bpg / terraform-provider-proxmox

Terraform Provider for Proxmox
https://registry.terraform.io/providers/bpg/proxmox
Mozilla Public License 2.0

Error listing files from datastore using API Token as credentials #1451

Closed Luquor closed 1 month ago

Luquor commented 1 month ago

Describe the bug: Error listing files from a CephFS datastore using an API token

To Reproduce
Steps to reproduce the behavior:

  1. Create a user with any role (Administrator in my case)
  2. Create a file resource
  3. Apply the configuration with the API token as credentials
  4. See error

Minimal Terraform configuration that reproduces the issue. You should have created a user resource beforehand and given it a role that controls as much as possible; I gave the Administrator role to my user.

terraform {
  required_providers {
    proxmox = {
      source  = "bpg/proxmox"
      version = "0.59.1"
    }
  }
}

provider "proxmox" {
  endpoint  = var.endpoint
  api_token = var.api_token
  insecure  = true
  tmp_dir   = "/var/tmp"
  ssh {
    agent    = true
    username = "root"
  }
}

resource "proxmox_virtual_environment_file" "user_data" {
  content_type = "snippets"
  datastore_id = "cephfs"
  node_name    = "rsh-proxmox01-t01"
  overwrite    = true
  source_file {
    path      = "${path.module}/cloud-init/user-data.yaml"
    file_name = "user-data.yaml"
  }
}

Expected behavior
After applying the configuration, there should be the following error:

Error: error listing files from datastore cephfs: received an HTTP 403 response - Reason: Permission check failed (/storage/cephfs, Datastore.Audit|Datastore.AllocateSpace)

  with proxmox_virtual_environment_file.user_data,
  on file.tf line 77, in resource "proxmox_virtual_environment_file" "user_data":
  77: resource "proxmox_virtual_environment_file" "user_data" {

Luquor commented 1 month ago

I have done further research and tests:

So this issue is not related to CephFS at all; it is more about API tokens' permissions. I created a custom role with all the permissions enabled for the user, so the permission errors on Datastore.Audit/AllocateSpace are odd.

EDIT: I recreated my user, but using the CLI this time instead of creating it with Terraform, and there is no error; the instantiation of the file resource works fine. I give the following code block, maybe there is some error in the way I created my user:

resource "proxmox_virtual_environment_user" "user" {
  user_id  = "terraform@pve"
  password = "incrediblepassword"
  comment  = "User managed by Terraform used to create token"
  acl {
    path      = "/"
    propagate = true
    role_id   = "Administrator"
  }
}

resource "proxmox_virtual_environment_user_token" "token" {
  token_name = "terratoken"
  user_id    = proxmox_virtual_environment_user.user.user_id
}

output "token_value" {
  value     = proxmox_virtual_environment_user_token.token.value
  sensitive = true
}

EDIT²: I have tried creating the user with the provider (same HCL code as before), but instead of creating the token with the provider, I created it by hand. That way it works, so there might be something to dig into here.

Luquor commented 1 month ago

Ok, I found the issue. When I created the user, I did not set privileges_separation. So by default the API token had restricted privileges. Doesn't it make more sense to implement this feature the other way around? Just like the behavior of Proxmox, where privilege separation is false/deactivated by default.
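The root cause above is that a privilege-separated token carries none of its user's ACLs, so the token created in the thread could not pass the Datastore.Audit|Datastore.AllocateSpace check on /storage/cephfs. The HCL below is an added example written for this thread; it is not code from the issue or from the provider's own documentation. It shows the two ways to resolve this: keep privilege separation and grant the token its own, narrower ACL (the least-privilege option), or turn separation off so the token inherits the user's Administrator ACL (what the reporter ended up doing). It assumes the provider's `privileges_separation` attribute on `proxmox_virtual_environment_user_token`, a `proxmox_virtual_environment_role` resource with a `privileges` set, a `proxmox_virtual_environment_acl` resource that accepts `token_id`, and that the token resource's `id` is in the `user@realm!tokenname` form; the role name and token names are made up for the example, and the user resource is the one posted earlier in the thread.

```hcl
# Option A: keep privilege separation (an unset value gave the reporter this
# behaviour) and attach a scoped ACL directly to the token. ACLs on the user
# do not flow through to a separated token, which is why the user's
# Administrator role on "/" did not help in the issue.
resource "proxmox_virtual_environment_role" "file_upload" {
  role_id = "TerraformFileUpload" # assumed name

  # Only the privileges named in the 403 from the issue; widen this set only
  # when a later provider call reports a further permission check failure.
  privileges = ["Datastore.Audit", "Datastore.AllocateSpace"]
}

resource "proxmox_virtual_environment_user_token" "token" {
  token_name            = "terratoken"
  user_id               = proxmox_virtual_environment_user.user.user_id
  privileges_separation = true # made explicit; assumed attribute name
}

# Assumed: the provider exposes an ACL resource that can target a token id
# ("terraform@pve!terratoken"). Scoped to the one datastore the file
# resource writes to, not to "/".
resource "proxmox_virtual_environment_acl" "token_cephfs" {
  path      = "/storage/cephfs"
  role_id   = proxmox_virtual_environment_role.file_upload.role_id
  token_id  = proxmox_virtual_environment_user_token.token.id
  propagate = true
}

# Option B: what the thread converged on. With separation disabled the token
# inherits every ACL of terraform@pve, i.e. Administrator on "/" here, so a
# leaked token is as powerful as the user's password.
resource "proxmox_virtual_environment_user_token" "token_inherit" {
  token_name            = "terratoken-inherit" # assumed name
  user_id               = proxmox_virtual_environment_user.user.user_id
  privileges_separation = false
}
```

After applying either option, the effective permissions of a token can be checked on the node with `pveum user token permissions terraform@pve terratoken`; for option A the output should list only the file-upload role on /storage/cephfs, whereas for option B it mirrors the user's full Administrator ACL.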