Failed to create SSO setting (403)

[vgelot]

Terraform Version

v1.5.3

Terraform Grafana Provider Version

4.5.3

Grafana Version

grafana/grafana:12.1.1 (Grafana OSS)

Affected Resource(s)

grafana_sso_settings

Terraform Configuration Files

resource "grafana_sso_settings" "this" {
  provider_name = "generic_oauth"
  oauth2_settings {
    name              = "keycloak"
    auth_url          = "https://KEYCLOAK_URL/auth"
    token_url         = "https://KEYCLOAK_URL/token"
    api_url           = "https://KEYCLOAK_URL/userinfo"
    client_id         = "CLIENT_ID"
    client_secret     = "CLIENT_SECRET"
    allow_sign_up     = true
    auto_login        = false
    scopes            = "openid profile email offline_access"
    use_pkce          = true
    use_refresh_token = true
  }
}

Expected Behavior

Be able to create the resource grafana_sso_settings

Actual Behavior

Hello,
Currently, when running the command, I get an error about permission issue

grafana_sso_settings.this: Creating...
╷
│ Error: failed to create the SSO settings for provider generic_oauth: [PUT /v1/sso-settings/{key}][403] updateProviderSettingsForbidden {"message":"You'll need additional permissions to perform this action. Permissions needed: settings:write"}
│ 
│   with grafana_sso_settings.this,
│   on main.tf line 109, in resource "grafana_sso_settings" "this":
│  109: resource "grafana_sso_settings" "this" {

Thanks

Steps to Reproduce

Create a service account with the role "Admin"
Add the permission "Admin" to the default user "admin"
Generate the token

terraform init
terraform plan
terraform appy

No issues with the same token to created others resources (datasources, folders and dashboards)

Important Factoids

No response

References

No response

[bendwyer]

Hi @vgelot, I had a similar error trying to setup SSO for Grafana Cloud via Cloudflare Access. I fixed it by creating a service account and token for Terraform in my Grafana stack (Administration -> Users and access -> Service accounts) and assigning it the following roles:

Settings:Authentication config writer
Settings:General authentication config writer

It’s possible that only one of these roles is needed, but I didn’t bother to test as I had already wasted a lot of time trying to get it working in the first place. Hope this helps.

[vgelot]

Thanks @bendwyer
But I don't have this kink of granularity in the Grafana OSS version
I can only choose viewer, editor or admin

I tested with the editor and admin role, but same error for both :(