What custom token scopes do I need to set a loadbalancer forwarding_rule via terraform?

I’m trying to set up a new scoped token to replace a full-access token I previously used for deployment.

I get the following error on terraform plan:

Error building Load Balancer forwarding rules - error: 
Message:"You are not authorized to perform this operation", RequestID:"...", Attempts:0}

My token has all scopes enabled for the load_balancer (delete, update, read, create).

My Terraform looks like this:

```hcl
resource "digitalocean_loadbalancer" "loadbalancer" {
  name   = "${var.project_name}-loadbalancer"
  region = "${var.region}"

  # Plain HTTP passthrough
  forwarding_rule {
    entry_port     = 80
    entry_protocol = "http"

    target_port     = 80
    target_protocol = "http"
  }

  # HTTPS entry terminated at the load balancer, plain HTTP to the targets
  forwarding_rule {
    entry_port     = 443
    entry_protocol = "https"

    target_port     = 80
    target_protocol = "http"
  }
}
```

P.S. I’m very happy that DO now has scoped tokens; this was my biggest problem with the platform until now.

Bobby Iliev
Site Moderator
May 10, 2024
Accepted Answer

Hi there,

Indeed, if you are creating a 443 forwarding rule, the certificate is a required option.

This is nicely visible in the UI but might be a bit abstracted in the Terraform docs:

I tried creating a Load balancer without the 443 forwarding rule and it works out of the box with only the load balancer token privileges:

```hcl
resource "digitalocean_loadbalancer" "loadbalancer" {
  name   = "test-loadbalancer"
  region = "nyc3"

  forwarding_rule {
    entry_port     = 80
    entry_protocol = "http"

    target_port     = 80
    target_protocol = "http"
  }
}
```

Hope that this helps!



I played with setting wider scopes to see what Terraform is trying to do - an additional read scope on “certificate” got me to the next step.

I’m not sure why certificates are changing in my plan. I will update this answer once I understand it.

Edit: I needed read on certificate as well as the load_balancer rules for the scoped token when deploying a Load Balancer with SSL termination. This is also true if there are no changes to be made.

Debugging step that helped - using a wider-access token first to see what Terraform was actually doing.

certificate_name was missing from my Terraform but was set in my deployed infrastructure because I’d set it up and attached it outside Terraform.

certificate_name seems to be an optional attribute in that it is possible to deploy a forwarding_rule without it, but a forwarding_rule that tries to do SSL termination will not work when deployed with no certificate_name.
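
The configuration the answers above converge on, written out as an added example (not code from either poster): the 443 rule declares its certificate, so the plan matches the deployed load balancer. The certificate name `example-cert`, the load balancer name and the data source label `lb` are placeholders; per the answer above, the token needs read on certificate in addition to the load_balancer scopes.

```hcl
terraform {
  required_providers {
    digitalocean = {
      source = "digitalocean/digitalocean"
    }
  }
}

variable "certificate_name" {
  description = "Name of a certificate that already exists in the account"
  type        = string
  default     = "example-cert" # placeholder, not a value from the page
}

# Looking the certificate up makes the plan fail early if the name is wrong.
# This lookup is a read on the certificate resource, so the scoped token needs
# the certificate read scope as well as the load_balancer scopes.
data "digitalocean_certificate" "lb" {
  name = var.certificate_name
}

resource "digitalocean_loadbalancer" "loadbalancer" {
  name   = "example-loadbalancer" # placeholder
  region = "nyc3"

  forwarding_rule {
    entry_port     = 80
    entry_protocol = "http"

    target_port     = 80
    target_protocol = "http"
  }

  forwarding_rule {
    entry_port     = 443
    entry_protocol = "https"

    target_port     = 80
    target_protocol = "http"

    # SSL termination: declare the certificate here instead of attaching it
    # outside Terraform, otherwise state and deployed infrastructure drift.
    certificate_name = data.digitalocean_certificate.lb.name
  }
}
```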
