Troubleshooting Kubernetes Access with 403 Forbidden Errors
If you're encountering 403 "Access is forbidden for this user" errors when trying to access Kubernetes resources, this is typically caused by using an admin kubeconfig file when you need a tenant-specific configuration.

Common Error Symptoms

You may see errors like:

    duplo-jit: failed to get credentials: status: 403, message: {"Message":"Access is forbidden for this user"}
    Unable to connect to the server: getting credentials: exec: executable duplo-jit failed with exit code 1

Solution 1: Generate Tenant-Specific Kubeconfig

The most reliable solution is to generate a new kubeconfig file specifically for your tenant access.

Using duploctl

First, set the required environment variables:

    export DUPLO_HOST=https://your-duplo-instance.com
    export DUPLO_TENANT=your-tenant-name
    export DUPLO_TOKEN=your-duplo-token

You can get your Duplo token from Admin > Users > Your User > Token in the Duplo portal.

Then run:

    duploctl jit update_kubeconfig --plan your-plan --tenant your-tenant

Using AWS CLI

Alternatively, you can use the AWS CLI if you have your AWS profile configured:

    aws eks update-kubeconfig --name your-cluster-name

Solution 2: Download from Duplo Portal

You can also download the tenant-scoped kubeconfig directly from the Duplo portal:

1. Navigate to your Kubernetes services page in the Duplo portal
2. Look for the kubeconfig download option
3. Download the tenant-specific configuration file

Understanding Tenant Permissions

When using tenant-scoped access, you have limited permissions compared to admin access:

- You can only see resources in your specific tenant namespace (e.g., duploservices-dev)
- Commands like kubectl get namespaces will fail
- You must specify the namespace when querying resources:

    kubectl get pods --namespace duploservices-dev

Using Kubernetes Lens with Tenant Access

If you're using Kubernetes Lens, tenant configurations may not load successfully because Lens tries to list namespaces and nodes, which tenant users don't have permission to do.

To resolve this:

1. In Lens, go to your cluster settings
2. Find the "Accessible Namespaces" field
3. Specify your tenant namespace (e.g., duploservices-dev)

This tells Lens to only try to access the namespaces you have permission to view.

Best Practices

- Always generate kubeconfig files rather than sharing them between users
- Each user should have their own tenant-specific configuration
- When deploying to new environments, regenerate the kubeconfig to include new cluster contexts
- Use tools like kubectx to easily switch between different cluster contexts
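To confirm which of the situations above a given kubeconfig is in, the check below separates the duplo-jit 403 from ordinary tenant scoping using the standard `kubectl auth can-i` subcommand. It is an added example, not code from the Duplo documentation or tooling; the verdict labels, the `KUBECTL` override and the `--check` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not DuploCloud code. KUBECTL can be overridden so the
# logic can be exercised against a stub instead of a live cluster.
KUBECTL="${KUBECTL:-kubectl}"

# check_tenant_access NAMESPACE
# Prints one verdict on stdout (labels are this example's own):
#   plugin-403           credential plugin rejected the user
#   no-namespace-access  could not confirm pod listing in NAMESPACE
#   tenant-scope         pods listable in NAMESPACE, namespaces not listable
#   cluster-scope        namespaces listable too: not a tenant-scoped config
check_tenant_access() {
    ns="$1"
    # stderr is captured as well: the duplo-jit failure is reported there.
    out=$($KUBECTL auth can-i list pods --namespace "$ns" 2>&1) || true
    case "$out" in
        *"Access is forbidden for this user"*)
            echo "plugin-403"
            echo "hint: regenerate a tenant-specific kubeconfig" >&2
            return 1 ;;
    esac
    # can-i answers "yes" or "no"; take the last line to skip any warnings.
    if [ "$(printf '%s\n' "$out" | tail -n 1)" != "yes" ]; then
        echo "no-namespace-access"
        return 1
    fi
    # Tenant users are expected to be denied here (kubectl get namespaces fails).
    out=$($KUBECTL auth can-i list namespaces 2>/dev/null) || true
    if [ "$out" = "yes" ]; then
        echo "cluster-scope"
    else
        echo "tenant-scope"
        echo "hint: pass --namespace $ns; in Lens set Accessible Namespaces" >&2
    fi
}

# Run against the current context: sh check.sh --check duploservices-dev
if [ "${1:-}" = "--check" ]; then
    check_tenant_access "${2:?usage: --check NAMESPACE}"
fi
```

A `tenant-scope` verdict is the expected result for a correctly generated tenant kubeconfig; `cluster-scope` means the context in use is broader than the tenant access described above.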

