Closed fanick closed 6 days ago
Hi @fanick! IIUC, you are trying to create a confluent_business_metadata_binding and encountered a 403 issue.
I see that you are trying to use a principal with only a DeveloperRead rolebinding to create business metadata (aka call POST /catalog/v1/entity/businessmetadata/). However, the access is insufficient to perform such an action: https://docs.confluent.io/cloud/current/stream-governance/stream-catalog.html#access-control-rbac-for-sg-catalog
Please let us know if there is anything we can help with further.
Hi @cryoshida
1- cloud API key and secret are associated with the service account
2- SR API and key are associated with the same service account
3- the service account has the OrganizationAdmin role
I'm able to create metadata binding and tags binding on a schema with the default context, e.g. idea.ttfe.fluxsimule.pubsub.dev-value
When I add the context to the schema like this: :.mycontext:iidea.ttfe.fluxsimule.pubsub.dev-value I got this error
r creating Business Metadata Binding 403 Forbidden: User is denied operation POST on resource catalog/v1/entity/businessmetadata/
╷
│ Error: error creating Business Metadata Binding 403 Forbidden: User is denied operation POST on resource catalog/v1/entity/businessmetadata/
│
│   with module.module_client_schema_metadata[":.mycontext:idea.ttfe.fluxsimule.pubsub.dev2-value"].confluent_business_metadata_binding.main,
│   on modules/schema_metadata/main.tf line 33, in resource "confluent_business_metadata_binding" "main":
│   33: resource "confluent_business_metadata_binding" "main" {
I invite you to file a support case with Confluent Support, so that your organization's logs and service account/roles can be analyzed further.
Closing issue.
I get this error when I try to create a confluent_business_metadata_binding of a schema with context
The following problems may be the cause of any confusing errors from downstream operations:
.crn_pattern: was cty.StringVal("crn://confluent.cloud/organization=8ac73ccb-5024-47af-aeec-7bb78b4d1300/environment=env-gny55r/schema-registry=lsrc-z3pp5y/subject=:.idea.ttfe.dev:idea.ttfe.fluxsimule.pubsub.dev-value"), but now cty.StringVal("crn://confluent.cloud/organization=8ac73ccb-5024-47af-aeec-7bb78b4d1300/environment=env-gny55r/schema-registry=lsrc-z3pp5y/subject=%3A.idea.ttfe.dev%3Aidea.ttfe.fluxsimule.pubsub.dev-value")
module.module_confluent_pools_rbac["schema_subject-idea-ttfe-fluxsimule-dev-iac-DeveloperRead-:.idea.ttfe.dev:idea.ttfe.fluxsimule.pubsub.dev-value"].confluent_role_binding.rbac: Creation complete after 1m31s [id=rb-e54gYl]
╷
│ Error: error creating Business Metadata Binding 403 Forbidden: User is denied operation POST on resource catalog/v1/entity/businessmetadata/
│
│   with module.module_client_schema_metadata[":.idea.ttfe.dev:idea.ttfe.fluxsimule.pubsub.dev-value"].confluent_business_metadata_binding.main,
│   on modules/schema_metadata/main.tf line 33, in resource "confluent_business_metadata_binding" "main":
│   33: resource "confluent_business_metadata_binding" "main" {
│
╵
2024-11-14T21:34:07.855Z [INFO] provider: plugin process exited: plugin=.terraform/providers/registry.terraform.io/confluentinc/confluent/2.9.0/linux_amd64/terraform-provider-confluent_2.9.0 id=143
Version: terraform-provider-confluent_2.9.0
Please replace "%3A" with ":" in the subject name for the terraform provider
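
An added example, not part of the thread or of the provider's code: a Python check that parses the two crn_pattern values from the Terraform message above, confirms they decode to the same subject, and splits the context from the subject name. The function names are hypothetical, and it assumes CRN values contain no literal "/" and that context-qualified subjects have the form `:.<context>:<name>`.

```python
from urllib.parse import unquote

# The two crn_pattern values from the Terraform message in this thread.
BASE = ("crn://confluent.cloud/organization=8ac73ccb-5024-47af-aeec-7bb78b4d1300"
        "/environment=env-gny55r/schema-registry=lsrc-z3pp5y/subject=")
RAW = BASE + ":.idea.ttfe.dev:idea.ttfe.fluxsimule.pubsub.dev-value"
ENCODED = BASE + "%3A.idea.ttfe.dev%3Aidea.ttfe.fluxsimule.pubsub.dev-value"


def parse_crn(crn):
    """Return the CRN's key=value segments with percent-encoding removed."""
    prefix = "crn://"
    if not crn.startswith(prefix):
        raise ValueError(f"not a CRN: {crn!r}")
    authority, _, path = crn[len(prefix):].partition("/")
    segments = {"authority": authority}
    for part in path.split("/"):  # assumption: values hold no literal "/"
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {part!r}")
        segments[key] = unquote(value)
    return segments


def differs_only_by_encoding(a, b):
    """True when two CRN strings differ textually but decode to the same resource."""
    return a != b and parse_crn(a) == parse_crn(b)


def split_subject(subject):
    """Split ':.<context>:<name>' into (context, name); context is None if unqualified."""
    if subject.startswith(":."):
        context, sep, name = subject[1:].partition(":")
        if sep and name:
            return context, name
    return None, subject


if __name__ == "__main__":
    for label, crn in (("raw", RAW), ("encoded", ENCODED)):
        print(label, split_subject(parse_crn(crn)["subject"]))
    print("encoding-only difference:", differs_only_by_encoding(RAW, ENCODED))
```

Running the same comparison over the crn_pattern of each role binding and the subject passed to the metadata binding shows whether both refer to the same context-qualified subject.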