okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

data "okta_user" requires more than read permissions #1541

Closed HoodChuang closed 1 year ago

HoodChuang commented 1 year ago

Community Note

Terraform Version

terraform -v
Terraform v1.3.4
on darwin_arm64

Affected Resource(s)

Terraform Configuration Files


data "okta_user" "example" {
  user_id = "00u1ipajktzXSsQtq5d7"
}

Debug Output

Error: failed to set user's roles: failed to get roles: the API returned an error: You do not have permission to perform the requested action
│
│   with module.xyz.data.okta_user.example,
│   on ../modules/abc/edf.tf line 19, in data "okta_user" "example":
│   19: data "okta_user" "example" {

Panic Output

N/A

Expected Behavior

The token used has read permission to the users API, but it failed in the terraform code. okta_user just retrieves the user from Okta, so I'm not sure why the error message says "failed to set user's role". What is it doing beyond just retrieving the user?

In addition, the following curl command returns the user info, which verifies that the token has read permission:

curl \
  -H "Authorization: SSWS *****" \
  -H "Accept: application/json" \
  -X GET "https://something.okta.com/api/v1/users/00u1ipajktzXSsQtq5d7"

Can this be done in the Admin UI?

Yes, but I would like to use terraform to manage it

Can this be done in the actual API call?

Yes

Actual Behavior

Steps to Reproduce

  1. terraform init
  2. terraform plan

monde commented 1 year ago

UPDATE: disregard the code references, master branch is v4.0.0

Hi @HoodChuang , the error is misleading. What is going on is the provider is unable to do a GET /api/v1/users/%v/roles to find the roles for the user, and then set those roles on the data source for reading.

https://github.com/okta/terraform-provider-okta/blob/master/okta/data_source_okta_user.go#L119-L121

Can you try using the skip_roles argument and see what happens? https://registry.terraform.io/providers/okta/okta/latest/docs/data-sources/user
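The workaround described above, as an added configuration example that is not part of the issue thread or the provider's own documentation. It assumes `skip_roles` is a boolean argument of the `okta_user` data source (as linked above) and that the data source exposes a `login` attribute; the user ID is the one from the report.

```hcl
# Added example (not from the issue). The token used here only has read access to
# the Users API. Before provider v4.0.0 the okta_user data source additionally
# called GET /api/v1/users/{id}/roles, which needs further admin permissions and
# produced the misleading "failed to set user's roles" error for a read-only token.
# skip_roles = true (assumed boolean argument) makes the data source skip that
# call, so the token can stay least-privilege.
data "okta_user" "example" {
  user_id    = "00u1ipajktzXSsQtq5d7"
  skip_roles = true
}

# Only attributes returned by GET /api/v1/users/{id} are consumed, so no role
# lookup is required. `login` is assumed to be an exposed attribute.
output "example_user_login" {
  value = data.okta_user.example.login
}
```

With provider v4.0.0 and later the data source no longer lists roles at all, so the same read-only token works without `skip_roles`.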

monde commented 1 year ago

Actually, @duytiennguyen-okta pointed out that listing roles has been removed from the user data source and resources in v4.0.0 of the TF provider that was just released. I'm seeing that we don't have a data source equivalent to the resource user_admin_roles. I will add this to our backlog.

monde commented 1 year ago

Okta internal reference https://oktainc.atlassian.net/browse/OKTA-606421

HoodChuang commented 1 year ago

Thank you! that is very helpful.


github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.