equinix / terraform-provider-equinix

Terraform Equinix provider
https://deploy.equinix.com/labs/terraform-provider-equinix/
MIT License

Project Keys Can't Manage Spot Instances #199

Open grahamc opened 3 years ago

grahamc commented 3 years ago

This is a general problem with Metal's API and how it handles authentication. However, it shows up in Terraform too.

Using a project token, I can't request https://api.equinix.com/metal/v1/spot-market-requests/*:

2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: -----------------------------------------------------
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: 2021/01/07 09:14:02 [DEBUG] Equinix Metal API Request Details:
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: ---[ REQUEST ]---------------------------------------
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: GET /metal/v1/spot-market-requests/xxx?include=project%2Cdevices%2Cfacilities HTTP/1.1
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Host: api.equinix.com
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: User-Agent: packngo/0.5.1
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Connection: close
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Accept: application/json
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Content-Type: application/json
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Auth-Token: xxx
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Consumer-Token: xxx
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Accept-Encoding: gzip
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:
2021-01-07T09:14:02.052-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: -----------------------------------------------------
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: 2021/01/07 09:14:02 [DEBUG] Equinix Metal API Response Details:
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: ---[ RESPONSE ]--------------------------------------
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: HTTP/1.1 403 Forbidden
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Connection: close
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Cache-Control: no-cache
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Content-Type: application/json; charset=utf-8
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Date: Thu, 07 Jan 2021 14:14:02 GMT
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Server: nginx/1.19.0
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Set-Cookie: ak_bmsc=xxx; expires=Thu, 07 Jan 2021 16:14:02 GMT; max-age=7200; path=/; domain=.equinix.com; HttpOnly
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Strict-Transport-Security: max-age=15724800; includeSubDomains
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Vary: Accept-Encoding
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Request-Id: 954ff24982214dbc22f7dbdfc3835b68
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:
2021-01-07T09:14:02.270-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: {
2021-01-07T09:14:02.271-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:  "errors": [
2021-01-07T09:14:02.271-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:   "Access denied for the current authentication token"
2021-01-07T09:14:02.271-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:  ]
2021-01-07T09:14:02.271-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: }

As a related issue, the debug log for this provider doesn't print the debug request logs errors in a way which correlates requests to responses. Here is an example:

2021-01-07T09:14:02.311-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: -----------------------------------------------------
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: 2021/01/07 09:14:02 [DEBUG] GET https://api.equinix.com/metal/v1/devices/2225ea4e-5975-4fbd-992d-32ebc7141286?include=project%2Cfacility
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: 2021/01/07 09:14:02 [DEBUG] Equinix Metal API Request Details:
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: ---[ REQUEST ]---------------------------------------
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: GET /metal/v1/devices/2225ea4e-5975-4fbd-992d-32ebc7141286?include=project%2Cfacility HTTP/1.1
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Host: api.equinix.com
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: User-Agent: packngo/0.5.1
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Connection: close
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Accept: application/json
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Content-Type: application/json
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Auth-Token: xxx
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Consumer-Token: xxx
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Accept-Encoding: gzip
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:
2021-01-07T09:14:02.315-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: -----------------------------------------------------
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: 2021/01/07 09:14:02 [DEBUG] Equinix Metal API Response Details:
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: ---[ RESPONSE ]--------------------------------------
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: HTTP/1.1 403 Forbidden
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Connection: close
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Cache-Control: no-cache
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Content-Type: application/json; charset=utf-8
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Date: Thu, 07 Jan 2021 14:14:02 GMT
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Server: nginx/1.19.0
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Set-Cookie: ak_bmsc=xxx; expires=Thu, 07 Jan 2021 16:14:02 GMT; max-age=7200; path=/; domain=.equinix.com; HttpOnly
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Strict-Transport-Security: max-age=15724800; includeSubDomains
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: Vary: Accept-Encoding
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: X-Request-Id: 1577e21c2b6d88a9e1bfd1027ac5e7e6
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: {
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:  "errors": [
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:   "Access denied for the current authentication token"
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0:  ]
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: }
2021-01-07T09:14:02.417-0500 [DEBUG] plugin.terraform-provider-metal_v1.0.0: -----------------------------------------------------

However, this request does work; it is just that the printing happened to interlace two different requests.

Terraform Version

Terraform v0.12.29 with this provider at v1.0.0.

Affected Resource(s)

Please list the resources as a list, for example:

and probably others like SSH keys.

Terraform Configuration Files

resource "metal_spot_market_request" "request" {
  project_id    = var.project_id
  max_bid_price = "1.0"
  facilities    = ["ams1", "sjc1", "dfw2", "nrt1", "ewr1"]
  devices_min   = 1
  devices_max   = 1

  instance_parameters {
    hostname         = "example"
    billing_cycle    = "hourly"
    operating_system = "custom_ipxe"
    always_pxe       = true
    plan             = "c1.large.arm"
    ipxe_script_url  = "https://netboot.gsc.io/hydra-aarch64-linux/netboot.ipxe"
    project_ssh_keys = []
    user_ssh_keys    = []
  }
}

Expected Behavior

Project keys should be allowed to manage a project's resources.

Actual Behavior

I get inscrutable error messages:

Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token
Error: Access denied for the current authentication token

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

displague commented 3 years ago

Thanks, @grahamc.

The capabilities of the project API keys are definitely inferior to those offered by user API keys. There are some internal tickets to improve their capabilities and the documentation about capability parity.

The logging output could be improved too; I've also experienced the mix of requests and responses. Some request-specific identifier log message prefix could be helpful.
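
One way to implement the request-specific log prefix suggested in the comment above, as an added example that is not part of the thread and not the provider's or packngo's code: a Go `http.RoundTripper` wrapper that numbers each API call, tags every dump line with that number, and masks the credential headers visible in the log. The names `correlatingTransport` and `tagLines` and the `[req NNNN]` format are assumptions.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"regexp"
	"strings"
	"sync/atomic"
)

// Credential-bearing headers seen in the debug log above (plus Set-Cookie).
var secretHeader = regexp.MustCompile(`(?im)^(x-auth-token|x-consumer-token|set-cookie):.*$`)

// tagLines masks credential values and prefixes every line with the call number.
func tagLines(id uint64, kind string, dump []byte) string {
	clean := secretHeader.ReplaceAllString(string(dump), "$1: [REDACTED]")
	var b strings.Builder
	for _, line := range strings.Split(strings.TrimRight(clean, "\r\n"), "\n") {
		fmt.Fprintf(&b, "[req %04d] %-8s| %s\n", id, kind, strings.TrimRight(line, "\r"))
	}
	return b.String()
}

// correlatingTransport (hypothetical name) numbers calls; one Print = one atomic write.
type correlatingTransport struct {
	seq    uint64 // first field: keeps 64-bit alignment for sync/atomic
	next   func(*http.Request) (*http.Response, error)
	logger *log.Logger // log.Logger serialises concurrent writers
}

func (t *correlatingTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	id := atomic.AddUint64(&t.seq, 1)
	reqDump, _ := httputil.DumpRequestOut(req, false) // headers only
	t.logger.Print(tagLines(id, "REQUEST", reqDump))
	resp, err := t.next(req)
	if err != nil {
		t.logger.Print(tagLines(id, "ERROR", []byte(err.Error())))
		return nil, err
	}
	respDump, _ := httputil.DumpResponse(resp, true) // body is restored for the caller
	t.logger.Print(tagLines(id, "RESPONSE", respDump))
	return resp, nil
}

func main() { // offline demo on a constructed dump
	fmt.Print(tagLines(1, "REQUEST", []byte("GET /x HTTP/1.1\r\nX-Auth-Token: constructed\r\n\r\n")))
}
```

To use it, set it as the `Transport` of the `http.Client` that makes the API calls, with `next` set to `http.DefaultTransport.RoundTrip`. Sorting or filtering the log on the `[req NNNN]` tag then regroups calls whose output was interleaved.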

displague commented 3 years ago

@grahamc Were you able to create the SMR with the project API key and then you couldn't fetch the same SMR with that key? Or are you only looking for project API keys to have read access to SMR resources? (I'm wondering if this is a bug report, create but no read, or a feature request for read and write).