I’m trying to set up a new scoped token to replace a full-access token I previously used for deployment.
I get the following error on terraform plan:
Error building Load Balancer forwarding rules - error:
&godo.ErrorResponse{Response:(*http.Response)(0xc0005e0f30),
Message:"You are not authorized to perform this operation", RequestID:"...", Attempts:0}
My token has all scopes enabled for the load_balancer (delete, update, read, create).
My Terraform looks like this:
resource "digitalocean_loadbalancer" "loadbalancer" {
  name   = "${var.project_name}-loadbalancer"
  region = "${var.region}"

  # Plain HTTP listener
  forwarding_rule {
    entry_port      = 80
    entry_protocol  = "http"
    target_port     = 80
    target_protocol = "http"
  }

  # HTTPS listener (SSL termination), no certificate set here
  forwarding_rule {
    entry_port      = 443
    entry_protocol  = "https"
    target_port     = 80
    target_protocol = "http"
  }
}
P.S. I’m very happy that DO now has scoped tokens, this was my biggest problem with the platform until now.
Accepted Answer
Hi there,
Indeed, if you are creating a 443 forwarding rule, the certificate is a required option.
This is nicely visible in the UI but might be a bit abstracted in the Terraform docs:
I tried creating a Load balancer without the 443 forwarding rule and it works out of the box with only the load balancer token privileges:
resource "digitalocean_loadbalancer" "loadbalancer" {
  name   = "test-loadbalancer"
  region = "nyc3"

  forwarding_rule {
    entry_port      = 80
    entry_protocol  = "http"
    target_port     = 80
    target_protocol = "http"
  }
}
Hope that this helps!
Best,
Bobby
I played with setting wider scopes to see what Terraform is trying to do - an additional read scope on “certificate” got me to the next step.
I’m not sure why certificates are changing in my plan. I will update this answer once I understand it.
Edit: I needed read on certificate as well as the load_balancer rules for the scoped token when deploying a Load Balancer with SSL termination. This is also true if there are no changes to be made.
Debugging step that helped - using a wider-access token first to see what Terraform was actually doing.
certificate_name was missing from my Terraform but was set in my deployed infrastructure because I’d set it up and attached it outside Terraform.
certificate_name seems to be an optional attribute in that it is possible to deploy a forwarding_rule without it, but a forwarding_rule that tries to do SSL termination will not work when deployed with no certificate_name.
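
The configuration the thread converges on, written out as an added example that is not part of the original posts: the 443 forwarding rule with certificate_name set, so the Terraform state matches a certificate that was attached outside Terraform. The variable certificate_name and the data source label "lb" are assumptions made for this sketch.

```hcl
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

variable "project_name" { type = string }
variable "region" { type = string }

# Hypothetical variable: the name of a certificate that already exists
# in the account (for example, one created in the control panel).
variable "certificate_name" { type = string }

# Looks up the existing certificate by name. Per the thread, the scoped
# token needs read on certificate in addition to the load_balancer
# scopes for a load balancer that does SSL termination.
data "digitalocean_certificate" "lb" {
  name = var.certificate_name
}

resource "digitalocean_loadbalancer" "loadbalancer" {
  name   = "${var.project_name}-loadbalancer"
  region = var.region

  forwarding_rule {
    entry_port      = 80
    entry_protocol  = "http"
    target_port     = 80
    target_protocol = "http"
  }

  # HTTPS entry terminates TLS at the load balancer, so it names the
  # certificate explicitly instead of relying on out-of-band changes.
  forwarding_rule {
    entry_port       = 443
    entry_protocol   = "https"
    target_port      = 80
    target_protocol  = "http"
    certificate_name = data.digitalocean_certificate.lb.name
  }
}
```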