
Error: UNAUTHORIZED - Invalid token, audience #1135

Closed
piotrminkina opened this issue Nov 21, 2024 · 8 comments · Fixed by #1136
Labels
bug Something isn't working

Comments

@piotrminkina

piotrminkina commented Nov 21, 2024

Describe the bug
For unknown reasons, your provider is querying the API as anonymous. In my case this happens for a resource of type artifactory_user. The terraform plan command ends with this error for a single resource of type artifactory_user:

╷
│ Error: Unable to Refresh Resource
│ 
│   with artifactory_user.admin,
│   on security_users.tf line 17, in resource "artifactory_user" "admin":
│   17: resource "artifactory_user" "admin" {
│ 
│ An unexpected error occurred while attempting to refresh resource state.
│ Please retry the operation or report this issue to the provider developers.
│ 
│ Error: UNAUTHORIZED - Invalid token, audience

In the artifactory access log, I see that the provider queried these resources as anonymous, which does not happen with other requests to the API.

2024-11-21T15:41:12.808Z|30f5f52ed57c5919:752c17aed0abe7e5:4f255bd16c78e94a:0|10.0.4.133|anonymous|GET|/access/api/v2/users/admin|401|97|-1|5|jfrog/terraform-provider-artifactory/12.5.0
[...]
2024-11-21T15:41:12.774Z|7103c53779f25e7e|10.0.4.1|admin|GET|/api/system/version|200|-1|1043|3|jfrog/terraform-provider-artifactory/12.5.0
2024-11-21T15:41:12.777Z|6296967fdb63d851|10.0.4.1|admin|POST|/api/system/usage|200|133|0|1|jfrog/terraform-provider-artifactory/12.5.0
[...]
2024-11-21T15:41:12.799Z|6fc73505ec37ebb4|10.0.4.1|admin|GET|/api/repositories/npm-snapshot-local|200|-1|1786|2|jfrog/terraform-provider-artifactory/12.5.0
2024-11-21T15:41:12.803Z|e8c8ad898f1377e3|10.0.4.1|admin|GET|/api/security/keypair/artifactory-rsa|200|-1|590|5|jfrog/terraform-provider-artifactory/12.5.0
[...]
2024-11-21T15:41:12.807Z|4439e0b99e3b275e|10.0.4.1|admin|GET|/api/repositories/helm-snapshot-local|200|-1|1792|4|jfrog/terraform-provider-artifactory/12.5.0
[...]

This is an example configuration:

terraform {
  backend "http" {}
  required_version = "~> 1.9.8"
  required_providers {
    artifactory = {
      source  = "jfrog/artifactory"
      version = "~> 12.5.0"
    }
    platform = {
      source  = "jfrog/platform"
      version = "~> 1.18.0"
    }
  }
}

provider "artifactory" {
  url          = var.artifactory_url
  access_token = var.artifactory_access_token
}

provider "platform" {
  url          = var.artifactory_url
  access_token = var.artifactory_access_token
}

resource "artifactory_user" "admin" {
  name              = "admin"
  email             = "example.com"
  admin             = true
  disable_ui_access = false
}

The above resources are part of a Terraform state previously managed in Artifactory 7.47.10 by Terraform 1.2.9 and provider 6.20.2.

Expected behavior
Manage artifactory_user resources properly :)

Additional context

  • Artifactory 7.98.8
  • Terraform 1.9.8 Linux AMD64 (same problem with 1.2.6)
  • Provider 12.5.0 (this particular bug does not occur in versions 6.20.2, 6.37.0, 7.11.2, 8.9.1, 9.9.2, 10.2.0, 10.3.0 and 10.3.1, but occurs in versions 10.3.2, 10.3.3 and probably later versions)
@piotrminkina piotrminkina added the bug Something isn't working label Nov 21, 2024
@alexhung
Member

@piotrminkina Very odd. The provider uses the same HTTP client for all resources so the authentication should be the same. We have not seen this issue in our acceptance tests.

Can you verify this error still occurs when creating a new artifactory_user resource (vs. a state migrated from a previous version of the provider)?

@alexhung alexhung added the question Further information is requested label Nov 21, 2024
@piotrminkina
Author

@alexhung No problems with a new resource. The problem is with the currently existing resource.

  # artifactory_user.new_admin will be created
  + resource "artifactory_user" "new_admin" {
      + admin                      = true
      + disable_ui_access          = false
      + email                      = "[email protected]"
      + id                         = (known after apply)
      + internal_password_disabled = false
      + name                       = "new_admin"
      + profile_updatable          = true
    }
[...]
╷
│ Error: Unable to Refresh Resource
│ 
│   with artifactory_user.admin,
│   on security_users.tf line 17, in resource "artifactory_user" "admin":
│   17: resource "artifactory_user" "admin" {
│ 
│ An unexpected error occurred while attempting to refresh resource state.
│ Please retry the operation or report this issue to the provider developers.
│ 
│ Error: 
│ 401 GET http://10-0-4-1.artifactory-l.sslip.io/access/api/v2/users/admin
│ {
│   "errors" : [ {
│     "code" : "UNAUTHORIZED",
│     "message" : "Invalid token, audience"
│   } ]
│ }
╵

The above results are for the following code and version 10.3.2 of the Artifactory provider:

resource "artifactory_user" "admin" {
  name              = "admin"
  email             = "[email protected]"
  admin             = true
  disable_ui_access = false
}

resource "artifactory_user" "new_admin" {
  name              = "new_admin"
  email             = "[email protected]"
  admin             = true
  disable_ui_access = false
}

@piotrminkina
Author

Strange problem. It also occurs when trying to create a resource of type artifactory_ldap_setting_v2, but there the error occurs only during terraform apply, while for artifactory_user it already occurs when running the terraform plan command.

│ Error: Unable to Create Resource
│ 
│   with artifactory_ldap_setting_v2.ldapkat_users,
│   on security_ldap.tf line 1, in resource "artifactory_ldap_setting_v2" "ldapkat_users":
│    1: resource "artifactory_ldap_setting_v2" "ldapkat_users" {
│ 
│ An unexpected error occurred while creating the resource update request.
│ Please report this issue to the provider developers.
│ 
│ Error: 
│ 401 POST
│ http://10-0-4-1.artifactory-l.sslip.io/access/api/v1/ldap/settings/
│ {
│   "errors" : [ {
│     "code" : "UNAUTHORIZED",
│     "message" : "Invalid token, audience"
│   } ]
│ }
╵

With the following access log entry:

2024-11-22T16:06:21.411Z|4ab6f17c94de278c:587a5838f4e4d6d5:1629b8df1a2270b8:0|10.0.4.133|anonymous|POST|/access/api/v1/ldap/settings/|401|97|508|28|jfrog/terraform-provider-artifactory/10.3.1

In the previous configuration, I was using resource type artifactory_ldap_setting, but after upgrading Artifactory to version 7.98.8 from version 7.47.10 and the provider to version 12.5.0 from version 6.20.2, the terraform plan command started showing me the following message:

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:

  # artifactory_ldap_setting.ldapkat_users has been deleted
  - resource "artifactory_ldap_setting" "ldapkat_users" {
        id                           = "ldapkat-users"
      - key                          = "ldapkat-users" -> null
        # (13 unchanged attributes hidden)
    }


Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

At this point, I decided to manually remove the LDAP configuration from the Artifactory admin panel. I removed the configuration for users and groups. I then ran terraform plan and terraform apply, but the same error still occurs when trying to apply LDAP settings.

@alexhung
Member

@piotrminkina I think this may be related to a bug in the HTTP client we use. A patch came out yesterday, so I'll see if updating to the latest, patched version resolves this issue.

@alexhung alexhung removed the question Further information is requested label Nov 22, 2024
alexhung added a commit that referenced this issue Nov 22, 2024
@alexhung
Member

@piotrminkina I've just released v12.5.1. Let me know if you are still experiencing this issue.

@piotrminkina
Author

@alexhung After updating the provider to version 12.5.1, unfortunately, the problem persists. I do not see any improvement in the results of the terraform plan command. The artifactory_user resource still sends requests to the Artifactory API as anonymous, while the other resources correctly query the API as admin.

I did some digging in the TRACE logs from the terraform plan and noticed a few tidbits (actually, what I noticed can also be seen in the access logs, but I didn't pay attention to it before).

Management of users and LDAP settings is done on the /access/api/ endpoint (which is what I have a problem with), while management of repositories, etc. is done on the /artifactory/api/ endpoint. This must have changed in version 10.3.2 of the provider, because since that version inclusive I am experiencing this problem. For Terraform, I generate an access token for myself by making a request to /ui/api/v1/system/security/token?services[]=artifactory. I used this token and made GET requests to Artifactory myself using curl, and the results are the same as in Terraform:

$ curl -H "Authorization: Bearer $(cat build/getAccessKey/token.txt)" http://10-0-4-1.artifactory-l.sslip.io/access/api/v2/users/admin

{
  "errors" : [ {
    "code" : "UNAUTHORIZED",
    "message" : "Invalid token, audience"
  } ]
}

$ curl -H "Authorization: Bearer $(cat build/getAccessKey/token.txt)" http://10-0-4-1.artifactory-l.sslip.io/artifactory/api/repositories/helm-release-local

{
  "key" : "helm-release-local",
  "packageType" : "helm",
[...]
}

It seems that the problem is not the Artifactory provider, but the way I get the token from Artifactory. So I changed the script blindly by adding &services[]=access to the token request, re-ran the above query to /access/api/v2/users/admin, and voilà:

curl -H "Authorization: Bearer $(cat build/getAccessKey/token.txt)" http://10-0-4-1.artifactory-l.sslip.io/access/api/v2/users/admin
{
  "username" : "admin",
[...]
}

I'll be honest, I didn't expect that when requesting an Artifactory access token, I have to provide two service names. Even the Web UI of Artifactory gives the option to select only one service from the list, that is, no Access service in the list:

[Image: screenshot of the Artifactory Web UI token service selection]

In any case, after generating the correct token, terraform plan now passes the problematic steps without problem, but the process ends with an error that is a little incomprehensible to me.

╷
│ Error: artifactory_permission_target deprecated. Use platform_permission instead
│ 
│   with artifactory_permission_target.anything,
│   on security_permissions.tf line 1, in resource "artifactory_permission_target" "anything":
│    1: resource "artifactory_permission_target" "anything" {
│ 
╵

If a feature is deprecated, it should still be available, but prepared to be extinguished. Here, however, the process ends with an error. Is this behavior intentional?
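
The 401 above comes from a token whose audience does not include the Access service, which fronts /access/api/. As an added example (not part of this thread or of the JFrog provider), the Python below decodes a token's payload without verifying it and reports which service audiences are missing; it assumes JFrog's aud claim lists service ids of the form type@id (jfrt for Artifactory, jfac for Access, *@* for any service), either as a space-separated string or as a list, and the sample tokens are constructed.

```python
import base64
import json

# Service-type prefixes in JFrog service ids (assumption: "jfrt@<id>" is
# Artifactory, "jfac@<id>" is Access, and "*@*" matches every service).
ARTIFACTORY = "jfrt"
ACCESS = "jfac"

def decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a JWT. No signature check: this is
    for inspecting a token you already hold, not for trusting one."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_covers(aud, service_type: str) -> bool:
    """True if the aud claim admits the given service type."""
    entries = aud.split() if isinstance(aud, str) else list(aud)
    for entry in entries:
        prefix = entry.partition("@")[0]
        if prefix in ("*", service_type):
            return True
    return False

def missing_audiences(token: str, required=(ARTIFACTORY, ACCESS)) -> list:
    """Service types the token cannot talk to; an empty list means it is
    usable against both /artifactory/api and /access/api endpoints."""
    aud = decode_jwt_payload(token).get("aud", "")
    return [s for s in required if not audience_covers(aud, s)]

def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample JWT (constructed for this example; the
    signature segment is a placeholder, not a real signature)."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.placeholder"

# Constructed tokens mirroring the thread: services[]=artifactory only,
# versus services[]=artifactory&services[]=access.
ARTIFACTORY_ONLY = make_sample_token({"sub": "admin", "aud": "jfrt@x"})
BOTH_SERVICES = make_sample_token({"sub": "admin", "aud": "jfrt@x jfac@x"})
```

Running missing_audiences on a token before handing it to the provider turns the anonymous 401 in the access log into a clear "token lacks jfac audience" check at token-generation time.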

@alexhung
Member

For Terraform, I generate myself an access token by making a request to /ui/api/v1/system/security/token?services[]=artifactory

@piotrminkina Using the UI API is not a recommended practice. It is not public and thus there are no guarantees it will be stable. If you wish to generate an access token using the REST API, you should use the Access API: https://jfrog.com/help/r/jfrog-rest-apis/create-token This API allows you to generate an access token with varying scopes and audiences.

As for the artifactory_permission_target resource no longer being available, it was deprecated earlier, back in May this year with v10.3.1. Then, when we incremented the provider version to v12 in September, we removed the code per Terraform guidelines. (Looks like I missed including this in the v12.0.0 changelog.)

From your original message, it looks like you are upgrading from v6.20.2? If so, you may have missed/bypassed the deprecation period between May and September this year.

Regardless, you will need to migrate your permission target resources to the new platform_permission resource.

@piotrminkina
Author

@alexhung I apologize for the confusion, as it turned out that the problem was in my environment. Thank you for your time and good advice. Regards.
