Unable to grant a ServiceId membership to an access group from another Account

[chrisw-ibm]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/ibm-cloud/ibm v1.62.0

Affected Resource(s)

resource ibm_iam_access_group_members

Terraform Configuration Files

# Specify the required Terraform version for this configuration.
terraform {
  required_version = ">=1.0.0, <2.0"

  # Define the required providers and their sources.
  required_providers {
    ibm = {
      source = "IBM-Cloud/ibm"
    }
  }
}

# Declare a variable for the IBM Cloud API key.
variable "ibmcloud_api_key" {}

# Define the IBM provider configuration and set the API key from the variable.
provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
}

# Create an IBM IAM access group named "cloudability_access_group"
resource "ibm_iam_access_group" "access_group" {
  name = "MyAccessGroup"
}

# Create IAM access group members for the above defined group.
resource "ibm_iam_access_group_members" "access_group_member" {
  access_group_id = ibm_iam_access_group.access_group.id
  iam_service_ids = ["ServiceId-6bf7af4e-6f07-4894-ab72-ff539dfb951a"]
}

Note that the service id is a hardcoded string to a serviceId that is not within the same account.

Debug Output

ibm_iam_access_group_members.access_group_member: Creating...
ibm_iam_access_group_members.access_group_member: Still creating... [10s elapsed]
ibm_iam_access_group_members.access_group_member: Still creating... [20s elapsed]
╷
│ Error: ERROR] Error Getting Service Ids You are not authorized to use this API. {
│     "StatusCode": 403,
│     "Headers": {
│         "Akamai-Grn": [
│             "0.2e962a17.1707409122.6b9c6650"
│         ],
│         "Cache-Control": [
│             "no-cache, no-store, must-revalidate"
│         ],
│         "Connection": [
│             "keep-alive"
│         ],
│         "Content-Language": [
│             "en-US"
│         ],
│         "Content-Length": [
│             "461"
│         ],
│         "Content-Type": [
│             "application/json"
│         ],
│         "Date": [
│             "Thu, 08 Feb 2024 16:18:43 GMT"
│         ],
│         "Expires": [
│             "0"
│         ],
│         "Pragma": [
│             "no-cache"
│         ],
│         "Set-Cookie": [
│             
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "anE4ajk-ba9222f9bfff491ca3291cde4d7a2431"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Correlation-Id": [
│             "anE4ajk-ba9222f9bfff491ca3291cde4d7a2431"
│         ],
│         "X-Proxy-Upstream-Service-Time": [
│             "112"
│         ],
│         "X-Request-Id": [
│             "21b6e616-4128-4262-afa3-db77a56942a9"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "forbidden",
│                 "details": "Reason: Access check for action 'iam-identity.serviceid.get' for subject 'IBMid-0000000' for resource 'ServiceId-6bf7af4e-6f07-4894-ab72-ff539dfb951a' was denied due to lack of access policy. Outbound transaction id 'anE4ajk-ba9222f9bfff491ca3291cde4d7a2431-001'.",
│                 "message": "You are not authorized to use this API.",
│                 "message_code": "BXNIM0513E"
│             }
│         ],
│         "status_code": 403,
│         "trace": "anE4ajk-ba9222f9bfff491ca3291cde4d7a2431"
│     },
│     "RawResult": null
│ }
│
│
│   with ibm_iam_access_group_members.access_group_member,
│   on main.tf line 32, in resource "ibm_iam_access_group_members" "access_group_member":
│   32: resource "ibm_iam_access_group_members" "access_group_member" {

Panic Output

N/A

Expected Behavior

I should be able to add access to a service id that exists in another account. It is currently possible to do so via the API directly, but terraform blocks this by first trying to read the serviceId.

Example API request to create policy

curl -X PUT --location --header "Authorization: Bearer {ACCESS_TOKEN}" --header "Accept: application/json" --header "Content-Type: application/json" --data '{ "members": [ { "iam_id": "iam-ServiceId-6bf7af4e-6f07-4894-ab72-ff539dfb951a", "type": "service" } ] }' "https://iam.cloud.ibm.com/v2/groups/AccessGroupId-d7708df4-9be4-4462-80e4-837039e37db6/members"

Actual Behavior

I received an error : "Getting Service Ids You are not authorized to use this API"

Steps to Reproduce

Get an API_KEY with the right permisssions

1. terraform apply -var "ibmcloud_api_key={IBM_CLOUD_API_KEY}"

Important Factoids

No

This may be considered a bug or a feature request. Perhaps the we keep the existing behaviour but we provide the option in the terraform to disable the check to validate the service id

resource "ibm_iam_access_group_members" "access_group_member" {
  access_group_id = ibm_iam_access_group.access_group.id
  iam_service_ids = ["ServiceId-6bf7af4e-6f07-4894-ab72-ff539dfb951a"]
  validate_member_presence = false
}

References

• #0000

[paripooranan]

I too would be interested in something like this - but not sure if this is supported in IBM Cloud.
Right now, we assign service id to a trusted profile in another account, then use that to access resources. It works well but its a lot of extra steps