The openstack user stored in /var/lib/nagios/nagios.novarc doesn't seem to have enough privilege to run check_octavia.py
```
# Running the check manually
root@juju-8d8c5a-4-lxd-17:/etc/nagios/nrpe.d# /usr/local/lib/nagios/plugins/check_octavia.py --check amphorae
Traceback (most recent call last):
File "/usr/local/lib/nagios/plugins/check_octavia.py", line 358, in <module>
main()
File "/usr/local/lib/nagios/plugins/check_octavia.py", line 352, in main
status, message = process_checks(args)
File "/usr/local/lib/nagios/plugins/check_octavia.py", line 293, in process_checks
return nagios_exit(args, checks[args.check](connection))
File "/usr/local/lib/nagios/plugins/check_octavia.py", line 203, in check_amphorae
items = list(lb_mgr.amphorae())
File "/usr/lib/python3/dist-packages/openstack/resource.py", line 1693, in list
exceptions.raise_from_response(response)
File "/usr/lib/python3/dist-packages/openstack/exceptions.py", line 234, in raise_from_response
raise cls(
openstack.exceptions.HttpException: HttpException: 403: Client Error for url: https://octavia.oam.prd.infra.client.net:9876/v2.0/octavia/amphorae, Forbidden
# Workaround for me was to give the load balancer roles manually to the nagios user
ubuntu@app1maas001p:~$ NAGIOS_USER_ID=$(openstack user list --domain service_domain | grep nagios | awk '{print $2}')
ubuntu@app1maas001p:~$ openstack role add --domain service_domain --user $NAGIOS_USER_ID load-balancer_member
ubuntu@app1maas001p:~$ openstack role add --project-domain service_domain --project services --user $NAGIOS_USER_ID load-balancer_member
ubuntu@app1maas001p:~$ openstack role add --domain service_domain --user $NAGIOS_USER_ID load-balancer_admin
ubuntu@app1maas001p:~$ openstack role add --project-domain service_domain --project services --user $NAGIOS_USER_ID load-balancer_admin
```
Actually only `load-balancer_ admin` role is required. Alternatively, nagios user should be a system admin and requests should be made in system scope (instead of project scope). See related policies for Octavia's /octavia/amphorae API below:
"system-admin": "role:admin and system_scope:all" admin": "is_admin:True or role:load- balancer_ admin or rule:system-admin" balancer_ api:amphora: get_all" : "rule:load- balancer: admin"
"load-balancer:
"os_load-