Comments (5)
Thank you. Have sent the email to the email shared above.
Below is the rbac_crn that was generated from the data block to be substituted in the confluent_role_binding block.
crn_pattern = "crn://confluent.cloud/organization=98a3cce4-255d-4a56-8449-6dcbd65*****/environment=env-*****/cloud-cluster=lkc-*****/kafka=lkc-*****/topic=test*"
from terraform-provider-confluent.
@linouk23 - Thank you for helping resolve the issue.
Below is the fix.
I was using
  principal = "User:first.last@<company>.com"
For the fix to work, the email had to be substituted with the user ID that corresponds to that email:
  principal = "User:u-mv****"
The reason for using the email initially was that the Confluent CLI does accept an email for the principal. This behavior is different in Terraform provisioning:
confluent iam rbac role-binding create \
  --principal User:[email protected] \
  --role DeveloperRead \
  --kafka-cluster-id lkc-***** \
  --environment env-***** \
  --resource Topic:test \
  --prefix
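The two fixes discussed in this thread (resolve the principal to a user ID instead of an email, and build the CRN from the cluster data source rather than from hand-typed variables) combined into one configuration. This is an added example written for this page, not code posted by anyone in the thread or shipped by terraform-provider-confluent. It assumes the provider's confluent_user data source looked up by email; the variable names, the placeholder IDs and the developer email are hypothetical.

```hcl
terraform {
  required_providers {
    confluent = {
      source = "confluentinc/confluent"
    }
  }
}

# The Cloud API key used by the provider must be owned by a principal that
# holds OrganizationAdmin, EnvironmentAdmin or CloudClusterAdmin over the scope
# being granted; otherwise the role-binding API answers 403 Forbidden.
provider "confluent" {
  cloud_api_key    = var.confluent_cloud_api_key
  cloud_api_secret = var.confluent_cloud_api_secret
}

variable "confluent_cloud_api_key" {
  type      = string
  sensitive = true
}

variable "confluent_cloud_api_secret" {
  type      = string
  sensitive = true
}

# Placeholder identifiers (assumed); replace with the real environment/cluster.
variable "environment_id" {
  type    = string
  default = "env-PLACEHOLDER"
}

variable "kafka_cluster_id" {
  type    = string
  default = "lkc-PLACEHOLDER"
}

# Hypothetical developer who should get read access on test* topics.
variable "developer_email" {
  type    = string
  default = "first.last@example.com"
}

# Look the cluster up instead of hand-typing its CRN: rbac_crn is computed by
# the provider, so a typo in organization/environment/cluster IDs cannot creep in.
data "confluent_kafka_cluster" "non_prod" {
  id = var.kafka_cluster_id
  environment {
    id = var.environment_id
  }
}

# Resolve the human user by email. Its `id` attribute is the "u-xxxx" user ID
# that the role-binding API expects; the CLI accepts an email, the API does not.
data "confluent_user" "developer" {
  email = var.developer_email
}

resource "confluent_role_binding" "developer_read_test_topics" {
  # Correct form: user ID, not "User:${var.developer_email}".
  principal = "User:${data.confluent_user.developer.id}"

  # Least privilege: a read-only role scoped to a topic prefix, not
  # CloudClusterAdmin on the whole cluster.
  role_name = "DeveloperRead"

  # Prefix pattern: every topic whose name starts with "test".
  crn_pattern = "${data.confluent_kafka_cluster.non_prod.rbac_crn}/kafka=${data.confluent_kafka_cluster.non_prod.id}/topic=test*"
}

output "granted_principal" {
  value = confluent_role_binding.developer_read_test_topics.principal
}
```

Run `terraform plan` first and confirm the planned `principal` shows a `User:u-...` value and the `crn_pattern` shows the fully expanded CRN; if the plan itself fails with 403, the problem is the permissions of the Cloud API key owner, not the role binding definition.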
👋 thanks for opening an issue!
Created & replied to the 2nd issue (error) here: #28
Regarding the first one:
Your Cloud API Key (var.confluent_cloud_api_key/var.confluent_cloud_api_secret) should be owned by a principal with Org/Env/CloudClusterAdmin roles to be able to grant the CloudClusterAdmin role.
I've got a quick question: is the end goal to create 2 role bindings: CloudClusterAdmin and DeveloperRead? I would expect that you run Terraform Provider with the Cloud API Key owned by OrgAdmin, so 403 is a little bit surprising indeed.
There could be a typo in CRNs, so I'd suggest using data sources instead of variables:
data "confluent_kafka_cluster" "basic" {
  id = "lkc-abc123"
  environment {
    id = "env-xyz456"
  }
}

data "confluent_service_account" "example_using_name" {
  display_name = "test_sa"
}

resource "confluent_role_binding" "first-last-topic-rb" {
  principal   = "User:${data.confluent_service_account.example_using_name.id}"
  role_name   = "DeveloperRead"
  crn_pattern = "${data.confluent_kafka_cluster.basic.rbac_crn}/kafka=${data.confluent_kafka_cluster.basic.id}/group=test*"
}
Let me know if that helps.
I tried the below to assign the CloudClusterAdmin keys while provisioning... but it did not work
That's expected, see docs/resources/confluent_role_binding for a list of supported arguments.
Thank you for the reply.
The Cloud API key was created by me and I have the "OrganizationAdmin" role. Also, the cloud key/secret I am using has worked in another tf project, where I used it to provision a service account with the "CloudClusterAdmin" role.
I used the data block as suggested above but I still get the 403 error:
data "confluent_kafka_cluster" "non-prod" {
  id = var.kafka_cluster_id
  environment {
    id = var.environment_id
  }
}

resource "confluent_role_binding" "aleksandra-sarac-topic-rb" {
  principal   = "User:${var.user_first_last}"
  role_name   = "DeveloperRead"
  crn_pattern = "${data.confluent_kafka_cluster.non-prod.rbac_crn}/kafka=${data.confluent_kafka_cluster.non-prod.id}/topic=test*"
}
-------------------
error creating Role Binding: 403 Forbidden: Forbidden Access
@bluedog13 could you share your OrgID with [email protected] and our backend team will take a look at it?