Setting up a CI/CD pipeline with GitHub Actions. Want terraform plan on PR and apply on merge. The plan step fails because the provider can’t authenticate.
```
Error: InvalidProviderConfiguration
The provider "nicecxone" requires a valid OAuth token.
```
The OIDC token from GitHub seems valid, but the nicecxone provider doesn’t support OIDC directly like AWS. How do I inject the token into the plan step securely without storing secrets in the repo? We’re using the official provider v1.2.
The NICE CXone Terraform provider doesn’t handle OIDC natively, so trying to pass a GitHub OIDC token directly into the provider config is going to fail. You need an intermediate step to exchange that token for a Genesys Cloud access token.
Here’s a working pattern using a GitHub Action to fetch the token before Terraform runs:
```yaml
- name: Fetch Genesys Cloud Token
  id: get-token
  uses: genesyscloud/genesys-cloud-oidc-token-action@v1
  with:
    organizationId: ${{ secrets.GENESYS_ORG_ID }}
    clientId: ${{ secrets.GENESYS_CLIENT_ID }}
    clientSecret: ${{ secrets.GENESYS_CLIENT_SECRET }}
    scopes: "admin:platform"

- name: Terraform Plan
  env:
    # token from the previous step, passed through the job environment only
    NICECXONE_OAUTH_TOKEN: ${{ steps.get-token.outputs.access_token }}
  run: |
    terraform init
    terraform plan -out=tfplan
```
Make sure your GitHub secret GENESYS_CLIENT_SECRET is scoped correctly. The action handles the OAuth2 client credentials flow, so you just pipe the resulting token into the NICECXONE_OAUTH_TOKEN env var. This keeps the secret out of the Terraform state file.
One thing to watch for is token expiration. The default Genesys token lasts an hour, which is usually fine for a plan, but if your pipeline hangs, it’ll fail. You might want to add retry logic or a shorter timeout in your workflow.
Also, check that your client has the admin:platform scope. Without it, the token won’t have permission to read infrastructure resources, and the plan will error out with a 403 instead of an auth error. It’s a subtle difference that costs a lot of debugging time.
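The pieces the answer above describes in prose (the client-credentials exchange, handing the token to Terraform without writing it to the repo, the one-hour lifetime, and the 401-versus-403 distinction) as one added example. This is not code from the original post and not the NICE CXone or Genesys provider's own code; the token endpoint URL, the scope string, the JSON response shape and the `fake_post` stub are assumptions made for illustration, not documented values of either product.

```python
import base64
import io
import json
import sys
import time
import urllib.parse
import urllib.request

# Hypothetical endpoint and scope: placeholders, not the provider's documented values.
TOKEN_URL = "https://login.example.invalid/oauth/token"
SCOPE = "admin:platform"
ENV_VAR = "NICECXONE_OAUTH_TOKEN"   # env var name the answer above feeds to terraform


def post_form(url, fields, client_id, client_secret):
    """Real transport: form-encoded POST with the client authenticated via HTTP Basic."""
    body = urllib.parse.urlencode(fields).encode()
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def exchange_client_credentials(client_id, client_secret, scope=SCOPE,
                                post=post_form, now=time.time):
    """OAuth2 client-credentials grant (RFC 6749 section 4.4).
    Returns (access_token, expires_at_epoch_seconds)."""
    data = post(TOKEN_URL, {"grant_type": "client_credentials", "scope": scope},
                client_id, client_secret)
    token = data.get("access_token")
    if not token or str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("token endpoint did not return a bearer access_token")
    return token, now() + int(data.get("expires_in", 0))


def lifetime_ok(expires_at, needed_seconds, now=time.time, margin=60):
    """True if the token outlives the expected plan/apply duration plus a margin;
    the answer's point is that a hung pipeline can outrun a one-hour token."""
    return expires_at - now() >= needed_seconds + margin


def hand_to_terraform(token, log, env_file, var=ENV_VAR):
    """Mask the token in the Actions log, then export it through GITHUB_ENV.
    `log` stands for stdout and `env_file` for the $GITHUB_ENV file, so the
    secret is never echoed in clear and never lands in the repo or in state."""
    log.write(f"::add-mask::{token}\n")   # runner redacts the value from here on
    env_file.write(f"{var}={token}\n")    # visible to later steps of the same job
    return var


def classify_provider_error(http_status):
    """The two failures the answer distinguishes: auth versus scope."""
    if http_status == 401:
        return "unauthenticated: token missing, expired or rejected"
    if http_status == 403:
        return "authenticated but missing scope (check admin:platform)"
    return "other"


# Constructed stub standing in for the token endpoint so the example runs offline.
def fake_post(url, fields, client_id, client_secret):
    assert fields["grant_type"] == "client_credentials"
    return {"access_token": "tok_abc123", "token_type": "Bearer", "expires_in": 3600}


def fetch_step(client_id, client_secret, needed_seconds, log, env_file,
               post=post_form, now=time.time):
    """Whole step: exchange, check lifetime, mask, export. Returns the env var name."""
    token, expires_at = exchange_client_credentials(client_id, client_secret,
                                                    post=post, now=now)
    if not lifetime_ok(expires_at, needed_seconds, now=now):
        raise RuntimeError("token would expire before the Terraform step finishes")
    return hand_to_terraform(token, log, env_file)


if __name__ == "__main__":
    # Offline demo: in a real job, pass sys.stdout and open(os.environ["GITHUB_ENV"], "a").
    env = io.StringIO()
    fetch_step("client-id", "client-secret", 1800, sys.stdout, env, post=fake_post)
    print("would append to $GITHUB_ENV:", env.getvalue().split("=")[0] + "=<masked>")
```

Only the `::add-mask::` line and the `GITHUB_ENV` append ever see the token; nothing is written under the checkout directory, so neither the repo nor the plan file carries the credential.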