Global service agency won't authorize FGS to write on OBS

[marcosdiasdev]

Terraform Version

Terraform v0.15.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/random v3.1.0
+ provider registry.terraform.io/huaweicloud/huaweicloud v1.25.0

Your version of Terraform is out of date! The latest version
is 0.15.5. You can update by downloading from https://www.terraform.io/downloads.html

Terraform Configuration Files

terraform {
  required_providers {
    huaweicloud = {
      source = "huaweicloud/huaweicloud"
      version = ">= 1.25.0"
    }
  }
}

resource "huaweicloud_obs_bucket" "bucket" {
  bucket = "test-bucket-35616271"
  acl    = "private"
}

resource "huaweicloud_identity_agency" "agency" {
  name                   = "fgs_obs_agency"
  description            = "Delegate OBS access to FGS"
  delegated_service_name = "op_svc_cff"
  domain_roles = [ "OBS OperateAccess" ]
}

resource "huaweicloud_fgs_function" "fgs" {
  name         = "test_fgs"
  app           = "default"
  description   = "Upload file to OBS"
  handler       = "index.handler"
  agency        = huaweicloud_identity_agency.agency.name
  memory_size   = 128
  timeout       = 3
  runtime       = "Node.js6.10"
  user_data     = jsonencode({ 
    bucket      = "test-bucket-35616271"
    obsAddress  = "obs.ap-southeast-1.myhuaweicloud.com"
    fileName    = "testfile"
  })
  code_type     = "inline"
  func_code     = <<EOF
const ObsClient = require('esdk-obs-nodejs');
const fs = require('fs');

exports.handler = function (event, context, callback) {
    const bucketName = context.getUserData('bucket');
    const saveFileName = context.getUserData('fileName');
    // To debug or print messages, use the log instance provided by FunctionGraph instead of the native print function.
    console.log('*** objBucket: ' + bucketName);
    console.log('*** fileName:' + saveFileName);

    // Obtains a temporary AK and SK. An agency is required to access IAM.
    const ak = context.getAccessKey();
    const sk = context.getSecretKey();
    if(!ak || !sk){
        console.log('Failed to access OBS because no temporary AK, SK, or token has been obtained. Please set an agency.');
        callback(JSON.stringify({ 'message' : 'Failed to access OBS because no temporary AK, SK, or token has been obtained. Please set an agency.'}), null);
        return;
    }

    // Uploads a file to a specified bucket.
    const tmpFile = '/tmp/test.txt';
    const obs_address = context.getUserData('obsAddress') || 'obs.cn-north-1.myhuaweicloud.com'; // Domain name of the OBS service. Use the default value.
    const obsClient =  new ObsClient({
        access_key_id: ak,
        secret_access_key: sk,
        server: obs_address
    });

    // Creates a local temporary file.
    fs.writeFile(tmpFile, 'Hello, FunctionGraph.', function(err) {
        if (err) {
            callback(err, null);
            return;
        }
        // Uploads the file.
        obsClient.putObject({
            Bucket: bucketName,
            Key: saveFileName,
            SourceFile: tmpFile
        }, (err, result) => {
            if (!err) {
            if (result.CommonMsg.Status === 200) {
                console.log('Status-->' + result.CommonMsg.Status + '. uploading file is OK!');
                // Upload succeeded
                callback(null, JSON.stringify(
                    {
                        "statusCode": 200,
                        "isBase64Encoded": false,
                        "headers": { 'Content-Type': 'application/json' },
                        "body": JSON.stringify({ message: 'Upload succeeded' })
                    })
                );
            } else {
                console.error('Error-->' + JSON.stringify(result));
                callback(JSON.stringify(result), null);
            }
        } else {
            callback(JSON.stringify(err), null);
        }
    });
    });
}
  EOF
}

resource "huaweicloud_api_gateway_group" "apig_group" {
  name        = "test_apig_group"
  description = "A test group"
}

resource "huaweicloud_api_gateway_api" "apig" {
  group_id                 = huaweicloud_api_gateway_group.apig_group.id
  name                     = "test_apig"
  description              = "A test apig"
  visibility               = 1
  auth_type                = "NONE"
  backend_type             = "FUNCTION"
  request_protocol         = "HTTPS"
  request_method           = "POST"
  request_uri              = "/upload"
  example_success_response = "{\"statusCode\":200,\"isBase64Encoded\":false,\"headers\":{},\"body\":\"\"}"
  function_backend {
    function_urn = replace(huaweicloud_fgs_function.fgs.id, ":latest", "")
    invocation_type = "sync"
    version = "latest"
  }
}

Expected Behavior

The test_fgs should upload a text file to OBS.

Actual Behavior

The test_fgs function can't upload to OBS and returns 'AccessDenied' code.

Steps to Reproduce

1. terraform init
2. terraform apply
3. Go to HC Console and publish the API test_apig created above.
4. Run any test on the test_fgs function created above.

Additional Context

The agency works as expected after some minutes if we just manually delete the agency permission and create it again in HC Console with the same settings: Policy/Role name = OBS OperateAccess, Project [Region] = Global service [Global].

[niuzhenguo]

@Jason-Zhang9309 please have a look at this！

[Jason-Zhang9309]

OK, I'm trying to reproduce the problem

[Lance52259]

Please try this (MOS role) @timarcosdias

resource "huaweicloud_identity_agency" "agency" {
  name                   = "fgs_obs_agency"
  delegated_service_name = "op_svc_cff"

  project_role {
    project = "MOS"
    roles = [
      "OBS OperateAccess",
    ]
  }
  domain_roles = [
    "OBS OperateAccess",
  ]
}

[ShiChangkuo]

@marcosdiasdev I'm going to close this issue because there are no updates for 20 days. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.