confluentinc / terraform-provider-confluent

Terraform Provider for Confluent
Apache License 2.0

Error validating Schema: error sending validation request: 401 Unauthorized with Service Account with EnvironmentAdmin role #406

Closed AlexisDaciuk closed 3 months ago

AlexisDaciuk commented 3 months ago

Hi,

Info

Terragrunt: 0.58.10
Terraform: 1.9.3
Confluent Provider: 1.81.0
Cluster type: Basic
Cloud Provider: AWS
Region: us-east-1
Environment Stream Governance Package: Essentials
Environment Stream Governance Cloud Provider: AWS
Environment Stream Governance Region: us-east-1

We are working towards creating all of our Confluent infrastructure with Terragrunt and Terraform, but I'm getting a 401 error when trying to create Avro schemas.

The Terraform module creating the resources has the following code. I use a map as an input to create N schemas, but the credentials are the same for every schema in the environment.

resource "confluent_schema" "this" {
  for_each = var.SCHEMA_DATA

  rest_endpoint      = each.value["SCHEMA_REGISTRY_REST_ENDPOINT"]
  subject_name       = each.value["NAME"]
  format             = each.value["FORMAT"]
  schema             = each.value["SCHEMA_DEFINITION"]
  hard_delete        = each.value["HARD_DELETE"]
  recreate_on_update = each.value["RECREATE_ON_UPDATE"]

  schema_registry_cluster {
    id = each.value["SCHEMA_REGISTRY_ID"]
  }

  credentials {
    key    = var.SCHEMA_REGISTRY_API_KEY
    secret = var.SCHEMA_REGISTRY_API_SECRET
  }

  lifecycle {
    prevent_destroy = true
  }
}

Those credentials have the EnvironmentAdmin role in the Environment where this Cluster and Schema Registry are running, and the CloudClusterAdmin role in the Cluster that is running in that Environment.

The terragrunt output is

╷
│ Error: error validating Schema: error sending validation request: 401 Unauthorized: Unauthorized
│ 
│   with confluent_schema.this["schema_name_1"],
│   on resource_schemas.tf line 1, in resource "confluent_schema" "this":
│    1: resource "confluent_schema" "this" {
│ 
╵
╷
│ Error: error validating Schema: error sending validation request: 401 Unauthorized: Unauthorized
│ 
│   with confluent_schema.this["schema_name_2"],
│   on resource_schemas.tf line 1, in resource "confluent_schema" "this":
│    1: resource "confluent_schema" "this" {
│ 
╵

As far as I understand, the user with both roles should be able to create a Schema. Am I missing something?

Thanks,
Alex

linouk23 commented 3 months ago

Thanks for creating the issue @AlexisDaciuk!

Given that you are seeing a 401 error, could you verify that your SR API Keys are valid:

  credentials {
    key    = var.SCHEMA_REGISTRY_API_KEY
    secret = var.SCHEMA_REGISTRY_API_SECRET
  }

For example, you could try sending a List supported schema types API request using your SR API Keys:

curl --request GET \
  --url https://psrc-00000.region.provider.confluent.cloud/schemas/types \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'

where REPLACE_BASIC_AUTH could be generated via

$ echo -n "{SR_API_KEY}:{SR_API_SECRET}" | base64

See more details in the Authentication section.

AlexisDaciuk commented 3 months ago

Hi,

Thanks for the fast response

Now I see my mistake: I thought that the same API Key used for the Cluster was valid for the Schema Registry, but I see that those are two different API Keys.

Now I created another API Key with the Schema Registry as the Resource ID and it worked.

Thanks
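
The key check suggested in this thread, written as a preflight script (an added example, not code from the thread or from the provider). The function names and the SR_URL, SR_API_KEY and SR_API_SECRET variable names are assumptions; the 401 reading follows the resolution above, and the 403 reading is general HTTP semantics rather than something confirmed in the thread.

```shell
#!/bin/sh
# Added example: preflight check for a Schema Registry (SR) API key.
# SR_URL, SR_API_KEY and SR_API_SECRET are assumed environment variable names.

# Build the Basic auth value for key ($1) and secret ($2). printf is a shell
# builtin, so the secret never appears in the process list. tr removes the
# line wrap GNU base64 inserts after 76 output characters, which would
# otherwise corrupt the header for a long key:secret pair.
sr_basic_auth() {
  printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Map the HTTP status of GET /schemas/types to a likely cause.
sr_explain_status() {
  case "$1" in
    200) echo "ok: key authenticates against this Schema Registry" ;;
    401) echo "unauthenticated: wrong key/secret, or a key issued for another resource such as the Kafka cluster" ;;
    403) echo "forbidden: key authenticates, so review the owner's role bindings" ;;
    000) echo "no response: check the endpoint URL and network path" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Send the request: $1 = SR REST endpoint, $2 = key, $3 = secret.
# The header is fed on stdin (-H @-, curl >= 7.55.0) instead of being passed
# as an argument, which keeps the credential out of curl's argv.
sr_check_key() {
  sr_status=$(printf 'Authorization: Basic %s\n' "$(sr_basic_auth "$2" "$3")" |
    curl -sS -o /dev/null -w '%{http_code}' --max-time 10 -H @- \
      "${1%/}/schemas/types") || sr_status=000
  sr_explain_status "$sr_status"
  [ "$sr_status" = 200 ]
}

# Runs only when the endpoint variable is set, e.g. as a CI step before
# `terragrunt apply`; a non-200 result makes the step fail.
if [ -n "${SR_URL:-}" ]; then
  sr_check_key "$SR_URL" "$SR_API_KEY" "$SR_API_SECRET"
fi
```

A 401 from this check with a key that works against the Kafka cluster points to the situation resolved above: the key was created for a different resource than the Schema Registry.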