RBAC provisioning errors : 403 error #27
Comments
👋 Thanks for opening an issue! Created & replied to the 2nd issue (error) here: #28
Regarding the first one, I've got a quick question: is the end goal to create 2 role bindings:
There could be a typo in CRNs, so I'd suggest using data sources instead of variables:
Let me know if that helps.
|
Thank you for the reply. The Cloud API key was created by me and I have the "OrganizationAdmin" role. Also, the cloud key/secret I am using has worked in another tf project where I used it to provision a service account with the "CloudClusterAdmin" role. I used the data block as suggested above but still get the 403 error.
|
@bluedog13 could you share your OrgID with |
Thank you. Have sent the email to the email shared above. Below is the rbac_crn that was generated from the data block to be substituted in the confluent_role_binding block.
|
@linouk23 - Thank you for helping resolve the issue. Below is the fix.
I was using
For the fix to work, the email had to be substituted with the user id for the email.
The reason for using the email initially was that the Confluent CLI does take an email for the principal. This behavior is different in the Terraform provisioning.
|
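A pre-apply check for the mistake resolved above (an email where the role binding's principal needs the user id), as an added example that is not part of the original thread or the provider's code. It reads the JSON form of a plan (`terraform show -json`); the `User:<id>` principal form, the resource addresses, the ids and the CRN placeholder in the sample are assumptions constructed for illustration.

```python
import json

# Constructed plan excerpt in the shape of `terraform show -json tfplan`;
# addresses, ids and the CRN placeholder are made up for this example.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "confluent_role_binding.by_email", "type": "confluent_role_binding",
     "change": {"actions": ["create"], "after": {
         "principal": "User:dev@example.com", "role_name": "DeveloperRead",
         "crn_pattern": "<crn-placeholder>"}, "after_unknown": {}}},
    {"address": "confluent_role_binding.by_id", "type": "confluent_role_binding",
     "change": {"actions": ["create"], "after": {
         "principal": "User:u-abc123", "role_name": "DeveloperRead",
         "crn_pattern": "<crn-placeholder>"}, "after_unknown": {}}},
    {"address": "confluent_role_binding.sa_admin", "type": "confluent_role_binding",
     "change": {"actions": ["create"], "after": {
         "role_name": "CloudClusterAdmin", "crn_pattern": "<crn-placeholder>"},
         "after_unknown": {"principal": True}}},
    {"address": "confluent_role_binding.old", "type": "confluent_role_binding",
     "change": {"actions": ["delete"], "after": None}},
]})


def check_role_binding_principals(plan_json):
    """Return (address, principal, problem) tuples for role bindings to fix."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "confluent_role_binding":
            continue
        change = rc.get("change") or {}
        after = change.get("after") or {}      # null when the binding is deleted
        principal = after.get("principal")
        if principal is None:
            continue                           # deleted, or known only after apply
        kind, sep, ident = principal.partition(":")
        if not sep or kind != "User" or not ident:
            problem = "principal is not of the form User:<id>"
        elif "@" in ident:
            problem = "email used as principal; use the user id for that email"
        else:
            continue
        findings.append((rc["address"], principal, problem))
    return findings


if __name__ == "__main__":
    for address, principal, problem in check_role_binding_principals(SAMPLE_PLAN):
        print(f"{address}: {principal!r}: {problem}")
```

Bindings whose principal is computed from a resource created in the same apply are skipped, because the plan does not yet contain the value.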
I am trying to grant DeveloperRead access to users. In my project setup I have
sa-cloudclusteradmin file creates a new service account with "CloudClusterAdmin" privileges.
Error-1
When I run the tf apply command for the first time I get the below error when assigning DeveloperRead. I have the confluent_cloud_api_key/secret defined in main.tf file. The error below - is it because it needs an account with "CloudClusterAdmin" privileges? If yes, how do I use them in the "confluent_role_binding" block?
However the same works when I use the confluent CLI "iam rbac role-binding create" command.
Error-2
Also, when I run the tf apply command again for the second time, I get an additional error for the CloudClusterAdmin account. Should it not skip creating the service account if it already exists?
I tried the below to assign the CloudClusterAdmin keys while provisioning, but it did not work.
Thanks.