MyPureCloud/terraform-provider-genesyscloud

How to access the client secret from a genesyscloud_oauth_client resource

Closed this issue · 4 comments

Hi,

How does one get the client secret from a client credentials OAuth resource created with genesyscloud_oauth_client?

It seems like a standard use-case but I can't find it documented anywhere. The secret seems to be exposed on the API at https://developer.genesys.cloud/devapps/api-explorer#get-api-v2-oauth-clients--clientId-

Many thanks

Hi,

Terraform is used to create and manage resources; it is not intended to be used to extract read-only data, in this case the client secret, from the created oauth client (or at least our provider is not). Cx as Code will manage your oauth clients, but if you need to get the oauth secrets you will need to find the oauth client created by Terraform in the UI or call GET /api/v2/oauth/clients/{clientId}.

If you need to get the id of the oauth client you created, you can use this command to read the resource's state:

terraform state show genesyscloud_oauth_client.<resource_name>

I would also recommend installing our CLI tool, if you don't already have it. It can call our APIs and is a helpful tool when using Cx as Code for situations like this.

Regards,
Declan

Thanks @dginty4, but I thought it was pretty standard practice to expose properties of Terraform resources to be used in properties of other resources.

As far as I know the only properties we expose are those used to manage the resource; we don't expose read-only attributes. What is your use case for this? I'm not aware of any resources that reference the client secret.

@tarlingovo is correct. The secret is exposed through this API endpoint:
I can see a use case for exposing the secret through Terraform. We're building a set of scripts to create several resources common to many of our customers. We're running these scripts via automated means, such as Azure DevOps pipelines and Terraform CLI. The resources include an OAuth client used for dedicated cloud functions, and the client uses client-credentials. I can get the id of this newly created client, but I can't access the secret from the Terraform block. That means I'll have to run a separate API command after the Terraform script to get the OAuth credentials and store them in my password repository.

If the genesyscloud_oauth_client exposed the secret so that I could define it in an output, then I would not need a second step. As a reminder, Terraform supports a sensitive flag to prevent the value from being logged:

output "oauth_client_secret" {
  description = "The Azure cloud-based resources OAuth Client Secret"
  value       = genesyscloud_oauth_client.app_cloud_functions.secret
  sensitive   = true
}

I don't see much risk in exposing this property in the Terraform provider when it's already exposed in the API. Thanks for your consideration.
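
An added example, not part of the original thread or the provider's code: `sensitive = true` keeps a value out of CLI output, but Terraform still writes it to the state file in cleartext, so the state backend needs the same protection as the password repository. The check below runs over a constructed state file; the `secret` attribute is hypothetical (the one requested above) and all values are placeholders.

```python
import json

# Constructed sample of a Terraform state file (format version 4). The
# "secret" attribute is hypothetical: it is the attribute the comment asks
# the provider to expose, and every value here is a placeholder.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {
        "oauth_client_secret": {
            "value": "PLACEHOLDER-SECRET", "type": "string", "sensitive": True},
        "oauth_client_id": {"value": "PLACEHOLDER-ID", "type": "string"},
    },
    "resources": [{
        "mode": "managed",
        "type": "genesyscloud_oauth_client",
        "name": "app_cloud_functions",
        "instances": [{"attributes": {
            "id": "PLACEHOLDER-ID",
            "name": "cloud-functions",
            "secret": "PLACEHOLDER-SECRET",
        }}],
    }],
})

# Attribute-name fragments treated as credential material (an assumption).
SECRET_HINTS = ("secret", "password", "token", "private_key")


def cleartext_secrets(state_text):
    """Return state addresses whose secret values are stored in cleartext."""
    state = json.loads(state_text)
    findings = []
    # Outputs flagged sensitive are redacted in CLI output only.
    for name, out in state.get("outputs", {}).items():
        if out.get("sensitive") and out.get("value"):
            findings.append(f"output.{name}")
    # Resource attributes are stored as plain JSON regardless of the flag.
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            for key, val in inst.get("attributes", {}).items():
                named_like_secret = any(h in key.lower() for h in SECRET_HINTS)
                if isinstance(val, str) and val and named_like_secret:
                    findings.append(f"{res['type']}.{res['name']}.{key}")
    return findings


if __name__ == "__main__":
    for address in cleartext_secrets(SAMPLE_STATE):
        print("cleartext in state:", address)
```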