oAuth App Authentication Support is missing #569

Open
xSAVIKx opened this issue Jul 10, 2024 · 6 comments
Labels
kind/bug Some behavior is incorrect or out of spec

Comments

xSAVIKx commented Jul 10, 2024

Describe what happened

I'm trying to set up PagerDuty using the provider and trying to authenticate using oAuth app clientID + secret + subdomain. Unfortunately when I try doing so I get the following error every time:

    error: Cannot obtain plugin client:
    No valid credentials found for PagerDuty provider.
    Please see https://www.terraform.io/docs/providers/pagerduty/index.html
    for more information on providing credentials for this provider.

If I switch to token-based v2 auth everything works as expected.

Sample program

Pulumi.yaml:

    name: service-trains
    runtime: yaml
    description: PagerDuty bug
    resources:
      pdProvider:
        type: pulumi:providers:pagerduty
        properties:
    #      token: ${pagerduty:token}
          useAppOauthScopedToken:
            pdClientId: ${pagerduty:clientId}
            pdClientSecret: ${pagerduty:clientSecret}
            pdSubdomain: ${pagerduty:subdomain}
        options:
          version: 4.13.2
      devsUser:
        type: pagerduty:User
        properties:
          email: [email protected]
          name: Dev Team
          description: Development team
          jobTitle: Devs
          role: limited_user
        options:
          provider: ${pdProvider}

Pulumi.pagerduty.yaml:

    config:
      pagerduty:clientId:
        secure: some-secret
      pagerduty:clientSecret:
        secure: some-secret
      pagerduty:subdomain: some-sub-domain
      pagerduty:token:
        secure: some-secret
      pulumi:disable-default-providers:
        - "*"

Log output

    Diagnostics:
    pagerduty:index:User (devsUser):
    error: Cannot obtain plugin client:
    No valid credentials found for PagerDuty provider.
    Please see https://www.terraform.io/docs/providers/pagerduty/index.html
    for more information on providing credentials for this provider.

Affected Resource(s)

pagerduty:User

Output of pulumi about

    pulumi about
    CLI
    Version 3.122.0
    Go Version go1.22.4
    Go Compiler gc

    Plugins
    KIND NAME VERSION
    language yaml unknown

    Host
    OS ubuntu
    Version 22.04
    Arch x86_64

    This project is written in yaml

    Current Stack: CURRENT_STACK

    TYPE URN

    Found no pending operations associated with STACK

    Backend
    Name pulumi.com
    URL https://app.pulumi.com/xSAVIKx
    User xSAVIKx
    Organizations
    Token type personal

    No dependencies found

    Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@xSAVIKx xSAVIKx added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jul 10, 2024
@VenelinMartinov
Contributor

Hey @xSAVIKx, thanks for reporting here and sorry you had issues with the provider.

Could you please verify that your client id, secret and domain parameters are working by trying the pagerduty API directly: https://developer.pagerduty.com/docs/e518101fde5f3-obtaining-an-app-o-auth-token#about-app-oauth-tokens

It'd be helpful to know if this is an issue with the provider handling of the parameters or the API/ credentials.

It'd also be immensely helpful if you could try the terraform provider for pagerduty, which we use for the pulumi provider - do the Oauth App credentials work there?

@VenelinMartinov VenelinMartinov added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jul 11, 2024
@xSAVIKx
Author

xSAVIKx commented Jul 11, 2024

Hey @VenelinMartinov.

I can confirm that I can execute the following request from the API docs:

    curl -i --request POST \
      https://identity.pagerduty.com/oauth/token \
      --header "Content-Type: application/x-www-form-urlencoded" \
      --data-urlencode "grant_type=client_credentials" \
      --data-urlencode "client_id={CLIENT_ID}" \
      --data-urlencode "client_secret={CLIENT_SECRET}" \
      --data-urlencode "scope=as_account-us.companysubdomain incidents.read services.read"

And I do get a success response:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Thu, 11 Jul 2024 12:59:40 GMT
    Content-Type: application/json
    Content-Length: 160
    Connection: keep-alive
    Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0, private, must-revalidate
    content-security-policy: frame-ancestors 'none'
    Expires: Thu, 01 Jan 1970 00:00:00 GMT
    Pragma: no-cache
    X-Content-Type-Options: nosniff
    X-Frame-Options: DENY
    X-Request-Id: 52049af3f027b5ffd827b7aa99a455dd
    X-XSS-Protection: 1; mode=block
    Set-Cookie: x_pd_oauth_trace_id=F-EqD9cxe8untIQCjG_C; Expires=Thu, 11 Jul 2024 13:04:40 GMT; Max-Age=300; Domain=eu.pagerduty.com; Path=/; HttpOnly
    Strict-Transport-Security: max-age=31536000; includeSubDomains
    Referrer-Policy: no-referrer-when-downgrade
    Feature-Policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'

    {"access_token":"<ACCESS_TOKEN>","scope":"as_account-us.<SUBDOMAIN> services.read","token_type":"bearer","expires_in":86400}

And I also can confirm that I can use returned scoped ACCESS TOKEN to e.g. read all available services using:

    curl -i --request GET \
      --url https://api.pagerduty.com/services \
      --header 'Accept: application/json' \
      --header 'Authorization: Bearer <ACCESS_TOKEN>' \
      --header 'Content-Type: application/json'

Unfortunately, I don't have a quick way to test the terraform provider at the moment.

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Jul 11, 2024
@VenelinMartinov
Contributor

Thanks! Could I ask you to provide logs of the failed run? Here are instructions on how to get them: https://www.pulumi.com/docs/support/troubleshooting/#verbose-logging

Please, make sure to scrub any secrets from the logs.
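
One way to do that scrubbing before attaching a verbose log, as an added example that is not part of the original thread or of the provider's code. The muxer diagnostic quoted further down this thread prints the whole `useAppOauthScopedToken` object, `pdClientSecret` included, so the patterns cover escaped JSON as well as plain JSON, HCL-style assignments and bearer headers. The key list and the sample lines are assumptions constructed for the example.

```python
import re

# Field names seen in this thread. Treating exactly these as sensitive is an
# assumption of this example; extend the tuple for your own stack.
SECRET_KEYS = ("pdClientSecret", "pd_client_secret", "client_secret",
               "access_token", "token")
_KEYS = "|".join(map(re.escape, SECRET_KEYS))

PATTERNS = [
    # "key":"value", including backslash-escaped quotes (JSON logged inside
    # another quoted string, as in the muxer diagnostic).
    (re.compile(r'(\\?"(?:%s)\\?"\s*:\s*\\?")[^"\\]*' % _KEYS), r"\1<REDACTED>"),
    # key = "value" (HCL) and key=value (form bodies, environment dumps).
    (re.compile(r'(\b(?:%s)\s*=\s*"?)[^"\s&]+' % _KEYS), r"\1<REDACTED>"),
    # HTTP Authorization header carrying a bearer token.
    (re.compile(r"(Authorization:\s*Bearer\s+)[\w.~+/=-]+", re.I), r"\1<REDACTED>"),
]

# Constructed sample; every identifier and secret below is fake.
SAMPLE = r'''    server 0: "{\"pdClientId\":\"cid-constructed\",\"pdClientSecret\":\"s3cr3t-constructed-A\",\"pdSubdomain\":\"acme\"}"
    server 1: "{\"pdClientId\": \"cid-constructed\", \"pdClientSecret\": \"s3cr3t-constructed-A\", \"pdSubdomain\": \"acme\"}"
{"access_token":"tok-constructed-B","scope":"services.read","token_type":"bearer","expires_in":86400}
Authorization: Bearer tok-constructed-B
pd_client_secret = "s3cr3t-constructed-A"
'''


def scrub(text):
    """Return (scrubbed_text, number_of_values_replaced)."""
    total = 0
    for pattern, replacement in PATTERNS:
        text, count = pattern.subn(replacement, text)
        total += count
    return text, total


if __name__ == "__main__":
    scrubbed, replaced = scrub(SAMPLE)
    print(scrubbed, end="")
    print(f"{replaced} value(s) redacted")
```

A replacement count of zero on a log known to contain credentials means the patterns missed the format, so search the scrubbed file for the known secret value before uploading.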

@VenelinMartinov VenelinMartinov added awaiting-feedback Blocked on input from the author and removed needs-triage Needs attention from the triage team labels Jul 11, 2024
@zender-vivodyne

@VenelinMartinov I hit the same issue. My setup is a little different but trying to accomplish the same thing. Currently have the default provider for pagerduty disabled. Creating it via code (python) like so.

    import os
    import pulumi
    import pulumi_pagerduty as pagerduty

    # Explicit provider instance using app OAuth client credentials
    pagerduty_provider = pagerduty.Provider(
        "pagerduty",
        use_app_oauth_scoped_token=pagerduty.ProviderUseAppOauthScopedTokenArgs(
            pd_client_id=os.environ["PAGERDUTY_CLIENT_ID"],
            pd_client_secret=os.environ["PAGERDUTY_CLIENT_SECRET"],
            pd_subdomain="vivodyne",
        ),
    )
    opts = pulumi.ResourceOptions(provider=pagerduty_provider)

I was able to collect logs (see attached) using this command:

    TF_LOG=TRACE poetry run pulumi up --logtostderr --logflow -v=10 2> out2.txt

out2.txt

And spin up a terraform project using this very basic configuration

    terraform {
      required_providers {
        pagerduty = {
          source  = "pagerduty/pagerduty"
          version = "3.15.6"
        }
      }
    }

    provider "pagerduty" {
      use_app_oauth_scoped_token {
        pd_client_id = "<my client id>"
        pd_subdomain = "<my subdomain>"
      }
    }

    resource "pagerduty_team" "team" {
      name        = "ZenderTestTeamTF"
      description = "This is a test team created using Terraform"
    }

    output "team_id" {
      value = pagerduty_team.team.id
    }

It ran a plan and apply with no issues. Logs from that if it helps are also attached.
tf-out.txt

@pulumi-bot pulumi-bot added needs-triage Needs attention from the triage team and removed awaiting-feedback Blocked on input from the author labels Sep 27, 2024
@zender-vivodyne

Looking at the pulumi log a little closer, I do see this

    I0927 11:34:09.445206   66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}>I0927 11:34:09.445191   66747 muxer.go:153] [muxer] CheckConfig results do not agree on the 'useAppOauthScopedToken' property:
    <{%reset%}>)
    I0927 11:34:09.445217   66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}>    server 0: "{\"pdClientId\":\"<my client id>\",\"pdClientSecret\":\"<my client secret>\",\"pdSubdomain\":\"<my subdomain>\"}"
    <{%reset%}>)
    I0927 11:34:09.445221   66680 eventsink.go:78] eventSink::Infoerr(<{%reset%}>    server 1: "{\"pdClientId\": \"<my client id>\", \"pdClientSecret\": \"<my client secret>\", \"pdSubdomain\": \"<my subdomain>\"}"
    <{%reset%}>)

but the only difference between these 2 lines is space 🤔
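
A way to check that observation mechanically over a verbose log, as an added example that is not part of the original comment or of the Pulumi code base: it extracts the `server N` payloads from the muxer message, decodes them, and reports whether they differ as bytes and as JSON values, naming only the differing keys so no credential is echoed. The log excerpts are constructed, and the assumption is that the logged value is a quoted string whose escapes are valid JSON escapes.

```python
import json
import re

# Constructed excerpts in the shape of the muxer message; all values are fake.
WHITESPACE_ONLY = r'''[muxer] CheckConfig results do not agree on the 'useAppOauthScopedToken' property:
    server 0: "{\"pdClientId\":\"cid\",\"pdClientSecret\":\"x\",\"pdSubdomain\":\"acme\"}"
    server 1: "{\"pdClientId\": \"cid\", \"pdClientSecret\": \"x\", \"pdSubdomain\": \"acme\"}"
'''
REAL_DIFFERENCE = r'''[muxer] CheckConfig results do not agree on the 'useAppOauthScopedToken' property:
    server 0: "{\"pdClientId\":\"cid\",\"pdSubdomain\":\"acme\"}"
    server 1: "{\"pdClientId\":\"cid\",\"pdSubdomain\":\"acme-eu\",\"pdClientSecret\":\"x\"}"
'''

SERVER_LINE = re.compile(r'server (\d+): ("(?:[^"\\]|\\.)*")')
_MISSING = object()


def payloads(log):
    """Map server index to the raw string that server returned."""
    # Assumption: the outer quoting uses escapes json.loads understands.
    return {int(i): json.loads(quoted) for i, quoted in SERVER_LINE.findall(log)}


def compare(log):
    """Compare the servers' payloads as bytes and as parsed JSON objects."""
    raw = payloads(log)
    if len(raw) < 2:
        raise ValueError("need at least two 'server N' payloads to compare")
    parsed = {i: json.loads(text) for i, text in raw.items()}
    reference = next(iter(parsed.values()))
    keys = sorted(set().union(*parsed.values()))
    # Report key names only, never values, so secrets stay out of the output.
    differing = [k for k in keys
                 if any(p.get(k, _MISSING) != reference.get(k, _MISSING)
                        for p in parsed.values())]
    return {"byte_equal": len(set(raw.values())) == 1,
            "semantically_equal": not differing,
            "differing_keys": differing}


if __name__ == "__main__":
    print(compare(WHITESPACE_ONLY))
    print(compare(REAL_DIFFERENCE))
```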

@guineveresaenger
Contributor

Thank you for the updates, @zender-vivodyne - we'll be taking a look as soon as we can. 🙏

@guineveresaenger guineveresaenger removed the needs-triage Needs attention from the triage team label Sep 27, 2024
@mjeffryes mjeffryes added this to the 0.111 milestone Oct 2, 2024
@mjeffryes mjeffryes modified the milestones: 0.111, 0.112 Oct 30, 2024
@mjeffryes mjeffryes removed this from the 0.112 milestone Nov 13, 2024