Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Super api keys do not work unless they are resaved in the ui #126

Closed
lingwooc opened this issue Apr 11, 2022 · 3 comments
Closed

Super api keys do not work unless they are resaved in the ui #126

lingwooc opened this issue Apr 11, 2022 · 3 comments

Comments

@lingwooc
Copy link

lingwooc commented Apr 11, 2022
edited
Loading

I'm not sure if this is an issue with this project or just fusionauth itself. This is with provider 0.1.67 and fusionauth 1.36.0.

If you create an api key like this:

resource "fusionauth_api_key" "key_name" {
  description = "some description"
  key         = xxxxxxxxxx
}

You will get an api key that does not work and always gives a 401. The fusionauth documentation suggests "An Empty permissions object mean that this is a super key that authorizes this key for all the endpoints." https://fusionauth.io/docs/v1/tech/apis/api-keys#create-an-api-key

If you request the api key using the api:

{
    "apiKey": {
        "id": "xxxxxxxxxxxxxxxx
        "insertInstant": 1000000000,
        "key": "xxxxxxxxxxxx",
        "keyManager": false,
        "lastUpdateInstant": 1000000000,
        "metaData": {
            "attributes": {
                "description": "xxxxxxxxxx"
            }
        },
        "permissions": {}
    }
}

The problem is the existance of the "permissions": {} key. If you edit the api key in the front end and resave (no changes) the "permissions": {} part disappears and the api key starts working.

Also the documentation is a bit mangled after about here permissions_endpoints
https://registry.terraform.io/providers/gpsinsight/fusionauth/latest/docs/resources/api_key
@lingwooc lingwooc mentioned this issue Apr 11, 2022
Open
@lingwooc
Copy link
Author

I think this is an issue from the fusion go client. I've added a bit more detail in the fusion-issues issue. In any case the documentation needs fettling, the notes in the source are closer to reality.

@Aaron-Ritter
Copy link

This issue is still valid with 0.1.103 in combination with fusionauth 1.49.2. I experience the exact same problem every time applying.

@TomKimber
Copy link
Collaborator

This specific issue has been resolved as part of the V0.2.0 release (https://github.com/FusionAuth/terraform-provider-fusionauth/releases/tag/v0.2.0) however there is still a need to resave manually via the UI in cases were you're creating "super API keys" unfortunately.

The reason for this is that the FusionAuth API does not allow for granting the Key Manager permission via the API, it must be done via the UI. The documentation says "For security purposes, the Key manager setting may be modified only using the administrative user interface or Kickstart. It can’t be changed using this API." (https://fusionauth.io/docs/apis/api-keys#the-key-manager-setting) In the Terraform provider this means that you can create a Super API Key but you'll receive a 401 on the subsequent plan/apply as without Key Manager enabled you're not able to subsequently retrieve/update the API Key you've created.

Without the ability to set Key Manager on create in the API, which will not be allowed due to the security implications, this one time UI step of granting Key Manager on the API Key will always be required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@TomKimber @lingwooc @Aaron-Ritter