2025, 2:00pm

Calling the agent via a TypeScript v1 function should be the simplest option if you need to wrap your agent with additional logic for triggering from your Workshop app - I wouldn’t anticipate any issues from the setup you’ve described but please let me know if you encounter any issues!

You should also be able to trigger the agent function directly in Workshop if you don’t require any wrapping logic - for example, you can create a Struct→Function variable type, to run your agent function with another string variable as the user input. You can then extract the agent’s text response from this with a String→Variable transformation variable type, and the “Extract struct field” transformation.

I’d only suggest the Developer Console route for now if you required use of Python functions in order to wrap calling the agent, or if you specifically wanted the calls to the agent to run using the application permissions for your Developer Console application (instead of as the user using the workshop). For your use case, it sounds like TSv1 or direct use of the agent function in workshop should be sufficient though!

system · December 16, 2025, 10:01pm

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.