hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

[Bug] Retrieving RAM shared `aws_acmpca_certificate_authority` data source returns an error due to missing permission on `GetCertificateAuthorityCsr` #26868

Open chuajiesheng opened 2 years ago

chuajiesheng commented 2 years ago

Terraform Core Version

1.2.9

AWS Provider Version

4.31.0

Affected Resource(s)

Affected data source: aws_acmpca_certificate_authority. The resource is shared with me via RAM. The resource owner shared the resource using AWSRAMDefaultPermissionCertificateAuthority.

Expected Behavior

The data source should be populated without the certificate_signing_request attribute. The attribute is not required for issuing certificates.

Actual Behavior

An error is returned, as the ACM PCA CA is shared without the GetCertificateAuthorityCsr permission.

Relevant Error/Panic Output Snippet

│ Error: error reading ACM PCA Certificate Authority Certificate Signing Request: AccessDeniedException: User: arn:aws:sts::<my_account_id>:assumed-role/<RoleNameHere>/<id> is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: arn:aws:acm-pca:ap-southeast-1:<resource_owner_account_id>:certificate-authority/<id> because no resource-based policy allows the acm-pca:GetCertificateAuthorityCsr action
│   status code: 400, request id: xxx-xxx-xxx-xxx-xxx
│ 
│   with data.aws_acmpca_certificate_authority.intermediate_pca,
│   on main.tf line 60, in data "aws_acmpca_certificate_authority" "intermediate_pca":
│   60: data "aws_acmpca_certificate_authority" "intermediate_pca" {
│ 

Terraform Configuration Files

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
}

provider "aws" {
  region = "ap-southeast-1"
  default_tags {
  }
}

Steps to Reproduce

data "aws_acmpca_certificate_authority" "intermediate_pca" {
  arn = "arn:aws:acm-pca:ap-southeast-1:<resource_owner_account_id>:certificate-authority/<id>"
}

Debug Output

No response

Panic Output

No response

Important Factoids

How we create the CA chains and share the CA:

Account 1 contains a root ACM PCA CA. Account 2 contains an intermediate ACM PCA CA signed by the Account 1 root ACM PCA CA. Account 2 shares its ACM PCA CA with Account 3 via RAM. Account 3 attempts to read the ACM PCA CA via ARN and gets an error.

How we access our accounts:

Account 0 contains all the users. When we want to access Account 3 to provision the resource, we use a role created in Account 3 that has a trust relationship with Account 0.

References

No response

Would you like to implement a fix?

No response

github-actions[bot] commented 2 years ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

chuajiesheng commented 2 years ago

I am interested in working on this issue.

chuajiesheng commented 2 years ago

I would like to get some guidance on this. Is there any existing pattern in other data sources where similar things happen? This happens when the caller tries to retrieve a data source for an ACM PCA CA which is not owned by the caller's account. The attribute certificate_signing_request is not available, as it is not part of the permissions granted when sharing the resource.

Would it be sufficient to not set the attribute in such a situation? Or should the caller be warned?

Debug logs:

2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: [DEBUG] Reading ACM PCA Certificate Authority Certificate Signing Request: {
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5:   CertificateAuthorityArn: "arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid>"
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: }
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: [DEBUG] [aws-sdk-go] DEBUG: Request acm-pca/GetCertificateAuthorityCsr Details:
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: ---[ REQUEST POST-SIGN ]-----------------------------
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: POST / HTTP/1.1
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: Host: acm-pca.ap-southeast-1.amazonaws.com
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: User-Agent: APN/1.0 HashiCorp/1.0 Terraform/1.3.0 (+https://www.terraform.io) terraform-provider-aws/dev (+https://registry.terraform.io/providers/hashicorp/aws) aws-sdk-go/1.44.139 (go1.19.2; darwin; amd64)
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: Content-Length: 132
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: Authorization: AWS4-HMAC-SHA256 Credential=<access_key>/20221118/ap-southeast-1/acm-pca/aws4_request, SignedHeaders=content-length;content-type;host;x-amz-date;x-amz-security-token;x-amz-target, Signature=<signature>
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: Content-Type: application/x-amz-json-1.1
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: X-Amz-Date: 20221118T111147Z
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: X-Amz-Security-Token: <token>
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: X-Amz-Target: ACMPrivateCA.GetCertificateAuthorityCsr
2022-11-18T19:11:47.352+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: Accept-Encoding: gzip
2022-11-18T19:11:47.353+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: 
2022-11-18T19:11:47.353+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: {"CertificateAuthorityArn":"arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid>"}
2022-11-18T19:11:47.353+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: -----------------------------------------------------
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: [DEBUG] [aws-sdk-go] DEBUG: Response acm-pca/GetCertificateAuthorityCsr Details:
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: ---[ RESPONSE ]--------------------------------------
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: HTTP/2.0 400 Bad Request
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: Content-Length: 407
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: Content-Type: application/x-amz-json-1.1
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: Date: Fri, 18 Nov 2022 11:11:47 GMT
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: X-Amzn-Requestid: <request_id>
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: 
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: 
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: -----------------------------------------------------
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: [DEBUG] [aws-sdk-go] {"__type":"AccessDeniedException","Message":"User: arn:aws:sts::<sts_account_id>:assumed-role/<role_name>/<role_id> is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid> because no resource-based policy allows the acm-pca:GetCertificateAuthorityCsr action"}
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5: [DEBUG] [aws-sdk-go] DEBUG: Validate Response acm-pca/GetCertificateAuthorityCsr failed, attempt 0/25, error AccessDeniedException: User: arn:aws:sts::<sts_account_id>:assumed-role/<role_name>/<role_id> is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid> because no resource-based policy allows the acm-pca:GetCertificateAuthorityCsr action
2022-11-18T19:11:47.433+0800 [DEBUG] provider.terraform-provider-aws_v4.40.0_x5:    status code: 400, request id: <request_id>
2022-11-18T19:11:47.433+0800 [ERROR] provider.terraform-provider-aws_v4.40.0_x5: Response contains error diagnostic: diagnostic_severity=ERROR diagnostic_summary="reading ACM PCA Certificate Authority Certificate Signing Request: AccessDeniedException: User: arn:aws:sts::<sts_account_id>:assumed-role/<role_name>/<role_id> is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid> because no resource-based policy allows the acm-pca:GetCertificateAuthorityCsr action
    status code: 400, request id: <request_id>" tf_proto_version=5.3 tf_req_id=aff78e9b-bd9a-ab18-6702-f3feb04f109d @module=sdk.proto diagnostic_detail= tf_data_source_type=aws_acmpca_certificate_authority tf_provider_addr=registry.terraform.io/hashicorp/aws tf_rpc=ReadDataSource @caller=github.com/hashicorp/terraform-plugin-go@v0.14.1/tfprotov5/internal/diag/diagnostics.go:55 timestamp=2022-11-18T19:11:47.433+0800
2022-11-18T19:11:47.434+0800 [ERROR] vertex "data.aws_acmpca_certificate_authority.this" error: reading ACM PCA Certificate Authority Certificate Signing Request: AccessDeniedException: User: arn:aws:sts::<sts_account_id>:assumed-role/<role_name>/<role_id> is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid> because no resource-based policy allows the acm-pca:GetCertificateAuthorityCsr action
    status code: 400, request id: <request_id>
2022-11-18T19:11:47.435+0800 [ERROR] vertex "data.aws_acmpca_certificate_authority.this" error: reading ACM PCA Certificate Authority Certificate Signing Request: AccessDeniedException: User: arn:aws:sts::<sts_account_id>:assumed-role/<role_name>/<role_id> is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid> because no resource-based policy allows the acm-pca:GetCertificateAuthorityCsr action
    status code: 400, request id: <request_id>
2022-11-18T19:11:47.435+0800 [ERROR] vertex "data.aws_acmpca_certificate_authority.this (expand)" error: reading ACM PCA Certificate Authority Certificate Signing Request: AccessDeniedException: User: arn:aws:sts::<sts_account_id>:assumed-role/<role_name>/<role_id> is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid> because no resource-based policy allows the acm-pca:GetCertificateAuthorityCsr action
    status code: 400, request id: <request_id>
2022-11-18T19:11:47.435+0800 [INFO]  backend/local: plan operation completed
╷
│ Error: reading ACM PCA Certificate Authority Certificate Signing Request: AccessDeniedException: User: arn:aws:sts::<sts_account_id>:assumed-role/<role_name>/<role_id> is not authorized to perform: acm-pca:GetCertificateAuthorityCsr on resource: arn:aws:acm-pca:ap-southeast-1:<account_id>:certificate-authority/<uuid> because no resource-based policy allows the acm-pca:GetCertificateAuthorityCsr action
│   status code: 400, request id: <request_id>
│ 
│   with data.aws_acmpca_certificate_authority.this,
│   on main.tf line 14, in data "aws_acmpca_certificate_authority" "this":
│   14: data "aws_acmpca_certificate_authority" "this" {
│ 
╵
2022-11-18T19:11:47.439+0800 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2022-11-18T19:11:47.451+0800 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/4.40.0/darwin_amd64/terraform-provider-aws_v4.40.0_x5 pid=18252
2022-11-18T19:11:47.451+0800 [DEBUG] provider: plugin exited
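One way to handle the situation described in the comment above (leave the attribute unset and warn when the CSR call is denied on a CA that another account shared via RAM), as an added Go example that is not the provider's own code: the two ACM PCA calls sit behind an interface and a stand-in error type replaces the AWS SDK, so pcaClient, apiError, readCA, CAReadResult and accountFromARN are assumed names. The owner account is taken from the CA ARN and compared with the caller's account, so a denied CSR read on the caller's own CA still fails (that is a genuine IAM problem), while a denied read on a shared CA becomes a warning.

```go
package main

import (
	"fmt"
	"strings"
)

// apiError stands in for the SDK's awserr.Error in this stdlib-only example.
type apiError struct{ Code, Message string }
func (e *apiError) Error() string { return e.Code + ": " + e.Message }

// pcaClient models the two ACM PCA calls the data source read performs.
type pcaClient interface {
	DescribeCertificateAuthority(arn string) (map[string]string, error)
	GetCertificateAuthorityCsr(arn string) (string, error)
}

// accountFromARN returns the account field of an ARN ("" if malformed).
func accountFromARN(arn string) string {
	if p := strings.Split(arn, ":"); len(p) >= 6 && p[0] == "arn" {
		return p[4]
	}
	return ""
}

// CAReadResult is what the data source would set; Warning replaces CSR when it was skipped.
type CAReadResult struct {
	Attrs        map[string]string
	CSR, Warning string
}

// readCA describes the CA, then fetches its CSR. AccessDeniedException on the CSR call for a CA
// owned by another account (RAM-shared) becomes a warning with the attribute unset; own-account errors still fail.
func readCA(c pcaClient, arn, callerAccount string) (*CAReadResult, error) {
	attrs, err := c.DescribeCertificateAuthority(arn)
	if err != nil {
		return nil, fmt.Errorf("reading ACM PCA Certificate Authority: %w", err)
	}
	owner := accountFromARN(arn)
	csr, err := c.GetCertificateAuthorityCsr(arn)
	if ae, ok := err.(*apiError); ok && ae.Code == "AccessDeniedException" && owner != "" && owner != callerAccount {
		w := fmt.Sprintf("certificate_signing_request not set: CA is shared from account %s without acm-pca:GetCertificateAuthorityCsr", owner)
		return &CAReadResult{Attrs: attrs, Warning: w}, nil
	}
	if err != nil {
		return nil, fmt.Errorf("reading ACM PCA Certificate Authority Certificate Signing Request: %w", err)
	}
	return &CAReadResult{Attrs: attrs, CSR: csr}, nil
}
```

The caller account would come from STS GetCallerIdentity in a real provider; here it is passed in so the decision logic can be tested with a fake client.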

ecoupal-believe commented 1 year ago

Is there any workaround? Any idea when it's gonna be fixed?

chuajiesheng commented 1 year ago

> Is there any workaround? Any idea when it's gonna be fixed?

There is no workaround that I know of. There is a PR raised. Need to wait on the maintainers it seems.

greg-anetac commented 2 weeks ago

My colleague posted a PR with the fix 2 weeks ago. Could we get some attention on it please?

greg-anetac commented 3 days ago

@nwsparks @chuajiesheng @gh-rayner please add a like to this PR to get the maintainer's attention for merging the fix