confluentinc / terraform-provider-confluent

Terraform Provider for Confluent
Apache License 2.0

403 Forbidden Access on confluent_role_binding for environment CRN #368

Closed JeffSBailey closed 6 months ago

JeffSBailey commented 6 months ago

I'm trying to set a confluent_role_binding on a new user on an existing environment. I am using version 1.65.0.

    resource "confluent_role_binding" "admin_users" {
      for_each    = toset(var.environment_admin_users)
      role_name   = "EnvironmentAdmin"
      crn_pattern = data.confluent_environment.env.resource_name
      principal   = "User:${confluent_invitation.admin_users[each.value].id}"
    }

    Error: error creating Role Binding: 403 Forbidden: Forbidden Access

This happens when using Terraform as a service account with the OrganizationAdmin role.

linouk23 commented 6 months ago

Thanks for creating the issue @JeffSBailey!

This happens when using Terraform as a service account with the OrganizationAdmin role.

That looks a bit surprising, could you double check that your Cloud API Key belongs to a SA with OrganizationAdmin role?

provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key    # optionally use CONFLUENT_CLOUD_API_KEY env var
  cloud_api_secret = var.confluent_cloud_api_secret # optionally use CONFLUENT_CLOUD_API_SECRET env var
}

You could also send your service account ID to klinou+github@confluent.io so we can verify its roles for you.

JeffSBailey commented 6 months ago

service account ID sent

linouk23 commented 6 months ago

@JeffSBailey I believe we have identified the issue.

In short, your Cloud API Key / role binding / Service Account ID is accurate, but there's a typo in

principal = "User:${confluent_invitation.admin_users[each.value].id}"

as it results in

principal = "User:i-foobar"

instead of

principal = "User:u-foobar"

so you might want to use

principal = "User:${confluent_invitation.admin_users[each.value].user[0].id}"

instead.

Let us know if that helps!
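One way to catch this mistake before the API returns a 403, as an added example that is not part of the issue or of the provider's own code: a `precondition` on the role binding that rejects any invitation attribute that is not a user ID. It assumes the names from the original config (`var.environment_admin_users`, `data.confluent_environment.env`, `confluent_invitation.admin_users`).

```hcl
# Added example, not from the issue thread or the provider's documentation.
# Assumes the same variables, data source and invitation resource used in the
# original config.
resource "confluent_role_binding" "admin_users" {
  for_each    = toset(var.environment_admin_users)
  role_name   = "EnvironmentAdmin"
  crn_pattern = data.confluent_environment.env.resource_name

  # The invited user's ID (u-...), not the invitation's own ID (i-...).
  principal = "User:${confluent_invitation.admin_users[each.value].user[0].id}"

  lifecycle {
    # Fail with a clear message instead of a bare 403 Forbidden from the API
    # if the referenced attribute is not a user ID.
    precondition {
      condition     = can(regex("^u-", confluent_invitation.admin_users[each.value].user[0].id))
      error_message = "principal must reference a user ID (User:u-...), not an invitation ID (User:i-...)."
    }
  }
}
```

If the invitation is created in the same run, the ID is unknown at plan time and Terraform evaluates the precondition during apply, still before the role-binding request is sent.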

JeffSBailey commented 6 months ago

Wow, thanks for the tip. I see in the docs that the id I was using was the invite ID, not the user ID. Your suggestion fixed my issue. One could still argue that a 403 is not the most helpful response but I can see why it is being returned.