Has your application with the IBM Watson service suddenly stopped working without any changes to its configuration?

The application probably uses HTTP basic authentication with username and password credentials; this is also called as a Cloud Foundry service credential, and you likely see 401: Unauthorised Error in the application log:

401 Unauthorised

This blog post will outline how to resolve the issue and get your application up and running with the Watson service again.

Solution

Once you migrate a Watson service instance to move it from its current Cloud Foundry org and space to a resource group, your new instance manages authentication with Cloud Identity and Access Management (IAM). IAM is an enhanced mechanism that uses API keys instead of username and password. 

As a result, you need to change the application code, which authenticates to the Watson service with the IAM API key credential.

1. Log in to IBM Cloud and open your Dashboard. 
2. Select Services in the Resource summary section > your Watson service instance > Service Credentials. 
3. Copy the API key in the Credentials section. 
4. Check your application code that authenticates to the Watson service with username and password credentials and replace it with the API key you copied from Step 3.

Example

The following Python code is using Basic Authentication to connect to the watsonx Assistant instance, and it may have failed with the 401 authentication error because the credential has deprecated.

from ibm_watson import AssistantV1 
from ibm_cloud_sdk_core.authenticators import BasicAuthenticator

username = 'd51a5b3c-fce3-4836-9d4c-e068a9e35379'
password = 'Pw0Oq3kydbzQ'

authenticator = BasicAuthenticator(username, password) 
assistant = AssistantV1( version='2018-08-01', authenticator=authenticator ) 
assistant.set_service_url('{url}')

Note that the username of the old Cloud Foundry service credential is a string other than apikey in the above example. 

Replace the username with the word apikey and the password with the actual API key of the Watson service. 

Below, you’ll see the updated version of the example code:

username = 'apikey'
password = 'your-API-Key-goes-here'
authenticator = BasicAuthenticator(username, password) 
assistant = AssistantV1( version='2018-08-01', authenticator=authenticator ) 

Or, if you use a later version of Watson SDK to manage the IAM authentication, you can use the following code in this example:

from ibm_watson import AssistantV1 
from ibm_cloud_sdk_core.authenticators import IAMAuthenticator 

authenticator = IAMAuthenticator( 'your-API-Key-goes-here') 
assistant = AssistantV1( version='2019-08-01', authenticator=authenticator )

For different programming languages and Watson services, refer to the corresponding Watson SDK and API documents: 

• Watson SDKs 
• Watson API docs 

Summary

Update your applications to take advantage of the improved security that Cloud Identity and Access Management (IAM) affords. After you update your apps to use the new API key approach, you won’t need the Cloud Foundry service alias and can delete it. The username and password credentials have recently been disabled, and applications must be updated to use the IAM authentication method.

For more details about the migration of your Cloud Foundry instance and the new IAM authentication, see the following: 

• Identity and Access Management Updates for Watson Services
• Migrating Watson services from Cloud Foundry