We recently enforced SAML SSO across our Genesys Cloud organization to meet security compliance. The change works fine for human users logging into the UI, but our Terraform CX-as-Code pipeline broke immediately after the switch. The provider relies on client credentials flow to authenticate API calls for resource provisioning.
The error occurs during the initial handshake when Terraform attempts to fetch an access token. We are using the standard genesyscloud provider with a service account. The logs show a 401 Unauthorized response from the /oauth/token endpoint. The response body indicates that the client credentials are invalid or the grant type is not supported for this client.
Here is the relevant configuration block in our Terraform file:
terraform {
  required_providers {
    genesyscloud = { source = "mypurecloud/genesyscloud" }
  }
}
provider "genesyscloud" {
  aws_region         = "us-east-1"               # provider argument is aws_region, not region
  oauthclient_id     = var.genesis_client_id     # provider arguments are oauthclient_id / oauthclient_secret
  oauthclient_secret = var.genesis_client_secret # declare both variables with sensitive = true
}
We verified that the OAuth client still exists and has the correct scopes. The SAML enforcement seems to have disabled the client credentials flow for this specific client, or perhaps we need to configure a different grant type. Is there a specific API call or Terraform resource required to whitelist the service account for programmatic access while keeping SAML active for human logins? We need to restore the CI/CD pipeline without reverting the SAML policy.
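An added check for the situation described above (example code, not from the post or from the Genesys provider): reproducing the client-credentials handshake against /oauth/token outside Terraform separates a provider-configuration problem from an OAuth-client problem, and it classifies the reply using the standard RFC 6749 error codes rather than the opaque 401. It assumes that the login host for aws_region us-east-1 is login.mypurecloud.com and that the client id and secret are supplied in the same environment variables the Terraform provider reads, GENESYSCLOUD_OAUTHCLIENT_ID and GENESYSCLOUD_OAUTHCLIENT_SECRET; the response bodies in the usage notes are constructed.

```python
"""Reproduce the Genesys Cloud client-credentials handshake outside Terraform.

Added example, not the original post's code. Assumptions (verify against
your org): the login host for aws_region us-east-1 is login.mypurecloud.com,
the token endpoint is /oauth/token, and the client id/secret arrive in the
environment variables the Terraform provider reads,
GENESYSCLOUD_OAUTHCLIENT_ID and GENESYSCLOUD_OAUTHCLIENT_SECRET.
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

# Login host per Genesys Cloud region: assumption, extend for your region.
LOGIN_HOSTS = {"us-east-1": "login.mypurecloud.com"}


def build_token_request(region, client_id, client_secret):
    """Return (url, headers, body) for an RFC 6749 client-credentials grant.

    Credentials travel in an HTTP Basic header, never in the URL or the logs.
    """
    host = LOGIN_HOSTS[region]
    url = f"https://{host}/oauth/token"
    raw = f"{client_id}:{client_secret}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"})
    return url, headers, body


def classify_token_response(status, body_text):
    """Map the token endpoint's reply to a diagnosis string.

    Error codes are the standard RFC 6749 values: 'invalid_client' points at
    the id/secret or a client that no longer exists, 'unsupported_grant_type'
    at the grant type configured on the client, 'unauthorized_client' at the
    client not being allowed to use this grant.
    """
    try:
        payload = json.loads(body_text)
    except ValueError:
        payload = {}
    if status == 200 and "access_token" in payload:
        return "ok: token issued, look at the Terraform provider configuration instead"
    err = payload.get("error", "")
    if err == "invalid_client":
        return "invalid_client: check the client id/secret and that the client still exists"
    if err == "unsupported_grant_type":
        return "unsupported_grant_type: client is not configured for the Client Credentials grant"
    if err == "unauthorized_client":
        return "unauthorized_client: client is not permitted to use this grant"
    return f"unexpected: HTTP {status} {err or body_text[:80]!r}"


def request_token(region, client_id, client_secret, timeout=10):
    """Perform the handshake and return (status, body_text); needs network access."""
    url, headers, body = build_token_request(region, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


if __name__ == "__main__":
    cid = os.environ.get("GENESYSCLOUD_OAUTHCLIENT_ID")
    secret = os.environ.get("GENESYSCLOUD_OAUTHCLIENT_SECRET")
    if not cid or not secret:
        sys.exit("set GENESYSCLOUD_OAUTHCLIENT_ID and GENESYSCLOUD_OAUTHCLIENT_SECRET")
    status, text = request_token("us-east-1", cid, secret)
    # Print only the diagnosis: a successful body contains the bearer token.
    print(classify_token_response(status, text))
```

Run it from the same CI environment as Terraform so the network path and egress controls match. If this script obtains a token while Terraform still gets a 401, the fault is in the provider block or the variables it is fed; if the script also gets invalid_client or unsupported_grant_type, the OAuth client itself needs attention in the Genesys Cloud admin UI, independent of SAML.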