Open xSAVIKx opened 3 months ago
Hey @xSAVIKx, thanks for reporting here and sorry you had issues with the provider.
Could you please verify that your client id, secret and domain parameters are working by trying the PagerDuty API directly: https://developer.pagerduty.com/docs/e518101fde5f3-obtaining-an-app-o-auth-token#about-app-oauth-tokens
It'd be helpful to know if this is an issue with the provider handling of the parameters or the API/credentials.
It'd also be immensely helpful if you could try the Terraform provider for PagerDuty, which we use for the Pulumi provider - do the OAuth App credentials work there?
Hey @VenelinMartinov.
I can confirm that I can execute the following request from the API docs:
curl -i --request POST \
  https://identity.pagerduty.com/oauth/token \
  --header "Content-Type: application/x-www-form-urlencoded" \
  --data-urlencode "grant_type=client_credentials" \
  --data-urlencode "client_id={CLIENT_ID}" \
  --data-urlencode "client_secret={CLIENT_SECRET}" \
  --data-urlencode "scope=as_account-us.companysubdomain incidents.read services.read"
And I do get a success response:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 11 Jul 2024 12:59:40 GMT
Content-Type: application/json
Content-Length: 160
Connection: keep-alive
Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0, private, must-revalidate
content-security-policy: frame-ancestors 'none'
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: 52049af3f027b5ffd827b7aa99a455dd
X-XSS-Protection: 1; mode=block
Set-Cookie: x_pd_oauth_trace_id=F-EqD9cxe8untIQCjG_C; Expires=Thu, 11 Jul 2024 13:04:40 GMT; Max-Age=300; Domain=eu.pagerduty.com; Path=/; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
Referrer-Policy: no-referrer-when-downgrade
Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
{"access_token":"<ACCESS_TOKEN>","scope":"as_account-us.<SUBDOMAIN> services.read","token_type":"bearer","expires_in":86400}
And I also can confirm that I can use returned scoped ACCESS TOKEN to e.g. read all available services using:
curl -i --request GET \
  --url https://api.pagerduty.com/services \
  --header 'Accept: application/json' \
  --header 'Authorization: Bearer <ACCESS_TOKEN>' \
  --header 'Content-Type: application/json'
Unfortunately don't have a quick way to test terraform provider at the moment.
Thanks! Could I ask you to provide logs of the failed run? Here are instructions on how to get them: https://www.pulumi.com/docs/support/troubleshooting/#verbose-logging
Please, make sure to scrub any secrets from the logs.
@VenelinMartinov I hit the same issue. My setup is a little different but trying to accomplish the same thing. Currently have the default provider for pagerduty disabled. Creating it via code (python) like so.
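import os

import pulumi
import pulumi_pagerduty as pagerduty

# Explicit provider instance using app OAuth scoped-token credentials from the environment.
pagerduty_provider = pagerduty.Provider("pagerduty",
    use_app_oauth_scoped_token=pagerduty.ProviderUseAppOauthScopedTokenArgs(
        pd_client_id=os.environ["PAGERDUTY_CLIENT_ID"],
        pd_client_secret=os.environ["PAGERDUTY_CLIENT_SECRET"],
        pd_subdomain="vivodyne"
    ))
# Pass opts to each resource so it uses this provider rather than the default one.
opts = pulumi.ResourceOptions(provider=pagerduty_provider)
I was able to collect logs (see attached) using this command:
TF_LOG=TRACE poetry run pulumi up --logtostderr --logflow -v=10 2> out2.txt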
out2.txt
And spin up a terraform project using this very basic configuration
terraform {
  required_providers {
    pagerduty = {
      source  = "pagerduty/pagerduty"
      version = "3.15.6"
    }
  }
}
provider "pagerduty" {
  use_app_oauth_scoped_token {
    pd_client_id = "<my client id>"
    pd_subdomain = "<my subdomain>"
  }
}
resource "pagerduty_team" "team" {
  name        = "ZenderTestTeamTF"
  description = "This is a test team created using Terraform"
}
output "team_id" {
  value = pagerduty_team.team.id
}
It ran a plan and apply with no issues. Logs from that if it helps are also attached. tf-out.txt
Looking at the Pulumi log a little closer, I do see this:
I0927 11:34:09.445206 66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}>I0927 11:34:09.445191 66747 muxer.go:153] [muxer] CheckConfig results do not agree on the 'useAppOauthScopedToken' property:
<{%reset%}>)
I0927 11:34:09.445217 66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}> server 0: "{\"pdClientId\":\"<my client id>\",\"pdClientSecret\":\"<my client secret>\",\"pdSubdomain\":\"<my subdomain>\"}"
<{%reset%}>)
I0927 11:34:09.445221 66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}> server 1: "{\"pdClientId\": \"<my client id>\", \"pdClientSecret\": \"<my client secret>\", \"pdSubdomain\": \"<my subdomain>\"}"
<{%reset%}>)
but the only difference between these 2 lines is space 🤔
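An added example, not part of the thread or of the Pulumi or PagerDuty code: the two `server N:` payloads quoted above compared by decoded value rather than by bytes, together with the secret scrubbing the maintainers ask for before logs are attached. The sample lines and their values are constructed, and the list of secret keys is an assumption limited to the two fields that appear in this thread.

```python
import json
import re

# Keys treated as secret. pdClientSecret and access_token both appear in this
# thread; extend the tuple for other fields (assumption: no others are needed).
SECRET_KEYS = ("pdClientSecret", "access_token")

_SECRET_RE = re.compile(
    r'(?P<pre>\\?"(?:' + "|".join(map(re.escape, SECRET_KEYS)) + r')\\?"\s*:\s*\\?")'
    r'(?P<val>.*?)(?P<post>\\?")'
)
_PAYLOAD_RE = re.compile(r'server (\d+): (".*")')


def scrub(line: str) -> str:
    """Replace secret values in plain or backslash-escaped JSON with a marker."""
    return _SECRET_RE.sub(lambda m: m["pre"] + "[REDACTED]" + m["post"], line)


def payload(line: str):
    """Return (server index, decoded config dict) from a muxer 'server N:' line."""
    m = _PAYLOAD_RE.search(line)
    if m is None:
        return None
    # The log prints the config as a JSON string literal wrapping JSON text,
    # so it has to be decoded twice.
    return int(m.group(1)), json.loads(json.loads(m.group(2)))


def configs_agree(line_a: str, line_b: str) -> bool:
    """Compare two 'server N:' lines by decoded value, not by bytes."""
    a, b = payload(line_a), payload(line_b)
    return a is not None and b is not None and a[1] == b[1]


# Constructed sample lines in the shape quoted above; all values are made up.
SERVER0 = r'eventSink::Infoerr(<{%reset%}>    server 0: "{\"pdClientId\":\"id-123\",\"pdClientSecret\":\"s3cr3t\",\"pdSubdomain\":\"example\"}"'
SERVER1 = r'eventSink::Infoerr(<{%reset%}>    server 1: "{\"pdClientId\": \"id-123\", \"pdClientSecret\": \"s3cr3t\", \"pdSubdomain\": \"example\"}"'

if __name__ == "__main__":
    for line in (SERVER0, SERVER1):
        print(scrub(line))
    print("same config:", configs_agree(SERVER0, SERVER1))
```

Running `scrub` over the whole log file line by line before attaching it keeps the payloads parseable while removing the secret values.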
Thank you for the updates, @zender-vivodyne - we'll be taking a look as soon as we can. 🙏
Describe what happened
I'm trying to set up PagerDuty using the provider and trying to authenticate using OAuth app clientID + secret + subdomain. Unfortunately, when I try doing so I get the following error every time:
If I switch to token-based v2 auth everything works as expected.
Sample program
Pulumi.yaml:
Pulumi.pagerduty.yaml:
Log output
Diagnostics: pagerduty:index:User (devsUser): error: Cannot obtain plugin client: No valid credentials found for PagerDuty provider. Please see https://www.terraform.io/docs/providers/pagerduty/index.html for more information on providing credentials for this provider.
Affected Resource(s)
pagerduty:User
Output of pulumi about
CLI
  Version      3.122.0
  Go Version   go1.22.4
  Go Compiler  gc
Plugins
  KIND      NAME  VERSION
  language  yaml  unknown
Host
  OS       ubuntu
  Version  22.04
  Arch     x86_64
This project is written in yaml
Current Stack: CURRENT_STACK
TYPE URN