aliyun / terraform-provider-alicloud

Terraform AliCloud provider
https://www.terraform.io/docs/providers/alicloud/
Mozilla Public License 2.0

Terraform gives access denied but CLI works #1618

Closed Ghost---Shadow closed 5 years ago

Ghost---Shadow commented 5 years ago

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Terraform v0.12.7
+ provider.alicloud v1.55.1
+ provider.local v1.3.0
+ provider.template v2.1.2

Affected Resource(s)

Please list the resources as a list, for example:

Other resources like ECS and OSS are working fine

Panic Output

terraform refresh crashes and says that user does not have access

[ERROR] terraform-provider-alicloud/alicloud/service_alicloud_slb.go:100: Resource xxx DescribeVServerGroupAttribute Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: UserNotAllowed
Recommend:
RequestId: xxx
Message: The user is not allowed, please submit the application.
2019/08/30 10:41:54 [TRACE] [walkRefresh] Exiting eval tree: module.kubernetes.alicloud_slb_server_group.masters-group

aliyun cli works fine

aliyun slb DescribeVServerGroupAttribute --VServerGroupId xxx
{
    "BackendServers": {
        "BackendServer": [
            {
                "ServerId": "xxx",
                "Port": 6443,
                "Weight": 100,
                "Type": "ecs"
            },
            {
                "ServerId": "xxx",
                "Port": 6443,
                "Weight": 100,
                "Type": "ecs"
            },
            {
                "ServerId": "xxx",
                "Port": 6443,
                "Weight": 100,
                "Type": "ecs"
            }
        ]
    },
    "RequestId": "xxx",
    "VServerGroupId": "xxx",
    "LoadBalancerId": "xxx",
    "VServerGroupName": "xxx"
}

I think it is not assuming the right roles

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. Create root account 1
  2. Create RAM role 1 with admin access
  3. Create root account 2
  4. Create RAM user 2 and attach to RAM role 1
  5. Assume RAM role 1 by RAM user 2
  6. terraform init && terraform refresh

Important Factoids

This is my OSS backend config

  backend "oss" {
    encrypt             = true
    bucket              = "xxx"
    key                 = "xxx"
    region              = "ap-southeast-1"
    tablestore_endpoint = "xxx"
    tablestore_table    = "xxx"
    assume_role {
      role_arn = "<RAM role 1>"
    }
  }

My SLB is in ap-southeast-3. Is that the problem?
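
A triage helper for the kind of trace shown in the report above, added here as an example (it is not code from the issue or from the provider project). It pulls each SDK error block out of a Terraform log and names the aliyun CLI action to re-run under the same credentials, as the reporter did by hand. The sample log is constructed from the excerpt with placeholder ids, and the mapping from the provider's service file name to the CLI product name is an assumption that holds for the slb case shown.

```python
import re
from collections import Counter

# Constructed sample modelled on the log excerpt in the issue; ids are placeholders.
SAMPLE_LOG = """\
[ERROR] terraform-provider-alicloud/alicloud/service_alicloud_slb.go:100: Resource vsg-placeholder DescribeVServerGroupAttribute Failed!!! [SDK alibaba-cloud-sdk-go ERROR]:
SDK.ServerError
ErrorCode: UserNotAllowed
Recommend:
RequestId: REQ-PLACEHOLDER-1
Message: The user is not allowed, please submit the application.
2019/08/30 10:41:54 [TRACE] [walkRefresh] Exiting eval tree: module.kubernetes.alicloud_slb_server_group.masters-group
"""

# First line of an error block: source file, resource id and API action.
HEADER = re.compile(
    r"\[ERROR\] \S*service_alicloud_(?P<product>\w+)\.go:\d+: "
    r"Resource (?P<resource>\S+) (?P<action>\w+) Failed!!!"
)
FIELD = re.compile(r"^(ErrorCode|RequestId|Message):\s*(.*)$")
TIMESTAMPED = re.compile(r"^\d{4}/\d{2}/\d{2} ")

def parse_sdk_errors(log_text):
    """Return one dict per provider SDK error block found in the log."""
    errors, current = [], None
    for line in log_text.splitlines():
        header = HEADER.search(line)
        if header:
            current = header.groupdict()
            errors.append(current)
            continue
        field = FIELD.match(line.strip())
        if current is not None and field:
            current[field.group(1)] = field.group(2)
        elif current is not None and TIMESTAMPED.match(line):
            current = None  # a timestamped line ends the multi-line block
    return errors

def summarize(errors):
    """Count failures per (API action, error code); truncated blocks get 'unknown'."""
    return Counter((e["action"], e.get("ErrorCode", "unknown")) for e in errors)

def replay_commands(errors):
    """CLI call that repeats each failed action (assumed file-to-product mapping)."""
    return sorted({f"aliyun {e['product']} {e['action']}" for e in errors})

if __name__ == "__main__":
    found = parse_sdk_errors(SAMPLE_LOG)
    for (action, code), count in summarize(found).items():
        print(f"{count}x {action}: {code}")
    print("\n".join(replay_commands(found)))
```

Each suggested command still needs the resource id argument for its action (here `--VServerGroupId`, as in the CLI call in the report).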

xiaozhu36 commented 5 years ago

Hi @Ghost---Shadow, I think this issue is the same as #1534, and it has now been fixed in 1.55.4. Please check it.

Ghost---Shadow commented 5 years ago

That seems to be fixed for SLB.

I have created two more tickets:
https://github.com/terraform-providers/terraform-provider-alicloud/issues/1699
https://github.com/terraform-providers/terraform-provider-alicloud/issues/1700