mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

401 Unauthorised when creating privatelink endpoint #2061

Closed FODavid closed 7 months ago

FODavid commented 7 months ago

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform v1.5.2
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v4.28.0
+ provider registry.terraform.io/mongodb/mongodbatlas v1.15.1

I am using a data source to get the API keys from AWS Secrets Manager and passing them to the MongoDB Atlas provider:

```hcl
data "aws_secretsmanager_secret_version" "public_key" {
  secret_id = "arn:aws:secretsmanager:us-east-1:xxxxxxxx:secret:ce/vendor/bv/mongodb-atlas/private-endpoint-terraform-xxxxxx"
}

data "aws_secretsmanager_secret_version" "private_key" {
  secret_id = "arn:aws:secretsmanager:us-east-1:xxxxxxxx:secret:ce/vendor/bv/mongodb-atlas/private-endpoint-terraform-xxxxxx"
}
```

Terraform Configuration File

```hcl
# providers.tf
terraform {
  required_version = "~> 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.28.0"
    }
    mongodbatlas = {
      source  = "mongodb/mongodbatlas"
      version = "1.15.1"
    }
  }
}

# provider blocks live at the top level, not inside the terraform block
provider "mongodbatlas" {
  public_key  = data.aws_secretsmanager_secret_version.public_key.secret_string
  private_key = data.aws_secretsmanager_secret_version.private_key.secret_string
}
```

I am getting this error when I run `terraform apply`:

Error

```text
module.mongodb_endpoint["0"].mongodbatlas_privatelink_endpoint_serverless.this[0]: Creating...
╷
│ Error: error adding MongoDB Serverless PrivateLink Endpoint Connection(): https://cloud.mongodb.com/api/atlas/v2/groups/xxxxxxx/privateEndpoint/serverless/instance/auto-provisioning-prod/endpoint POST: HTTP 401 Unauthorized (Error code: "") Detail: You are not authorized for this resource. Reason: Unauthorized. Params: []
│ 
│   with module.mongodb_endpoint["0"].mongodbatlas_privatelink_endpoint_serverless.this[0],
│   on ../../../../modules/auto-provisioning/mongodb_privatelink/endpoint/main.tf line 1, in resource "mongodbatlas_privatelink_endpoint_serverless" "this":
│    1: resource "mongodbatlas_privatelink_endpoint_serverless" "this" {
│ 
╵
```

The API key I'm using has all permissions at the Organization level and all permissions at the Project level. I tried using a curl command with the API keys and I see a successful API result.

Using it in my Terraform configuration doesn't work.

github-actions[bot] commented 7 months ago

Thanks for opening this issue! Please make sure you've followed our guidelines when opening the issue. In short, to help us reproduce the issue we need:

The ticket CLOUDP-239098 was created for internal tracking.

lantoli commented 7 months ago

Thanks @FODavid for opening the issue. I'm not sure you can reference data sources from provider info, so public_key and private_key might be empty.

Could you try to have your public and private key directly in the provider block as strings so we can verify that that is not the issue?

Are you also creating more resources? Could you share your full Terraform files (with private data elided)?

thanks.

FODavid commented 7 months ago

@lantoli

Actually, on a second look at the curl command (and I also tried this in Postman to confirm), I see two HTTP responses: the first one is HTTP 401 and the second HTTP 200 for every curl command. For Postman it returns 401, which is the same reason Terraform is throwing this error.

```shell
curl --user "private_key:public_key" --digest \
       --header "Content-Type: application/json" \
       --header "Accept: application/vnd.atlas.2023-02-01+json" \
       --include \
       --request GET "https://cloud.mongodb.com/api/atlas/v2/groups"
```

```text
HTTP/2 401 
date: Thu, 21 Mar 2024 21:03:07 GMT 
www-authenticate: Digest realm="MMS Public API", domain="", nonce="/OdZCsuNgjWgP03O1SwmgxPmZfbIc1Bq", algorithm=MD5, qop="auth", stale=false 
content-type: application/json 
content-length: 106 
x-envoy-upstream-service-time: 3 
server: mdbws 

HTTP/2 200 
date: Thu, 21 Mar 2024 21:03:07 GMT 
strict-transport-security: max-age=31536000; includeSubdomains; 
referrer-policy: strict-origin-when-cross-origin 
x-permitted-cross-domain-policies: none 
x-content-type-options: nosniff 
x-mongodb-service-version: gitHash=f1122c3771f0d06e6b736fd8b8ca51f75c698175; versionString=v20240306 
content-type: application/vnd.atlas.2023-01-01+json;charset=utf-8 
x-frame-options: DENY 
vary: Accept-Encoding 
content-length: 5052 
x-envoy-upstream-service-time: 225 
server: mdbws
```

Why are we getting a 401 and then a 200? I believe this is the issue. I get a straight 401 in Postman. I believe this is the same issue the Terraform struct is facing.

lantoli commented 7 months ago

That's expected; it's the way Digest Authentication works: first an unauthenticated request is sent, and then you have to send an authenticated one with the nonce header.

Can you please try to use strings for your keys?

thanks

FODavid commented 7 months ago

I will do that and revert.

github-actions[bot] commented 7 months ago

This issue has gone 7 days without any activity and meets the project’s definition of "stale". This will be auto-closed if there is no new activity over the next 7 days. If the issue is still relevant and active, you can simply comment with a "bump" to keep it open, or add the label "not_stale". Thanks for keeping our repository healthy!