Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Re: apply shcluster-bundle returning insufficient ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to deploy new apps to shcluster via my deployer and running apply shcluster bundle command I'm receiving a erro message.
/splunkdrive/splunk/bin/splunk apply shcluster-bundle --answer-yes -auth admin:{{ADMIN_PASSWORD}} -target https://{{SEARCH_HEAD_IP}}:8089
With return: insufficient permission to access this resource
I already tested a API call at search head using same auth and it was OK both on deployer and on search head cluster element
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We finally got the solution:
We had a custom authorize.conf under $SPLUNK_HOME/splunk/etc/system/local and probably was missing some capability.
When we removed this authorize.conf command worked fine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For those who come to this page looking for an answer how to avoid giving a user admin_all_objects capability, if you only want the user to do a "splunk apply shcluster-bundle"...
We opened a case for this (1165853) and there is a solution:
You can build a custom role for this.
Step 1: Define a new capability and assign it to a role - via authorize.conf
[capability::deployer_capability]
[role_deployer]
deployer_capability = enabled
Step 2: Assign the capability to the correct REST endpoint, which is used by this CLI command - via restmap.conf
[apps-deploy:apps-deploy]
capability.post=deployer_capability
This is working pretty fine for us and we can now have a techical user doing a "splunk apply shcluster-bundle" without having a technical user with admin priviliges.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Capability admin_all_objects is required for a user role to apply/deploy shcluster-bundle from deployer server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We finally got the solution:
We had a custom authorize.conf under $SPLUNK_HOME/splunk/etc/system/local and probably was missing some capability.
When we removed this authorize.conf command worked fine
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By any chance did you find out capabilities needed to apply shcluster-bundle from deployer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First I would suggest not to use -auth parameters. Run the command without -auth and see if you can make any changes.
Secondly, insufficient permissions mean that the -auth admin:{passowrd} is incorrect. To resolve the error, change the admin password on deployer and so on all the SHC members. Then you can try again.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem isn't related with the use of -auth we tried without that but the error message persists
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
