SIP Trunk 403 Forbidden on Terraform Apply

Could someone explain why genesyscloud_sip_trunk returns 403 Forbidden during terraform apply? Provider v1.12.0. Auth seems fine for other resources. The error points to missing telephony:trunk:write scope, but the org role has it. Link to SIP Trunk Docs mentions rate limits, but this is immediate. Running in Sydney region. Is this a known provider bug or scope propagation delay?

Ah, this is a recognized issue… The 403 error usually stems from the payload structure not matching the strict Genesys schema for intent definitions.

Cause:
The /v2/analytics/conversat…

Wait, hold on. But I see this pattern a lot with our scheduling API calls. If the org role has the scope, the issue is often the Service Account token configuration in Terraform.

Solution:
Check your genesyscloud provider block. Ensure you are using client_id and client_secret explicitly, not relying on environment variables that might be stale. Also, verify the Service Account actually has the Telephony Administrator role assigned directly, not just through a group membership that hasn’t propagated.

provider "genesyscloud" {
  region        = "sydney"
  client_id     = var.gc_client_id
  client_secret = var.gc_client_secret
  base_url      = "https://api.genesys.cloud"
}

If the token is fresh, try adding a depends_on to the SIP trunk resource to ensure the underlying telephony provider is fully provisioned before the trunk attempts to bind. This usually happens because the backend service isn’t ready to accept the trunk registration even if the API auth succeeds.

Also, check the audit logs for the specific Service Account. Sometimes the rate limit error masks the real permission error. If the audit log shows a 403 immediately, it’s a scope issue. If it shows a 429 or 503, it’s a backend readiness issue.

Try rotating the token and re-running terraform plan. If it still fails, check the Service Account’s role assignments in the Admin UI. Make sure the role is active and not just pending approval. This usually fixes the immediate 403.

This looks like a scope propagation delay rather than a config error.

  • Verify the service account has telephony:trunk:write explicitly assigned, not just inherited.
  • Check if the region endpoint matches the token issuance region.
  • Retry after 5 minutes if the role was just updated.
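Putting the two diagnostics from this thread together (an immediate 403 pointing at a scope problem versus a 429/503 pointing at backend readiness, plus the token-region versus API-region check) as a small offline triage helper. This is an added example, not code from the thread or from the Genesys Cloud provider; the login/API hostnames for the Sydney region and the shape of the error body are assumptions, and the sample responses are constructed.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Permission named in the 403 from the question.
REQUIRED_PERMISSION = "telephony:trunk:write"


@dataclass
class ApiResponse:
    """Minimal stand-in for an HTTP response (status, headers, JSON body)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


def region_domain(url: str) -> str:
    """Strip the first label: 'https://login.mypurecloud.com.au/x' -> 'mypurecloud.com.au'."""
    host = (urlparse(url).hostname or "").lower()
    return host.split(".", 1)[1] if "." in host else host


def triage(resp: ApiResponse, token_issuer_url: str, api_base_url: str) -> dict:
    """Classify a failed call the way the answers above suggest."""
    token_region, api_region = region_domain(token_issuer_url), region_domain(api_base_url)
    if token_region != api_region:
        # Token minted in one region, API called in another: fix before reading the status.
        return {"verdict": "region-mismatch", "token_region": token_region, "api_region": api_region}
    if resp.status == 403:
        # Immediate 403 -> scope/role problem on the OAuth client, not readiness.
        message = str(resp.body.get("message", ""))
        return {"verdict": "scope", "permission_named": REQUIRED_PERMISSION in message}
    if resp.status in (429, 503):
        # Backend not ready / throttled: honour Retry-After, else the thread's 5-minute suggestion.
        headers = {k.lower(): v for k, v in resp.headers.items()}
        return {"verdict": "backend-readiness", "retry_after_s": int(headers.get("retry-after", "300"))}
    if 200 <= resp.status < 300:
        return {"verdict": "ok"}
    return {"verdict": "other", "status": resp.status}


# Constructed sample responses (not real API output).
SAMPLE_403 = ApiResponse(403, {}, {"message": "Missing permission: telephony:trunk:write"})
SAMPLE_429 = ApiResponse(429, {"Retry-After": "30"}, {"message": "Rate limit exceeded"})
SAMPLE_503 = ApiResponse(503, {}, {"message": "Service unavailable"})

# Assumed Sydney-region hostnames.
SYDNEY_LOGIN = "https://login.mypurecloud.com.au/oauth/token"
SYDNEY_API = "https://api.mypurecloud.com.au"

if __name__ == "__main__":
    for sample in (SAMPLE_403, SAMPLE_429, SAMPLE_503):
        print(sample.status, triage(sample, SYDNEY_LOGIN, SYDNEY_API))
```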

Check SIP Trunk API docs for region-specific requirements.