confluentinc / terraform-provider-confluent

Terraform Provider for Confluent
Apache License 2.0

Error: error creating Role Binding: 403 Forbidden: Forbidden Access - Getting this error while creating rolebinding #356

Closed syydsohail closed 7 months ago

syydsohail commented 7 months ago

Hi Team,

Error: error creating Role Binding: 403 Forbidden: Forbidden Access

Getting this error while assigning the role to the service account using terraform. Tried with Cloud API key and Secret created for the service account and the Cloud API key and Secret we use for our deployments.

Created Service account and API key using different terraform code.

Code

terraform {
  required_providers {
    confluent = {
      source  = "confluentinc/confluent"
      version = "1.61.0"
    }
  }
}

provider "confluent" {
  alias            = "cloud"
  cloud_api_key    = var.confluent_cloud_api_key
  cloud_api_secret = var.confluent_cloud_api_secret
  kafka_id         = var.kafka_id
}

resource "confluent_role_binding" "AWS-Test-cluster-admin" {
  provider    = confluent.cloud
  principal   = "User:sa-oxxxxx"
  role_name   = "CloudClusterAdmin"
  crn_pattern = "crn://confluent.cloud/organization=${var.azure_subscription}/environment=${var.kafka_environment_id}/cloud-cluster=${var.kafka_id}/kafka=${var.kafka_id}"
}

Added alias = "cloud" and provider = confluent.cloud as per the suggestion on a similar issue (https://github.com/confluentinc/terraform-provider-confluent/issues/314). Without this I am also getting the same error.

Please do let me know if you need more information from my end.

Kind Regards, Sohail

syydsohail commented 7 months ago

crn_pattern = "crn://confluent.cloud/organization=178**/environment=env-z*/cloud-cluster=lkc-j***/kafka=lkc-j"

Even if I provide crn this way, still it is throwing same error "Error: error creating Role Binding: 403 Forbidden: Forbidden Access"

Can someone please suggest the necessary changes to avoid this?

Kind Regards, Sohail

linouk23 commented 7 months ago

@syydsohail thanks for creating the issue!

Could you confirm whether the owner (service account / user) of your Cloud API Key:

cloud_api_key = var.confluent_cloud_api_key
cloud_api_secret = var.confluent_cloud_api_secret

has OrganizationAdmin role or something?

A 403 error usually means there are insufficient permissions to perform a desired operation.

Looking at https://registry.terraform.io/providers/confluentinc/confluent/latest/docs/guides/sample-project might help too.


Thank you!

syydsohail commented 7 months ago

Hi @linouk23,

Thank you for the response. The owner of Cloud API Key is user and it has OrganizationAdmin role assigned.


Do we need any Service Account to own Cloud API Key instead of User?

Kind Regards, Sohail

linouk23 commented 7 months ago

@syydsohail thanks for sharing this screenshot!

I took another look at the issue, and I think the problem is with the value of your crn_pattern (403 is effectively 404 in this scenario):

crn_pattern = "crn://confluent.cloud/organization=${var.azure_subscription}/environment=${var.kafka_environment_id}/cloud-cluster=${var.kafka_id}/kafka=${var.kafka_id}"

You should be able to find your Confluent Organization ID on https://confluent.cloud/settings/billing/payment or via https://registry.terraform.io/providers/confluentinc/confluent/latest/docs/data-sources/confluent_organization. In other words, it's Confluent Organization ID and not Azure Subscription ID.

syydsohail commented 7 months ago

@linouk23,

Thank you for pointing out the mistake, but now I am getting the error below.

Error: error creating Role Binding: 400 Bad Request: No role CloudClusterAdmin for resource type Cluster at scope Scope(path='[organization=dae1****, environment=env-z, cloud-cluster=lkc-j', clusters='{kafka-cluster=lkc-j*****}')

Kind Regards, Sohail

linouk23 commented 7 months ago

That looks exciting @syydsohail!

Now, let's replace:

resource "confluent_role_binding" "AWS-Test-cluster-admin" {
  provider    = confluent.cloud
  principal   = "User:sa-oxxxxx"
  role_name   = "CloudClusterAdmin"
  crn_pattern = "crn://confluent.cloud/organization=${var.azure_subscription}/environment=${var.kafka_environment_id}/cloud-cluster=${var.kafka_id}/kafka=${var.kafka_id}"
}

with

data "confluent_kafka_cluster" "main" {
  provider = confluent.cloud
  id       = var.kafka_id
  environment {
    id = var.kafka_environment_id
  }
}

resource "confluent_role_binding" "AWS-Test-cluster-admin" {
  provider    = confluent.cloud
  principal   = "User:sa-oxxxxx"
  role_name   = "CloudClusterAdmin"
  crn_pattern = data.confluent_kafka_cluster.main.rbac_crn
}

to mirror the example from the docs.
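The same fix carried a step further, as an added example that is not from this thread or from the provider's own docs: the role binding takes its CRN from the `confluent_kafka_cluster` data source (so the organization segment is Confluent's own ID, never a cloud-provider subscription), and a `lifecycle` precondition refuses to plan if the CRN is not cluster-scoped, which is the shape mistake behind the 400 above. Variable names, the `cluster_rbac_crn` local and the `sa-oxxxxx` principal are assumptions carried over from the thread.

```hcl
variable "confluent_cloud_api_key" {
  type      = string
  sensitive = true # keep the key owner's credentials out of plan output
}

variable "confluent_cloud_api_secret" {
  type      = string
  sensitive = true
}

variable "kafka_environment_id" { type = string }
variable "kafka_id" { type = string }

provider "confluent" {
  alias            = "cloud"
  cloud_api_key    = var.confluent_cloud_api_key
  cloud_api_secret = var.confluent_cloud_api_secret
}

# Resolve the cluster's RBAC CRN from Confluent instead of assembling it by hand.
data "confluent_kafka_cluster" "main" {
  provider = confluent.cloud
  id       = var.kafka_id
  environment {
    id = var.kafka_environment_id
  }
}

locals {
  # Assumed local: the only value the role binding is allowed to scope to.
  cluster_rbac_crn = data.confluent_kafka_cluster.main.rbac_crn
}

resource "confluent_role_binding" "cluster_admin" {
  provider    = confluent.cloud
  principal   = "User:sa-oxxxxx" # placeholder service account ID from the thread
  role_name   = "CloudClusterAdmin"
  crn_pattern = local.cluster_rbac_crn

  lifecycle {
    # CloudClusterAdmin binds at cloud-cluster scope: organization (a UUID),
    # environment (env-...), cloud-cluster (lkc-...) and nothing after it.
    # A trailing /kafka=... segment, as in the original config, is rejected here
    # at plan time rather than by the API with a 400.
    precondition {
      condition     = can(regex("^crn://confluent\\.cloud/organization=[0-9a-f-]{36}/environment=env-[a-z0-9]+/cloud-cluster=lkc-[a-z0-9]+$", local.cluster_rbac_crn))
      error_message = "crn_pattern must be the cluster-scoped RBAC CRN (organization/environment/cloud-cluster only)."
    }
  }
}
```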

syydsohail commented 7 months ago

Hi @linouk23 ,

Thanks a lot for the suggestion, I am able to create the role binding.

Really appreciate your help and support on this one. Thank you!!

Kind Regards, Sohail