Can’t quite understand why the deployment pipeline fails with a 403 Forbidden error when provisioning custom security roles via the Genesys Cloud Terraform Provider. The service account used in GitHub Actions has Admin permissions. Standard user creation works fine. The issue is isolated to genesyscloud_security_role resources.
Environment:
- Region: AU-1 BYOC
- Provider: HashiCorp Genesys Cloud v1.22.0
- Terraform: v1.5.7
- CI: GitHub Actions (ubuntu-latest)
The HCL definition is straightforward. It attempts to assign specific permissions to a new role. The API response indicates insufficient privileges, despite the token being valid for other admin operations.
```hcl
resource "genesyscloud_security_role" "custom_analyst" {
  name        = "Custom Analyst Role"
  description = "Role for custom analytics reporting access"
  permission_ids = [
    "analytics:report:view",
    "analytics:report:export"
  ]
}
```
Error log from terraform apply:
Error: Error creating security role: 403 Forbidden
Response body: {"errors":[{"code":"forbidden","message":"Insufficient permissions to create security role"}]}
Checked the documentation regarding BYOC restrictions. It states:
“In BYOC environments, certain system roles and permissions are managed by the customer’s identity provider. Terraform operations on these resources may require specific scopes or elevated privileges beyond standard Admin rights.”
The service account is configured with the admin scope. Is there a specific permission set or scope required for role provisioning in AU-1 BYOC that is not covered by the standard admin role? Or is this a known limitation with the current provider version on this region?
Debug logs show the request hitting the correct endpoint /api/v2/security/roles. The token is refreshed successfully before the call. No network latency issues detected.
Any insights on the required permissions or a workaround for this 403 error during automated deployments would be appreciated. The manual UI creation of the role works without issues for the same user.
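A pre-flight check the pipeline can run before `terraform apply`, as an added example that is not part of the original post or the Genesys Cloud provider: it compares the permissions the CI token actually carries against the ones the role resource needs, so a missing permission is named up front instead of surfacing as a bare 403 mid-apply. The `/api/v2/users/me?expand=authorization` response shape, the `authorization:role:add`/`authorization:role:view` permission names and the `GENESYS_API_URL`/`GENESYS_TOKEN` environment variables are assumptions to verify against the Genesys Cloud API reference; the sample payload is constructed.

```python
"""Pre-flight permission check for a Genesys Cloud CI service account."""
import json
import os
import urllib.request

# Assumption: creating/reading roles needs these permissions on the
# authorization domain (verify against the Genesys Cloud permission list).
REQUIRED_FOR_ROLE_CREATE = ["authorization:role:add", "authorization:role:view"]

# Constructed sample of a users/me?expand=authorization response for a
# service account that can manage users and analytics but not roles.
SAMPLE_AUTHORIZATION = {
    "authorization": {
        "roles": [{"name": "admin"}],
        "permissions": ["directory:user:add", "directory:*:view", "analytics:*:*"],
    }
}


def granted_permissions(payload: dict) -> set:
    """Flatten the permission strings out of the authorization payload."""
    return set(payload.get("authorization", {}).get("permissions", []))


def is_granted(required: str, granted: set) -> bool:
    """Match a domain:entity:action string against granted entries, treating
    '*' as a wildcard for one segment only (so 'directory:*:view' covers
    'directory:user:view' but a bare 'directory:*' does not)."""
    req = required.split(":")
    for pattern in granted:
        pat = pattern.split(":")
        if len(pat) == len(req) and all(p in ("*", r) for p, r in zip(pat, req)):
            return True
    return False


def missing_permissions(required: list, payload: dict) -> list:
    """Return the required permissions the token does not carry, in order."""
    granted = granted_permissions(payload)
    return [perm for perm in required if not is_granted(perm, granted)]


def fetch_authorization(base_url: str, token: str) -> dict:
    """Fetch the caller's effective permissions (assumed endpoint and shape)."""
    req = urllib.request.Request(
        f"{base_url}/api/v2/users/me?expand=authorization",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":  # live check; prints what a 403 would otherwise hide
    live = fetch_authorization(os.environ["GENESYS_API_URL"], os.environ["GENESYS_TOKEN"])
    print("missing:", missing_permissions(REQUIRED_FOR_ROLE_CREATE, live))
```

Failing the job when the returned list is non-empty keeps the 403 out of the apply stage and gives the identity team the exact permission to add to the service account.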