terraform-provider-vcd
Invalid refresh token - minorErrorCode: invalid_grant
Hello,
Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.
Terraform Version
Run `terraform -v` to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.
Terraform v1.2.8
on linux_amd64
- provider registry.terraform.io/vmware/vcd v3.7.0
Affected Resource(s)
Please list the resources as a list, for example: provider vcd
If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.
Terraform Configuration Files
```hcl
terraform {
  required_providers {
    vcd = {
      source  = "vmware/vcd"
      version = "3.7.0"
    }
  }
}

provider "vcd" {
  user                 = "none"
  password             = "none"
  auth_type            = "api_token"
  api_token            = var.api_token
  org                  = "xxxx"
  url                  = "https://xxxx/api"
  vdc                  = "xxxxx"
  max_retry_timeout    = 30
  allow_unverified_ssl = true
  logging              = true
}
```
Debug Output
https://gist.github.com/storbel/a1a47d4cb6cd641c9084928bba70aa8c
Panic Output
If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the `crash.log`.
Expected Behavior
login to vcloud director api
Actual Behavior
[ERROR] vertex "provider["registry.terraform.io/vmware/vcd"]" error: something went wrong during authentication: minorErrorCode: invalid_grant - message: Invalid refresh token - error: invalid_grant - error_description: Invalid refresh token - : 400 Bad Request
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
```hcl
terraform {
  required_providers {
    vcd = {
      source  = "vmware/vcd"
      version = "3.7.0"
    }
  }
}

provider "vcd" {
  user                 = "none"
  password             = "none"
  auth_type            = "api_token"
  api_token            = var.api_token
  org                  = "xxxx"
  url                  = "https://xxxx/api"
  vdc                  = "xxxxx"
  max_retry_timeout    = 30
  allow_unverified_ssl = true
  logging              = true
}
```
- `terraform init`
- `terraform plan`
Hi @storbel, Would it be possible for you to also attach the go-vcloud-director logs? (to see how, check here)
Meanwhile, maybe we can check:
- Did the token work before?
- Does the token belong to the configured `org`?
- Was the token copy-pasted correctly?
- Is the token expired?
Hello,
Did anyone get a fix or workaround for this one? I am seeing the same error with the below config.
```hcl
terraform {
  required_providers {
    vcd = {
      source  = "vmware/vcd"
      version = "3.10.0"
    }
  }
}

provider "vcd" {
  user                 = "none"
  password             = "none"
  auth_type            = "api_token"
  api_token            = "sometokenhere"
  org                  = "orghere"
  vdc                  = "vdchere"
  sysorg               = "System"
  url                  = "https://cloud.someaddress.com/"
  allow_unverified_ssl = true
}
```
Hi @shabeebk,
In your case, would it be possible for you to attach the go-vcloud-director logs? (to see how, check here)
Is the token working when used outside Terraform?
Yes, getting the logs soon.
```
2023/09/19 10:59:45 ### WILL SKIP THE FOLLOWING TAGS: [ovf:License]
2023/09/19 10:59:45 [DEBUG] Attempt authentication using API token
2023/09/19 10:59:45 [TRACE] Sending a POST request with 'Content-Type: x-www-form-urlencoded' header to endpoint https://cloud.changed_to_somdatacenter.domain/oauth/provider/token with expected response of type *types.ApiTokenRefresh
2023/09/19 10:59:45 --------------------------------------------------------------------------------
2023/09/19 10:59:45 Request caller: vcd.providerConfigure-->vcd.(Config).Client-->vcd.ProviderAuthenticate-->govcd.(VCDClient).SetToken-->govcd.(VCDClient).GetBearerTokenFromApiToken-->govcd.(Client).getAccessToken-->govcd.(Client).OpenApiPostUrlEncoded-->govcd.(Client).newOpenApiRequest
2023/09/19 10:59:45 POST https://cloud.changed_to_somdatacenter.domain/oauth/provider/token
2023/09/19 10:59:45 --------------------------------------------------------------------------------
2023/09/19 10:59:45 Req header:
2023/09/19 10:59:45 Content-Type: [application/x-www-form-urlencoded]
2023/09/19 10:59:45 User-Agent: [terraform-provider-vcd/v3.10.0 (darwin/arm64; isProvider:true)]
2023/09/19 10:59:45 Request data: [71] grant_type=refresh_token&refresh_token=
2023/09/19 10:59:47 ################################################################################
2023/09/19 10:59:47 Response caller vcd.ProviderAuthenticate-->govcd.(*VCDClient).SetToken-->govcd.(*VCDClient).GetBearerTokenFromApiToken-->govcd.(*Client).getAccessToken-->govcd.(*Client).OpenApiPostUrlEncoded-->govcd.checkRespWithErrType-->govcd.ParseErr-->govcd.decodeBody
2023/09/19 10:59:47 Response status 400 Bad Request
2023/09/19 10:59:47 ################################################################################
2023/09/19 10:59:47 Response header:
2023/09/19 10:59:47 Date: [Tue, 19 Sep 2023 07:59:47 GMT]
2023/09/19 10:59:47 X-Vmware-Vcloud-Request-Id: [753afc47-c370-43c6-b181-013010d78f3e]
2023/09/19 10:59:47 Content-Type: [application/json]
2023/09/19 10:59:47 Response text: [196] { "error": "invalid_grant", "error_description": "Invalid refresh token", "error_uri": null, "minorErrorCode": "invalid_grant", "message": "Invalid refresh token", "stackTrace": null }
2023/09/19 10:59:47 [DEBUG] Authentication using API token was UNSUCCESSFUL: error getting bearer token: error authorizing service account: error in HTTP POST request: invalid_grant - Invalid refresh token
```
The most common causes for this error are:
- Incorrectly copied API token
- incorrectly pasted API token (i.e. missing one character or having extra ones)
- API token used in the wrong organization or user (i.e. a token created for organization X that is used in organization Y)
OK, by the way, how is it working when I do the same thing via a normal curl request? I am able to get a response when I do it in Postman with the same token.
```
POST https://cloud.changed_to_somdatacenter.domain/oauth/tenant/tenant_name/token
Content-Type: application/x-www-form-urlencoded

grant_type=refresh_token&refresh_token=the_same_token
```
And it fails if I try any of these config below. See the difference in the url.
```hcl
terraform {
  required_providers {
    vcd = {
      source  = "vmware/vcd"
      version = "3.10.0"
    }
  }
}

provider "vcd" {
  user                 = "none"
  password             = "none"
  auth_type            = "api_token"
  api_token            = "the_same_token"
  sysorg               = "System"
  url                  = "https://cloud.changed_to_somdatacenter.domain/oauth/tenant/tenant_name/token"
  allow_unverified_ssl = true
  logging              = true
}
```

```hcl
terraform {
  required_providers {
    vcd = {
      source  = "vmware/vcd"
      version = "3.10.0"
    }
  }
}

provider "vcd" {
  user                 = "none"
  password             = "none"
  auth_type            = "api_token"
  api_token            = "the_same_token"
  sysorg               = "System"
  url                  = "https://cloud.changed_to_somdatacenter.domain/api"
  allow_unverified_ssl = true
  logging              = true
}
```
It seems that with `curl` you are connecting with `tenant_name`, while in Terraform you have `Sysorg = "System"`. You should use `Sysorg = "tenant_name"`.
Ok, thanks. Let me try that.
Looks like it worked. The documentation should be enhanced I guess🥲.
The documentation is clear:
sysorg - (Optional; v2.0+) - Organization for user authentication. Can also be specified with the VCD_SYS_ORG environment variable.
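The mismatch resolved in this thread, as an added Go example (not code from the provider or from go-vcloud-director): it computes which OAuth endpoint an API token is exchanged at for a given `sysorg`, matching the `/oauth/provider/token` request in the log and the working `/oauth/tenant/tenant_name/token` request above. The function names, the host `vcd.example.test`, the fallback from `sysorg` to `org`, the case-insensitive match on "System" and the use of only the scheme and host of `url` are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// tokenEndpoint returns the URL an API token is exchanged at.
// Mapping taken from this thread: "System" -> /oauth/provider/token,
// any other organization -> /oauth/tenant/<org>/token.
func tokenEndpoint(providerURL, org, sysorg string) (string, error) {
	u, err := url.Parse(providerURL)
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("invalid provider url %q", providerURL)
	}
	authOrg := sysorg
	if authOrg == "" { // assumption: sysorg falls back to org when unset
		authOrg = org
	}
	if authOrg == "" {
		return "", fmt.Errorf("neither sysorg nor org is set")
	}
	scope := "tenant/" + url.PathEscape(authOrg)
	if strings.EqualFold(authOrg, "System") { // assumption: case-insensitive
		scope = "provider"
	}
	return fmt.Sprintf("%s://%s/oauth/%s/token", u.Scheme, u.Host, scope), nil
}

// refreshBody builds the form body shown on the log's "Request data" line.
func refreshBody(apiToken string) string {
	v := url.Values{}
	v.Set("grant_type", "refresh_token")
	v.Set("refresh_token", apiToken)
	return v.Encode()
}

func main() {
	// Constructed settings mirroring the failing and the working configuration.
	for _, sysorg := range []string{"System", "tenant_name"} {
		ep, err := tokenEndpoint("https://vcd.example.test/api", "tenant_name", sysorg)
		if err != nil {
			panic(err)
		}
		fmt.Printf("sysorg=%-13q -> POST %s\n", sysorg, ep)
	}
}
```

A token created in a tenant organization is only valid at that tenant's endpoint, so comparing the computed URL with the one the token works against outside Terraform shows whether `sysorg` is the cause of `invalid_grant`.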