Closed JeffSBailey closed 6 months ago
Thanks for creating the issue @JeffSBailey!
> This happens when using terraform as service account with the OrganizationAdmin role.

That looks a bit surprising, could you double check that your Cloud API Key belongs to a SA with OrganizationAdmin role?
```hcl
provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key    # optionally use CONFLUENT_CLOUD_API_KEY env var
  cloud_api_secret = var.confluent_cloud_api_secret # optionally use CONFLUENT_CLOUD_API_SECRET env var
}
```
You could also send your service account ID to klinou+github@confluent.io so we can verify its roles for you.
service account ID sent
@JeffSBailey I believe we have identified the issue.
In short, your Cloud API Key / role binding / Service Account ID is accurate, but there's a typo in
```hcl
principal = "User:${confluent_invitation.admin_users[each.value].id}"
```
as it results in
```hcl
principal = "User:i-foobar"
```
instead of
```hcl
principal = "User:u-foobar"
```
so you might want to use
```hcl
principal = "User:${confluent_invitation.admin_users[each.value].user[0].id}"
```
instead.
Let us know if that helps!
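The corrected configuration as a complete, added example (not code from the issue or from the provider's documentation): the invitation and the role binding together, with a plan-time precondition that rejects an invitation ID ("i-...") before Terraform ever calls the API. The variable names `environment_admin_users` and `environment_id` and the `data "confluent_environment" "env"` source are assumed; `startswith` requires Terraform 1.3 or later.

```hcl
# Added example, not from the original issue. Assumes a list of admin e-mails and
# the ID of an existing environment are passed in as variables.
variable "environment_admin_users" {
  type = list(string)
}

variable "environment_id" {
  type = string
}

data "confluent_environment" "env" {
  id = var.environment_id
}

# One invitation per admin; the invited user's ID is exposed under user[0].id.
resource "confluent_invitation" "admin_users" {
  for_each = toset(var.environment_admin_users)
  email    = each.value
}

resource "confluent_role_binding" "admin_users" {
  for_each    = toset(var.environment_admin_users)
  role_name   = "EnvironmentAdmin"
  crn_pattern = data.confluent_environment.env.resource_name

  # confluent_invitation.<name>.id is the invitation ID ("i-..."), which is not a
  # valid principal; the user ID ("u-...") lives under user[0].id.
  principal = "User:${confluent_invitation.admin_users[each.value].user[0].id}"

  lifecycle {
    # Fail with a clear message instead of an opaque 403 from the role-binding API
    # if the value used as the principal is not a user ID.
    precondition {
      condition     = startswith(confluent_invitation.admin_users[each.value].user[0].id, "u-")
      error_message = "Role binding principal for ${each.value} must be a user ID (u-...), not an invitation ID (i-...)."
    }
  }
}
```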
Wow, thanks for the tip. I see in the docs that the id I was using was the invite ID, not the user ID. Your suggestion fixed my issue. One could still argue that a 403 is not the most helpful response but I can see why it is being returned.
I'm trying to set a confluent_role_binding on a new user on an existing environment. I am using version 1.65.0.
```hcl
resource "confluent_role_binding" "admin_users" {
  for_each    = toset(var.environment_admin_users)
  role_name   = "EnvironmentAdmin"
  crn_pattern = data.confluent_environment.env.resource_name
  principal   = "User:${confluent_invitation.admin_users[each.value].id}"
}
```
```
Error: error creating Role Binding: 403 Forbidden: Forbidden Access
```
This happens when using terraform as service account with the OrganizationAdmin role.