# ask-marvin
@Marvin Authenticated on prefect workspace but getting this error when running a flow:
File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\flows\agent\bin\pms_generate_base_flow.py", line 205, in <module>
    pms_generate_base_flow(env, cicd)
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\flows.py", line 1702, in __call__
    return run_flow(
           ^^^^^^^^^
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\flow_engine.py", line 1552, in run_flow
    ret_val = run_flow_sync(**kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\flow_engine.py", line 1392, in run_flow_sync
    with engine.start():
  File "C:\Users\AbhijeetShelake\AppData\Local\Programs\Python\Python311\Lib\contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\flow_engine.py", line 758, in start
    with self.initialize_run():
  File "C:\Users\AbhijeetShelake\AppData\Local\Programs\Python\Python311\Lib\contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\flow_engine.py", line 691, in initialize_run
    self.flow_run = self.create_flow_run(self.client)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\flow_engine.py", line 528, in create_flow_run
    return client.create_flow_run(
           ^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\client\orchestration\_flow_runs\client.py", line 89, in create_flow_run
    response = self.request(
               ^^^^^^^^^^^^^
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\client\orchestration\base.py", line 33, in request
    return self._client.send(request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\client\base.py", line 622, in send
    response.raise_for_status()
  File "C:\git\DentalCorp-Canada\gitlab\data-pipelines\.venv\Lib\site-packages\prefect\client\base.py", line 163, in raise_for_status
    raise PrefectHTTPStatusError.from_httpx_error(exc) from exc.__cause__
prefect.exceptions.PrefectHTTPStatusError: Client error '403 Forbidden' for url '<https://api.prefect.cloud/api/accounts/c1b2c86f-eb40-4cf2-b349-89d52b7be84b/workspaces/cf539437-afb>…
Response: {'detail': 'Workspace scopes missing: run_flows'}
For more information check: <https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/403>
Thanks for sharing the stack trace — that 403 tells us exactly what’s wrong.

What the error means
- Prefect Cloud rejected the request to create a flow run because the API key you’re using does not have the required workspace permission: run_flows.
- In Prefect 3.x Cloud, permissions are granted via workspace roles/scopes on the identity behind your API key (your user or a service account).

How to fix it
1) Verify you’re connected to the right workspace locally
- See your current settings:
prefect config view
- List and select your workspace:
prefect cloud workspace ls
prefect cloud workspace set
- If needed, log in again with the right key:
prefect cloud login
2) Confirm the identity behind your API key and its role
- If it’s a user API key: a workspace admin needs to ensure your user has a role that includes permission to run flows.
- If it’s a service account key: ensure the service account has a role that includes “Run flows,” or create a new service account with that permission and generate a new key.

Where to do this in the UI
- User roles and permissions: open your workspace in Prefect Cloud and check Members/Users; ensure the assigned role includes the ability to run flows.
- Service accounts: Workspace Settings > Service Accounts; create or edit a service account and assign a role that can run flows; then generate a key.

Useful docs
- Manage roles and permissions
- Service accounts
- API keys
- Settings and profiles

Apply a new key locally (if you rotate keys)
- Set it via CLI:
prefect cloud login
- Or set env vars for your current shell:
export PREFECT_API_KEY=XXXX
export PREFECT_API_URL=https://api.prefect.cloud/api
(Use the Windows equivalent if needed.)

Quick checks after updating
- You should be able to run your flow again without the 403.
- If you still see the error, double‑check that:
  - You’re in the same workspace as the one in the error URL.
  - The identity’s role truly includes the permission to run flows.
  - The key wasn’t created under a different account/workspace.

If it helps, tell me whether you’re using a user API key or a service account key, and I can give you more precise click-paths in the UI and confirm the specific role you should use.