403 forbidden error when running command "dfx identity --network ic deploy-wallet <canister-identifer>"

I’ve created an issue to improve the deploy-wallet command https://github.com/dfinity/sdk/issues/1723


Sorry about not being able to respond to you yesterday, I ran out of how many times I could post as a new user.

So I tried your steps and the first steps gives me an error of “wallet/build.sh: line 18: cargo: command not found”

I’ve also added the canister_ids.json file like

Attached is the screen shot of line where it is calling out the error

That makes sense - it assumes you are set up to compile Rust code. I’ll spend some time today getting up to speed with workflows to host your first canister, and hopefully have a better strategy for you

Ok great thank you for the help

I can confirm that this is happening with all flows that start with an empty canister, and I don’t know of a proper workaround. We’ll prioritize a fix so that deploy-wallet works as expected


Just gonna let that here in case it would help someone some day as I just faced the exact same issue / msg:

Installing code for canister …, with canister_id …
The replica returned an HTTP Error: Http Error: status 403 Forbidden, content type “”, content: Requested canister rejected the message

I successfully created the canister in the nns app and also configured it correctly locally but, I forgot to change the controllers (assign my personal principal id to the new canister) in nns app. Once done, everything went alright.

1 Like

I’m getting the same error. I created a canister (funded with 2T cycles). I set the controller to my principal id. When I come to deploy I see this:

[13:34] ~/dfinity/tom_airclaim$ dfx canister create --with-cycles 2000000000000 tom_airclaim
Creating canister "tom_airclaim"...
"tom_airclaim" canister created with canister id: "rrkah-fqaaa-aaaaa-aaaaq-cai"
[13:36] ~/dfinity/tom_airclaim$ dfx canister update-settings --controller u5fcy-h625d-kffrx-solci-a2aze-ehckf-hszyq-hx3nj-ji36i-vensk-pqe tom_airclaim
Updated "u5fcy-h625d-kffrx-solci-a2aze-ehckf-hszyq-hx3nj-ji36i-vensk-pqe" as controller of "tom_airclaim".
[13:36] ~/dfinity/tom_airclaim$ dfx deploy --network ic --no-wallet
Deploying all canisters.
All canisters have already been created.
Building canisters...
Installing canisters...
Upgrading code for canister tom_airclaim, with canister_id ryjl3-tyaaa-aaaaa-aaaba-cai
The replica returned an HTTP Error: Http Error: status 403 Forbidden, content type "", content: Requested canister rejected the message

Some supporting information:

[13:42] ~/dfinity/tom_airclaim$ dfx identity get-principal
[13:42] ~/dfinity/tom_airclaim$ dfx --version
dfx 0.8.0
1 Like

It looks like when the new cycles wallet is created, it is NOT assigned to your principal. There is one step missing for that : dfx …set wallet.

In practice, that Convert Cycles section of the tutorial should be modified to include the 3 step
1 - dfx ledger --network ic create-canister --amount NbICPTokens

2 - dfx identity --network ic set-wallet --force NewlyCreatedCyclesCanisterID

3 - dfx identity --network ic deploy-wallet canisterd

Step 2 is missing.

1 Like

Hmmm looks like this suspicious set-wallet command is the one that is unblocking the management-canister, see this: 403 error when I call the management canister

Exact. When the cyclesWallet is first created, the creators principal is not assigned as a controller. Somehow this is where the permission issue stems from. Fleek/Plu got this and even included the command in the faucet claim process…so i don’t get why Dfinity has not taken that into account in the tutorial. and so many people get stuck here. This should be a priority update with clear explanation if not include the assignement directly into the cycle creation process. This is a major showstopper for newcommers.


@chenyan @diegop the person(s) who wrote the code for the set-wallet command must know what is going on here.

Thanks for the heads up. Ill ping team

1 Like

I ran through the steps in the Network Quickstart Tutorial, and ended up with a functional wallet after doing so.

When I tried interjecting a step 2 (dfx identity set-wallet), I ended up with a wallet with no wasm, that I could neither deploy to, stop, nor delete.

dfx ledger create-canister requires a controller to be passed. Maybe this was not always the case.

This is what happened when I followed the linked tutorial:

$ dfx --identity mainnet identity get-principal       
$ dfx --identity mainnet ledger --network ic create-canister cjxsv-7ook7-vgkeq-5kaih-2e4u3-fg2to-miupt-fgrrn-dfpza-2vxa5-zae --amount 0.05
Transfer sent at BlockHeight: 904175
Canister created with id: "p3cxd-oiaaa-aaaai-aaueq-cai"
$ dfx --identity mainnet identity --network ic deploy-wallet p3cxd-oiaaa-aaaai-aaueq-cai
Creating a wallet canister on the ic network.
The wallet canister on the "ic" network for user "mainnet" is "p3cxd-oiaaa-aaaai-aaueq-cai"
$ dfx --identity mainnet wallet --network ic balance
1431548681986 cycles.
$ dfx --identity mainnet wallet --network ic controllers
$ dfx --identity mainnet identity --network ic get-wallet
1 Like

@ericswanson try to create a canister in the nns-frontend and then add the dfx controller as a controller and then use dfx to deploy a wallet onto it. See if you can get that to work without doing the set-wallet command (by the way it seems like it needs the set-wallet —force option).

