Application-id as user-id required in executing script with authorization

Hi,

Referring to a previous ask (link), I have tested running a script with authorization.

  1. run allocateParties with participant_admin jwt
  2. run initialize with superuser jwt (superuser can act as alice and bob)

In 2, when I used this command

daml script --dar .daml/dist/project-0.0.1.dar --script-name Main:initialize --input-file ledger-parties.json --ledger-host localhost --ledger-port 6865 --access-token-file superuserjwt

It fails with the message in the sandbox

WARN  c.d.l.a.a.Authorizer - PERMISSION_DENIED(7,0): Claims are only valid for applicationId 'superuser', actual applicationId is 'daml-script', context: {participant: "sandbox", err-context: "{location=ErrorFactories.scala:238}"}

Then I added --application-id superuser to this command

daml script --dar .daml/dist/project-0.0.1.dar --script-name Main:initialize --input-file ledger-parties.json --ledger-host localhost --ledger-port 6865 --access-token-file superuserjwt --application-id superuser

It works well.

Kindly advise if it is related to a previous ask about using --application-id for the user id in this case.

Thanks in advance.

kc

Daml script doesn’t really care. The only thing that matters is that what is in your token matches what you specify via --application-id. Note that this is only relevant for the custom daml claims tokens. For the user access tokens there is no such restriction.

Thanks @cocreature. I am using the user access token (with userId superuser) specified in the superuserjwt. But without the --application-id superuser the script cannot be executed, with an error message (and a warning message in Sandbox).

Oh that’s a good point. I’ve opened an issue for this: “Daml Script should rely on application id defaulting” (Issue #13474, digital-asset/daml on GitHub). In the meantime, you do have to pass the flag and match the user id.

Thanks @cocreature. Yes that’s what I am doing now.

cheers,
kc
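
A pre-flight check for the mismatch discussed in this thread, added here as an example and not code from the thread or from the Daml project: it decodes the token payload and reports which --application-id value the ledger will expect before daml script is run. It assumes user access tokens carry the user id in the `sub` claim and custom Daml claims tokens carry `applicationId` under the `https://daml.com/ledger-api` key; all function names are hypothetical.

```python
import base64
import json

DAML_CLAIMS_KEY = "https://daml.com/ledger-api"  # assumed key of custom Daml claims
DEFAULT_APP_ID = "daml-script"  # the default reported in the sandbox warning above


def jwt_payload(token: str) -> dict:
    """Decode a compact JWT's payload. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def required_application_id(token: str):
    """Return the application id the token is bound to, or None if unbound."""
    claims = jwt_payload(token)
    custom = claims.get(DAML_CLAIMS_KEY)
    if isinstance(custom, dict):
        # Custom claims token: bound only if applicationId is present.
        return custom.get("applicationId")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("token has neither custom Daml claims nor a 'sub' claim")
    # User access token: per this thread, the flag has to match the user id.
    return sub


def check_application_id(token: str, application_id: str = DEFAULT_APP_ID):
    """Return (ok, expected) for the application id the client would send."""
    expected = required_application_id(token)
    return (expected is None or expected == application_id, expected)


def constructed_token(payload: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, not a real JWT)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.constructed-signature"


if __name__ == "__main__":
    token = constructed_token({"sub": "superuser", "scope": "daml_ledger_api"})
    for app_id in (DEFAULT_APP_ID, "superuser"):
        ok, expected = check_application_id(token, app_id)
        print(f"--application-id {app_id}: {'ok' if ok else 'mismatch'} (token expects {expected!r})")
```

To check a real token, pass the contents of the file given to --access-token-file to `check_application_id`.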