resource "okta_app_oauth_api_scope" failed to grant application api scope: the API returned an error: Invalid session

[pjebastingit]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

3.24.0

Affected Resource(s)

Unable to grant OKTA API scopes to service app using private_key.

- resource "okta_app_oauth_api_scope" "OAuth" {
  app_id = okta_app_oauth.OAuth.id
  issuer = "https://<ORG>.oktapreview.com"
  scopes = ["okta.users.read", "okta.users.manage"]

}

Terraform Configuration Files

resource "okta_app_oauth_api_scope" "OAuth" {
  app_id = okta_app_oauth.OAuth.id
  issuer = "https://<ORG>.oktapreview.com"
  scopes = ["okta.users.read", "okta.users.manage"]

}
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

Debug Output

Terraform will perform the following actions:

  okta_app_oauth_api_scope.OAuth will be created

  + resource "okta_app_oauth_api_scope" "OAuth" {

      + app_id = "*******"

      + id     = (known after apply)

      + issuer = "[https://ORG URL.oktapreview.com"](https://urldefense.com/v3/__https://*22__;JQ!!PwKahg!5sjMYbNJS78BWjRMF6nxmRLKtS71oMOxC71DKvtrFQSPE1vMlaPi-e-_sZT7kvBDl0LhqhUIuzdE3xnjncWljT9PDGSF5ciD$)

      + scopes = [

          + "okta.users.manage",

          + "okta.users.read",

        ]

    }

 

Plan: 1 to add, 0 to change, 0 to destroy.

 

Do you want to perform these actions?

  Terraform will perform the actions described above.

  Only 'yes' will be accepted to approve.

 

  Enter a value: yes

 

okta_app_oauth_api_scope.OAuth: Creating...

╷

│ Error: failed to create application scope consent grant: failed to grant application api scope: the API returned an error: Invalid session

│

│   with okta_app_oauth_api_scope.OAuth,

│   on app_OAuth.tf line 30, in resource "okta_app_oauth_api_scope" "OAuth":

│   30: resource "okta_app_oauth_api_scope" "OAuth" {

│
<!---
Please provide a link to a GitHub Gist containing the complete debug output. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

To obtain the debug output, see the [Terraform documentation on debugging](https://www.terraform.io/docs/internals/debugging.html).
--->

Panic Output

Expected Behavior

Service app should have granted the OKTA API scopes (okta.users.read and okta.users.manage)

Actual Behavior

Please refer the debug output section.

╷

│ Error: failed to create application scope consent grant: failed to grant application api scope: the API returned an error: Invalid session

│

│   with okta_app_oauth_api_scope.OAuth,

│   on app_OAuth.tf line 30, in resource "okta_app_oauth_api_scope" "OAuth":

│   30: resource "okta_app_oauth_api_scope" "OAuth" {

Steps to Reproduce

1. terraform apply

Important Factoids

NO

References

• #0000

[monde]

@pjebastingit it looks like you aren't getting your config variables set up correctly for the client. This an error with accessing the API, not the API call or the implementation in the provider.

• https://developer.okta.com/docs/reference/error-codes/
• https://registry.terraform.io/providers/okta/okta/latest/docs#environment-variables
• https://stackoverflow.com/questions/27627631/okta-api-authn-always-returns-invalid-session