Thank you for this! Forgot to assign it as well.


I’m trying to do the bootcamp pre-reqs and also ran into this error. I got free cycles from the faucet and used the given command to set-wallet. BTW, it seems the --no-wallet flag is no longer valid.

My wallet:
auchan@epsilon:~/ic-projects/hello$ dfx identity --network ic get-wallet

My canisters:
auchan@epsilon:~/ic-projects/hello$ more canister_ids.json
“hello”: {
“ic”: “q5ppe-zyaaa-aaaai-abtkq-cai”
“hello_assets”: {
“ic”: “qumey-pqaaa-aaaai-abtla-cai”

Deploy command and output:
auchan@epsilon:~/ic-projects/hello$ dfx deploy --network ic
Deploying all canisters.
Creating canisters…
Creating canister “hello”…
hello canister created on network “ic” with canister id: “q5ppe-zyaaa-aaaai-abtkq-cai”
Creating canister “hello_assets”…
hello_assets canister created on network “ic” with canister id: “qumey-pqaaa-aaaai-abtla-cai”
Building canisters…
Building frontend…
Installing canisters…
Installing code for canister hello, with canister_id q5ppe-zyaaa-aaaai-abtkq-cai
Error: The replica returned an HTTP Error: Http Error: status 403 Forbidden, content type “application/cbor”, content: Requested canister rejected the message

My wallet controllers:
auchan@epsilon:~/ic-projects/hello$ dfx wallet --network ic controllers

auchan@epsilon:~/ic-projects/hello$ dfx wallet --network ic balance
6899945090470 cycles.

My balance is 8T cycles lower due to the 2 deployed canisters above.

My canister controllers is my cycles wallet canister:
auchan@epsilon:~/ic-projects/hello$ dfx canister --network ic info q5ppe-zyaaa-aaaai-abtkq-cai
Controllers: qpjy5-viaaa-aaaai-abtjq-cai
Module hash: None
auchan@epsilon:~/ic-projects/hello$ dfx canister --network ic info qumey-pqaaa-aaaai-abtla-cai
Controllers: qpjy5-viaaa-aaaai-abtjq-cai
Module hash: None

My principal and ledger account ids:
auchan@epsilon:~/ic-projects/hello$ dfx identity get-principal

auchan@epsilon:~/ic-projects/hello$ dfx ledger account-id

So I believe I have a different error as my principal is the controller for my cycle wallet, and my cycle wallet is the controller for my canisters.

EDIT - turns out you need your principal to be the controller for all deployed canisters (cycle wallet as controller is not enough)

Follow the commands listed in the release notes to upgrade your wallet and set controller properly for all deployed canisters.

1 Like

i have a cycles wallet from 8.0 and i seem to be locked out after upgrading to 9.0

opa@zbox:~/ICP/ic-avatar$ dfx identity --network ic get-wallet
opa@zbox:~/ICP/ic-avatar$ dfx wallet --network ic upgrade
The replica returned an HTTP Error: Http Error: statuopa@zbox:~/ICP/ic-avatar$ dfx --identity default wallet --network ic controllers
The Replica returned an error: code 4, message: “Only a custodian can call this method.”

1 Like

A place to start is
dfx canister --network ic info $(dfx identity --network ic get-wallet)
to find out the controllers of your wallet, and
dfx identity get-principal

If the principal of your identity isn’t found among the controllers of the wallet, then determine if your wallet is controlled by another of your identities.

1 Like

opa@zbox:~/proof_of_humanity_IC/ic-avatar$ dfx canister --network ic info $(dfx identity --network ic get-wallet)
Controllers: vrn7l-uocji-qfnzf-6xdsx-r33f2-qj7fd-ckbup-b4o52-azj6j-mazny-mqe
Module hash: 0xa609400f2576d1d6df72ce868b359fd08e1d68e58454ef17db2361d2f1c242a1
opa@zbox:~/proof_of_humanity_IC/ic-avatar$ dfx identity list
default *
opa@zbox:~/proof_of_humanity_IC/ic-avatar$ dfx identity get-principal
opa@zbox:~/proof_of_humanity_IC/ic-avatar$ dfx identity use anonymous
Using identity: “anonymous”.
opa@zbox:~/proof_of_humanity_IC/ic-avatar$ dfx identity get-principal
opa@zbox:~/proof_of_humanity_IC/ic-avatar$ dfx identity use admin
Using identity: “admin”.
opa@zbox:~/proof_of_humanity_IC/ic-avatar$ dfx identity get-principal

all my identities now do not include the original identity/principal that was used to create the cycles wallet and several deployed apps originally.

i am able to use these new principals to create new projects… but i can not access any of my older projects/ ones i created with
Controllers: vrn7l-uocji-qfnzf-6xdsx-r33f2-qj7fd-ckbup-b4o52-azj6j-mazny-mqe
from above TIA

Any chance it was an nns identity? Or are you sure it was an identity that is now lost?