SAP-samples / teched2024-XP280

From clicks to code: Managing your SAP BTP infrastructure with Terraform
Apache License 2.0

getting auth error, I have double checked username and password + env variables #40

Closed kstenbaek closed 4 days ago

kstenbaek commented 1 week ago

this is what I get when executing the plan

@kstenbaek ➜ /workspaces/teched2024-XP280/terraform_build (main) $ terraform plan -out=tfplan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform planned the following actions, but then encountered a problem:

  # random_uuid.uuid will be created
  + resource "random_uuid" "uuid" {
      + id     = (known after apply)
      + result = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Error: unableToCreateClient
│ 
│   with provider["registry.terraform.io/sap/btp"],
│   on provider.tf line 12, in provider "btp":
│   12: provider "btp" {
│ 
│ Login failed. Check your credentials. [Status: 401; Correlation ID: 28e8daec-e445-e80c-acb6-7f34b7fe9a66]
╵
@kstenbaek ➜ /workspaces/teched2024-XP280/terraform_build (main) $ 

sapienz-kb commented 1 week ago

I have the same issue with a freshly created trial user, no MFA and using the P-number along with the password. I went over SAP Note 3085908, but that did not fix the issue.

lechnerc77 commented 1 week ago

@sapienz-kb @kstenbaek assuming the prerequisites of the SAP note are in place and your Universal ID user as well as your P/S User have the same password set, this might be caused by having several S/P-Users attached to the Universal ID, i.e. using the same email that you use for authentication when leveraging the Terraform provider. In this case you can directly use the S-User/P-User ID as username for authentication of the Terraform provider.

sapienz-kb commented 6 days ago

@lechnerc77 I had the same thought, but the issue occurred for me with a completely new, freshly created Universal ID, which only has a P-user assigned, and nothing else - no MFA either...

lechnerc77 commented 6 days ago

@sapienz-kb Can you cross-check if you can access your account with this user when using the BTP CLI? What could be a source of this error is a typo in the subdomain of the global account that you specify. And another question that helps to pin down the cause: the account is a regular SAP BTP account (trial or productive), not one of an SAP internal landscape, correct?

sapienz-kb commented 6 days ago

@lechnerc77 I've triple checked everything... I copy pasted the domain, and tried both with, and without the "-ga" in the end. I surrounded my password in the .env file with " - and I tried with single: ' as well. I logged out of my global account, and back in again with the password which is being rejected, so I know it's right. My password is obviously not "Password1!" - but it is no more complex than that either; so no funny characters which can only be entered by holding down Alt and typing the hex code for a whitespace character on the numeric keypad... It's a trial account, on US10.

lechnerc77 commented 6 days ago

Thinking out loud:

There are two more things we could try if you have the time and want to:

variable "username" {
  description = "BTP username"
  type        = string
  sensitive   = true
}

variable "password" {
  description = "BTP user password"
  type        = string
  sensitive   = true
}

provider "btp" {
  globalaccount = var.global_account
  username      = var.username
  password      = var.password
}

Do not add them to the terraform.tfvars file. Then execute a terraform plan. This will then interactively prompt you for the values of the username and password.

sapienz-kb commented 6 days ago

btp login from command line output:

>btp login
SAP BTP command line interface (client v2.64.0)

CLI server URL [https://cli.btp.cloud.sap]> 
Connecting to CLI server at https://cli.btp.cloud.sap...

Server certificate subject: CN=cli.btp.cloud.sap,O=SAP SE,L=Walldorf,ST=Baden-Württemberg,C=DE
Server certificate fingerprint: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

User> Pxxxxxxxxxxx (obviously replaced for security)
Password> Password1! (obviously also replaced)

Authentication successful

Current target:
xxxxxxxxtrial (global account, subdomain: xxxxxxxtrial-ga)

We stored your configuration file at: /Users/.........

Tips:
    Commands are executed in the target, unless specified otherwise using a parameter. To change the target, use 'btp target'.
    To provide feedback about the btp CLI, use 'btp feedback' to open our survey.

OK

Replacing in the user variables with the terraform variables.tf file, and provider.tf - gave the same result as without.

lechnerc77 commented 6 days ago

If the CLI works but the Terraform provider does not, even when explicitly entering it, that is weird. I am running out of ideas what could be the root cause for that. You can give the SSO parameter a try with the Terraform provider to enable the login.

kstenbaek commented 6 days ago

> @sapienz-kb @kstenbaek assuming the prerequisites of the SAP note are in place and your Universal ID user as well as your P/S User have the same password set, this might be caused by having several S/P-Users attached to the Universal ID, i.e. using the same email that you use for authentication when leveraging the Terraform provider. In this case you can directly use the S-User/P-User ID as username for authentication of the Terraform provider.

@lechnerc77 FYI I succeeded logging in by following the instruction to login with s-user instead of universal id as described here: https://me.sap.com/notes/3085908

lechnerc77 commented 4 days ago

Status Quo: the second issue reported was due to an "!" at the end of the password. We will try to reproduce this and, if we can, add an issue for it in the Terraform provider repository to get it fixed.
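
An added example, not part of the thread or of the repository's code: a POSIX shell helper that loads a `.env` file literally and reports the shape of a secret without printing it, so that quoting in the `.env` file or a trailing `!` can be ruled in or out before running `terraform plan`. The variable names `BTP_USERNAME` and `BTP_PASSWORD`, the function names and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# Added example: function names and sample values are constructed placeholders.

# load_env FILE: export KEY=VALUE lines literally. Values never pass through
# eval or `source`, so characters such as ! $ ` \ reach the environment as typed.
load_env() {
  local line key value cr
  cr=$(printf '\r')
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%"$cr"}                        # tolerate CRLF line endings
    case $line in ''|'#'*) continue ;; *=*) ;; *) continue ;; esac
    line=${line#export }
    key=${line%%=*}
    value=${line#*=}
    case $key in ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) continue ;; esac
    case $value in                            # strip one matching quote pair
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    export "$key=$value"
  done < "$1"
}

# secret_shape NAME: describe an exported variable without revealing its value.
secret_shape() {
  local v special=no quoted=no edge_ws=no
  v=$(printenv "$1") || { echo "unset"; return 1; }
  case $v in *[!A-Za-z0-9]*) special=yes ;; esac          # any non-alphanumeric
  case $v in \"*\"|\'*\') quoted=yes ;; esac              # quotes became literal
  case $v in [[:space:]]*|*[[:space:]]) edge_ws=yes ;; esac
  echo "len=${#v} special=$special quoted=$quoted edge_ws=$edge_ws"
}

# Constructed sample .env (placeholder credentials, not real ones).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'BTP_USERNAME=P0000000000' \
  'BTP_PASSWORD="Constructed-Pw1!"' > "$sample"
load_env "$sample"
rm -f "$sample"
echo "BTP_PASSWORD: $(secret_shape BTP_PASSWORD)"
```

If `quoted=yes` or the reported length differs from the password that the btp CLI accepts, the value was altered before it reached the provider.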