scaleway / terraform-provider-scaleway

Terraform Scaleway provider
https://www.terraform.io/docs/providers/scaleway/
Mozilla Public License 2.0

Can't create a Kubernetes cluster : insufficient permissions #591

Closed nlamirault closed 4 years ago

nlamirault commented 4 years ago

Community Note

Terraform Version

0.13.2

Affected Resource(s)

scaleway_k8s_cluster_beta

Terraform Configuration Files

# Copy-paste the minimal (if possible) terraform configuration to reproduce the bug here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "scaleway_k8s_cluster_beta" "main" {
  name              = var.name
  region            = var.region
  description       = format("%s. Created by Terraform", var.description)
  version           = var.k8s_version
  cni               = var.cni
  enable_dashboard  = var.enable_dashboard
  ingress           = var.ingress
  tags              = var.tags
  feature_gates     = var.feature_gates
  admission_plugins = var.admission_plugins

  dynamic "autoscaler_config" {
    for_each = var.enable_cluster_autoscaler ? [1] : []

    content {
      disable_scale_down              = var.disable_scale_down
      scale_down_delay_after_add      = var.scale_down_delay_after_add
      scale_down_unneeded_time        = var.scale_down_unneeded_time
      estimator                       = var.estimator
      expander                        = var.expander
      ignore_daemonsets_utilization   = var.ignore_daemonsets_utilization
      balance_similar_node_groups     = var.balance_similar_node_groups
      expendable_pods_priority_cutoff = var.expendable_pods_priority_cutoff
    }
  }

  dynamic "auto_upgrade" {
    for_each = var.enable_auto_upgrade ? [1] : []

    content {
      enable                        = var.enable_auto_upgrade
      maintenance_window_start_hour = var.maintenance_window_start_hour
      maintenance_window_day        = var.maintenance_window_day
    }
  }

}

$ export SCW_ACCESS_KEY="..."
$ export SCW_SECRET_KEY="..."
$ export SCW_DEFAULT_ORGANIZATION_ID="..."

Debug Output

2020-10-03T17:21:27.894+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: {"organization_id":"xxxxxxxxxxxxxxx","name":"jarvis-kapsule","description":"Jarvis on Kubernetes. Created by Terraform","tags":["terraform","jarvis"],"version":"1.18.9","cni":"cilium","enable_dashboard":false,"ingress":"nginx","pools":null,"autoscaler_config":{"scale_down_disabled":null,"scale_down_delay_after_add":"5m","estimator":"binpacking","expander":"random","ignore_daemonsets_utilization":true,"balance_similar_node_groups":null,"expendable_pods_priority_cutoff":-10,"scale_down_unneeded_time":"10m"},"auto_upgrade":{"enable":true,"maintenance_window":{"start_hour":4,"day":"monday"}},"feature_gates":null,"admission_plugins":null}
2020-10-03T17:21:27.895+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: ---------------------------------------------------------
2020-10-03T17:21:27.895+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: 2020/10/03 17:21:27 [DEBUG] [DEBUG] POST https://api.scaleway.com/k8s/v1/regions/fr-par/clusters
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: 2020/10/03 17:21:28 [DEBUG] 
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: --------------- Scaleway SDK RESPONSE 2 : ---------------
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: HTTP/1.1 403 Forbidden
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: Connection: close
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: Content-Length: 79
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: Content-Security-Policy: default-src 'none'; frame-ancestors 'none'
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: Content-Type: application/json
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: Date: Sat, 03 Oct 2020 15:21:27 GMT
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: Server: Scaleway API-Gateway
2020-10-03T17:21:28.028+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: Strict-Transport-Security: max-age=63072000
2020-10-03T17:21:28.029+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: X-Content-Type-Options: nosniff
2020-10-03T17:21:28.029+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: X-Frame-Options: DENY
2020-10-03T17:21:28.029+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: X-Request-Id: eb9b4c27-764e-4ce4-a4c5-f086440d20ec
2020-10-03T17:21:28.029+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: 
2020-10-03T17:21:28.029+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: {"details":[],"message":"insufficient permissions","type":"permissions_denied"}
2020-10-03T17:21:28.029+0200 [DEBUG] plugin.terraform-provider-scaleway_v1.16.0: ----------------------------------------------------------
2020/10/03 17:21:28 [DEBUG] module.kapsule.scaleway_k8s_cluster_beta.main: apply errored, but we're indicating that via the Error pointer rather than returning it: scaleway-sdk-go: insufficient permissions: 
2020/10/03 17:21:28 [ERROR] eval: *terraform.EvalApplyPost, err: scaleway-sdk-go: insufficient permissions: 
2020/10/03 17:21:28 [ERROR] eval: *terraform.EvalSequence, err: scaleway-sdk-go: insufficient permissions: 

Error: scaleway-sdk-go: insufficient permissions: 

Panic Output

Expected Behavior

Create a cluster on Kapsule

Actual Behavior

An API Error.

Steps to Reproduce

  1. terraform apply

Important Factoids

References

Sh4d1 commented 4 years ago

Hello! It looks more like a token issue rather than a Terraform issue. Could you call: curl https://account.scaleway.com/tokens/<access_key>/permissions -H 'x-auth-token: <secret_key>' and check the Kubernetes block? You should have clusters:* with your organization ID below?

Sh4d1 commented 4 years ago

I think you might use a token that is not bound to the project you are using (tokens are only valid on a single project).

nlamirault commented 4 years ago

OK. I've received

{"cluster:*": ["<PROJECT_ID>:*"]}

I replaced the organization ID with the project ID in SCW_DEFAULT_ORGANIZATION_ID and it works.
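An added example, not part of the original thread or the provider's code: a Python check of a Kubernetes permission block in the shape posted above against the IDs held in the SCW_DEFAULT_* variables. The action name `cluster:create`, the sample IDs, and the glob-style reading of keys and scopes are assumptions made for illustration.

```python
import fnmatch
import json

# Constructed sample: the Kubernetes block in the shape posted above,
# with made-up IDs standing in for <PROJECT_ID> and the organization ID.
PROJECT_ID = "11111111-1111-1111-1111-111111111111"       # constructed
ORGANIZATION_ID = "22222222-2222-2222-2222-222222222222"  # constructed
K8S_BLOCK = json.loads('{"cluster:*": ["%s:*"]}' % PROJECT_ID)


def scoped_ids(k8s_block, action):
    """Return the IDs on which the token grants `action`.

    Assumption: keys are action globs and each scope entry is
    "<owner id>:<resource glob>".
    """
    ids = set()
    for action_glob, scopes in k8s_block.items():
        if fnmatch.fnmatchcase(action, action_glob):
            ids.update(scope.split(":", 1)[0] for scope in scopes)
    return ids


def diagnose(k8s_block, env, action="cluster:create"):
    """Map each SCW_DEFAULT_*_ID variable to 'unset', 'in scope' or 'out of scope'."""
    allowed = scoped_ids(k8s_block, action)
    report = {}
    for var in ("SCW_DEFAULT_ORGANIZATION_ID", "SCW_DEFAULT_PROJECT_ID"):
        value = env.get(var)
        if not value:
            report[var] = "unset"
        else:
            report[var] = "in scope" if value in allowed else "out of scope"
    return report


if __name__ == "__main__":
    # Setup from the original report: organization ID in the org variable.
    print(diagnose(K8S_BLOCK, {"SCW_DEFAULT_ORGANIZATION_ID": ORGANIZATION_ID}))
    # Workaround from the thread: project ID placed in the same variable.
    print(diagnose(K8S_BLOCK, {"SCW_DEFAULT_ORGANIZATION_ID": PROJECT_ID}))
```

An ID reported as out of scope is one the token is not bound to, which matches the 403 "insufficient permissions" response in the debug output.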

Sh4d1 commented 4 years ago

Yeah, the SCW_DEFAULT_PROJECT_ID is working with k8s in terraform 1.17.0, which should be released at the beginning of next week :) I'll close this then!

Sh4d1 commented 4 years ago

@nlamirault 1.17.0 is released 😄

andrew-s commented 3 years ago

Came here for the same issue - SCW_DEFAULT_PROJECT_ID does nothing for k8s cluster creation, so I actually copy my SCW_DEFAULT_PROJECT_ID env var into SCW_DEFAULT_ORGANIZATION_ID and now it works.

This seems like a real mess since from the dashboard, my org and project ids are different yet in the SDK - they have to be the same for it to work and actually, you can't define just project id as if you're missing the SCW_DEFAULT_ORGANIZATION_ID the error returned is:

Error: scaleway-sdk-go: invalid argument(s): project_id is required, A Project ID is required

That's really misleading as what's actually missing is the org id that needs to be the project id .....

TF: 0.14.0 Scaleway SDK: 1.17.2

Sh4d1 commented 3 years ago

@andrew-s yes, 1.17 is not fully project ready. It's a half ready release :( next major should be better!