We have recently migrated our Genesys Cloud instance to enforce SAML SSO for all user logins. The migration was successful for the end-users, but our CI/CD pipelines are now failing during the Terraform initialization phase. The genesyscloud provider uses the Client Credentials grant type to authenticate via an OAuth application, which we expected to remain functional regardless of SSO settings.
However, when the pipeline runs terraform plan, the provider throws a 403 Forbidden error when attempting to fetch the initial token or validate the scope. The error log points to the /oauth/token endpoint.
Here is the relevant configuration in our main.tf:
terraform {
  required_providers {
    genesyscloud = {
      source  = "mypurecloud/genesyscloud"
      version = "~> 1.0.0"
    }
  }
}

provider "genesyscloud" {
  base_url      = "https://api.mypurecloud.com"
  client_id     = var.genesys_client_id
  client_secret = var.genesys_client_secret
  grant_type    = "client_credentials"
}
The variables are populated correctly from our secret manager. We verified the OAuth application exists and has the admin scope. The issue seems to be that the SAML enforcement is somehow blocking programmatic access or invalidating the client credentials flow.
Is there a specific configuration step required on the OAuth application side to whitelist it against the SAML policy? Or do we need to switch to a different grant type for CI/CD usage when SSO is active? We’ve checked the admin console settings but nothing stands out as obviously restricting API access.
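To separate a Terraform/provider problem from an OAuth client problem, the client credentials exchange can be reproduced directly against the token endpoint and the raw error body inspected. The script below is an added example, not from the question or the provider; it assumes the login host paired with api.mypurecloud.com is login.mypurecloud.com and reads the credentials from the environment variable names GENESYS_CLIENT_ID and GENESYS_CLIENT_SECRET (both names chosen here).

```python
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# Assumed login host for the api.mypurecloud.com region.
TOKEN_URL = "https://login.mypurecloud.com/oauth/token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """HTTP Basic value for the client_credentials grant: base64(id:secret)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify(status: int, body: str) -> str:
    """Turn the token endpoint's status and JSON body into a short diagnosis."""
    if status == 200:
        return "ok"
    try:
        err = json.loads(body)
    except ValueError:
        err = {}
    detail = err.get("error_description") or err.get("message") or body.strip()
    if status == 401:
        return "unauthorized (401): " + detail
    if status == 403:
        return "forbidden (403): " + detail
    return f"unexpected HTTP {status}: {detail}"


def request_token(client_id: str, client_secret: str, url: str = TOKEN_URL) -> str:
    """POST grant_type=client_credentials and report what the endpoint answered."""
    data = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        # 4xx/5xx replies arrive here; the body carries error_description.
        return classify(exc.code, exc.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    cid = os.environ["GENESYS_CLIENT_ID"]
    secret = os.environ["GENESYS_CLIENT_SECRET"]
    print(request_token(cid, secret))
```

Run it from the same CI runner with the same secrets the pipeline uses: a 403 here too means the pipeline's client, not the provider, is being rejected, and the error_description names the reason.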