- Bug
- Resolution: Unresolved
- Major
- None
- 2025.2 (Flamingo)
- None
When querying the new location GET API from Cinder, we get the following trace in Cinder:
Aug 16 01:46:41 ubuntu-VirtualBox cinder-volume[463186]: ERROR oslo_messaging.rpc.server cinder.exception.ImageNotAuthorized: Not authorized for image 97ae1a68-ae2a-4be7-b742-23c9cd4d57d3.
While debugging from the Glance side, it turns out the policy check fails:
> api_pol.get_locations()
(Pdb)
webob.exc.HTTPForbidden: You are not authorized to complete fetch_image_location action.
> /opt/stack/glance/glance/api/v2/images.py(1238)get_locations()
-> api_pol.get_locations()
(Pdb)
> /opt/stack/glance/glance/api/v2/images.py(1244)get_locations()
-> except exception.NotFound as e:
(Pdb)
> /opt/stack/glance/glance/api/v2/images.py(1246)get_locations()
-> except exception.Forbidden as e:
(Pdb)
-Return-
> /opt/stack/glance/glance/api/v2/images.py(1246)get_locations()->None
-> except exception.Forbidden as e:
Cinder is configured to use a service token, and it is visible in the request context as well:
[service_user]
auth_strategy = keystone
send_service_user_token = True
memcached_servers = localhost:11211
cafile = /opt/stack/data/ca-bundle.pem
project_domain_name = Default
project_name = service
user_domain_name = Default
password = ******
username = cinder
auth_url = http://127.0.0.1/identity
interface = public
auth_type = password
1. Merge fix in master | Closed | Rajat Dhasmana
2. Merge fix in stable/2025.1 | In Progress | Rajat Dhasmana
3. Test the fix downstream | New | Maxim Sava