io.grpc.StatusRuntimeException: PERMISSION_DENIED with Java Bindings against Daml Hub

Hello everybody!

Here is my error:
java.util.concurrent.ExecutionException: io.grpc.StatusRuntimeException: PERMISSION_DENIED: An error occurred. Please contact the operator and inquire about the request <no-correlation-id>

It happens when I send a grpc request from Java app with bindings to the ledger on the Daml Hub.
How do I do it?

  1. I created a service account for my Java app on behalf of the party that will send the grpc request.
  2. There is a token (Cred ID) for the new account. I use it against
  3. I get two tokens in response: accessToken and token
  4. inside my java app I build DamlClient like this:
  .newBuilder(host, port)

The host is my daml hub host and the port is 443
When I send a request through this I get PERMISSION_DENIED error. What can be wrong? As a token I use “token” from the login endpoint response. When I use “access_token” or just a manually crafted garbage string I get UNAUTHORIZED. What is the correct token for this?
I read this post
I thought that maybe the reason is that I created a service for the wrong party but everything looks good, I double-checked.
The code is working fine if I run the sandbox ledger and send requests with the simple builder: no SSL and Token.


The applicationId that you use in the bindings also have to match what is in the token. Currently for Daml Hub tokens, this is hardcoded to "damlhub".

(This may be a duplicate of this issue Cannot exercise contract with Java API to DAML Hub - #2 by Mate_Varga)


Thank you very much, sir!
It solved the problem and I can reach Hub from the java app running from a container on the local host.
Now I run the same container on AWS Kubernetes cluster. And when I try to connect to the ledger I get:
io.grpc.StatusRuntimeException: UNAUTHENTICATED
I checked everything. This is the exact same container with the same credentials. Don’t you know what can it be? Maybe you have something on the top of your mind! The problem happens in the same place where I got PERMISSION_DENIED before.
AWS security groups are fine too, I checked, 443 is allowed.