API Authentication -> oauth2: cannot fetch token: 403 Forbidden #624

Open
carnei-ro opened this issue Oct 6, 2023 · 7 comments
Labels
bug Something isn't working

Comments

@carnei-ro

Terraform Version and Provider Version

Terraform version: v1.6.0
HCP provider version: v0.72.1

Affected Resource(s)

  • hcp_vault_secrets_secret
  • hcp_vault_secrets_app

Any vault_secrets resource, to be honest; I'm not sure if I am reaching some rate limiting that is returning me 403 instead of 429.

Output

```
│ Error: unable to fetch project "afaa2972-c2c7-445c-be4d-9f8b75b3e634": Get "https://api.cloud.hashicorp.com:443/resource-manager/2019-12-10/projects/afaa2972-c2c7-445c-be4d-9f8b75b3e634": oauth2: cannot fetch token: 403 Forbidden
│ Response: <!DOCTYPE html>
│ <html>
│ 
│ <head>
│     <meta charset="utf-8">
│     <meta name="viewport" content="width=device-width, initial-scale=1.0">
│     <link rel="stylesheet" href="https://fonts.googleapis.com/icon?family=Material+Icons">
│     <title>Forbidden</title>
│     <style>
│         @font-face {
│             font-family: "Stabil Grotesk";
╵
INFO[0101] Encountered an error eligible for retrying. Sleeping 15s before retrying. 
ERRO[0116] 1 error occurred:
        * Exhausted retries (5) for command terraform plan
 
ERRO[0116] Unable to determine underlying exit code, so Terragrunt will exit with error code 1 
```
@carnei-ro carnei-ro added the bug Something isn't working label Oct 6, 2023
@carnei-ro carnei-ro changed the title API Authentication -> oauth2: API Authentication -> oauth2: cannot fetch token: 403 Forbidden Oct 6, 2023
@AnPucel
Contributor

AnPucel commented Oct 6, 2023

Hi there! Sorry you're running into this. I have a couple of follow-up questions:

  • How are you authenticating? Organization-level service principal, project-level service principal, etc.?
  • How does the configuration of your top level HCP look? Are you using any environment variables?

@hashicorp hashicorp deleted a comment from carnei-ro Oct 6, 2023
@AnPucel
Contributor

AnPucel commented Oct 6, 2023

Hi! For clarification, I'm curious what attributes you're using at your top level configuration

E.g. project_id, client_id, client_secret or if you're passing them as env vars?

@carnei-ro
Author

oh, https://github.com/hashicorp deleted a comment from [carnei-ro](https://github.com/carnei-ro) [4 minutes ago](https://github.com/hashicorp/terraform-provider-hcp/issues/624#event-10578762048)

  • How are you authenticating? Organization level service principal
  • I have a provider.tf:
```hcl
provider "hcp" {
  project_id    = "afaa..."
  client_id     = "<some value>"
  client_secret = "<anoter value>"
}
```

@carnei-ro
Author

Here is my repo (I'm using terragrunt);

If you want to play, all you need to do is change the value of the client_id and client_secret here;

Then go to https://github.com/carnei-ro/hashicorp-cloud-live/tree/main/projects/carneiro/vault-secrets/delete-me and run terragrunt run-all apply --terragrunt-non-interactive

@AnPucel
Contributor

AnPucel commented Oct 6, 2023

@carnei-ro It may be a good idea to rotate your service principal credentials at this point in time even though the comment has been deleted.

@carnei-ro
Author

@AnPucel I did not post the real ones (only real value is the project_id afaa2972-c2c7-445c-be4d-9f8b75b3e634)

@AnPucel
Contributor

AnPucel commented Oct 6, 2023

Perfect! Just being overly cautious in case.
