Unable to use provider 1.1.6 w/o primary password auth method
vhatsura opened this issue · 6 comments
We're using the OIDC auth method as our primary auth method and authenticate our boundary provider in terraform using the recovery_kms_hcl configuration. After upgrading to version 1.1.6, the setup stops working, complaining that we don't have a password primary auth method.
Terraform Version
1.3.9
Affected Resource(s)
The entire provider
Terraform Configuration Files
```hcl
provider "boundary" {
  addr = var.boundary_address
  recovery_kms_hcl = <<EOT
kms "awskms" {
  purpose    = "recovery"
  key_id     = "global_recovery"
  region     = "${var.region}"
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  kms_key_id = "${module.aws-kms.kms_boundary_recovery_key_id}"
}
EOT
}
```
Debug Output
```text
Error: error looking up primary auth method for scope ID: 'global'. got 'amoidc_...' but the provider requires an auth method prefix of 'ampw'
│
│ with provider["registry.terraform.io/hashicorp/boundary"],
│ on providers.tf line 65, in provider "boundary":
│ 65: provider "boundary" {
│
```
Expected Behavior
The provider should work w/o errors.
Actual Behavior
The `terraform apply` command failed with the error provided above.
If you remove the key_id line from the awskms config, does it start working?

It seems the boundary provider in terraform is trying to find the default auth_method_id when you are using recovery_kms_hcl. Does it work when you explicitly pass in an auth_method_id value?
Example:
```hcl
provider "boundary" {
  addr           = var.boundary_address
  auth_method_id = "oidc_12345567" # update to OIDC or any auth method id
  recovery_kms_hcl = <<EOT
kms "awskms" {
  purpose    = "recovery"
  key_id     = "global_recovery"
  region     = "${var.region}"
  access_key = "${var.aws_access_key}"
  secret_key = "${var.aws_secret_key}"
  kms_key_id = "${module.aws-kms.kms_boundary_recovery_key_id}"
}
EOT
}
```
> If you remove the key_id line from the awskms config, does it start working?

unfortunately, it doesn't help

> It seems the boundary provider in terraform is trying to find the default auth_method_id when you are using recovery_kms_hcl. Does it work when you explicitly pass in auth_method_id value? Example:
>
> ```hcl
> provider "boundary" {
>   addr           = var.boundary_address
>   auth_method_id = "oidc_12345567" # update to OIDC or any auth method id
>   recovery_kms_hcl = <<EOT
> kms "awskms" {
>   purpose    = "recovery"
>   key_id     = "global_recovery"
>   region     = "${var.region}"
>   access_key = "${var.aws_access_key}"
>   secret_key = "${var.aws_secret_key}"
>   kms_key_id = "${module.aws-kms.kms_boundary_recovery_key_id}"
> }
> EOT
> }
> ```
If I set auth_method_id to the OIDC auth method, it works, but it doesn't make sense, as the auth method is not used at all because recovery_kms_hcl has priority over all other authentication approaches. I'd expect that when recovery_kms_hcl is set, the provider will not try to find the default auth_method_id, as it's useless.
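As an added illustration (not the provider's own code), here is a small Go model of the two orderings discussed in this thread: the lookup the maintainer describes, which resolves an auth method and requires the `ampw` prefix before `recovery_kms_hcl` is considered, beside the precedence the reporter expects, where a set `recovery_kms_hcl` skips that lookup entirely. The scope lookup is a constructed in-memory table, and the `ProviderConfig` and `ResolveAuth` names are assumptions made for this example.

```go
package main

import "fmt"
import "strings"

// ProviderConfig models the provider arguments discussed in the thread.
// Illustrative model written for this issue; not the provider's code.
type ProviderConfig struct {
	AuthMethodID   string // "ampw_..." or "amoidc_..."; empty means use the scope's primary
	RecoveryKmsHCL string // non-empty when recovery_kms_hcl is set
}

// Constructed stand-in for the API call that returns a scope's primary auth method.
var primaryAuthMethod = map[string]string{"global": "amoidc_0123456789"}

// resolveAuthMethodID is the lookup a 1.1.6-style provider performs when
// auth_method_id is unset: it demands a password ('ampw') primary method.
func resolveAuthMethodID(cfg ProviderConfig) (string, error) {
	if cfg.AuthMethodID != "" {
		return cfg.AuthMethodID, nil
	}
	id := primaryAuthMethod["global"]
	if !strings.HasPrefix(id, "ampw_") {
		return "", fmt.Errorf("error looking up primary auth method for scope ID: 'global'. got '%s' but the provider requires an auth method prefix of 'ampw'", id)
	}
	return id, nil
}

// ResolveAuth returns the authentication path the provider would take.
// recoveryFirst=false is the ordering the thread describes (auth method resolved
// before recovery_kms_hcl is considered); true is the precedence the reporter expects.
func ResolveAuth(cfg ProviderConfig, recoveryFirst bool) (string, error) {
	if recoveryFirst && cfg.RecoveryKmsHCL != "" {
		return "recovery_kms", nil // recovery KMS wins; no auth method lookup at all
	}
	if _, err := resolveAuthMethodID(cfg); err != nil {
		return "", err
	}
	if cfg.RecoveryKmsHCL != "" {
		return "recovery_kms", nil
	}
	return "auth_method", nil
}

func main() {
	cfg := ProviderConfig{RecoveryKmsHCL: `kms "awskms" { purpose = "recovery" }`}
	_, err := ResolveAuth(cfg, false)
	mode, _ := ResolveAuth(cfg, true)
	fmt.Println("reported ordering:", err, "\nexpected ordering:", mode)
}
```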