Problem
After upgrading the HashiCorp Cloud Platform (HCP) provider to version 0.45.0 or higher, you may encounter an authentication error during Terraform operations.
When using HCP provider version 0.45.0, the error output may appear similar to the following.
Error: unable to fetch organization list: could not complete request: please ensure your HCP_API_HOST, HCP_CLIENT_ID, and HCP_CLIENT_SECRET are correct
│
│ with provider["registry.terraform.io/hashicorp/hcp"].pro,
│ on providers.tf line 94, in provider "hcp":
│ 94: provider "hcp" {
Error: unable to get project from credentials
│
│ with provider["registry.terraform.io/hashicorp/hcp"].pro,
│ on providers.tf line 94, in provider "hcp":
│ 94: provider "hcp" {
When using HCP provider version 0.64.0 or higher, the error message may include a Forbidden status.
│ Error:
│ unable to fetch organization list:
│ Get
│ "https://api.cloud.hashicorp.com:443/resource-manager/2019-12-10/org
│ anizations":
│ Post "https://auth.idp.hashicorp.com/oauth2/token": Forbidden
│
│ with provider["registry.terraform.io/hashicorp/hcp"].pro,
│ on main_hcp_issue.tf line 35, in provider "hcp":
│ 35: provider "hcp" {
│ Error: unable to get project from credentials
│
│ with provider["registry.terraform.io/hashicorp/hcp"].pro,
│ on main_hcp_issue.tf line 35, in provider "hcp":
│ 35: provider "hcp" {
Cause
This error typically occurs when a proxy or firewall in your network environment blocks requests to the HCP authentication endpoint, auth.idp.hashicorp.com. The authentication URL was updated in version 0.45.0 of the provider, and network rules that allowed the previous URL may not permit access to the new one.
Solutions
Solution 1: Whitelist the New HCP Authentication Endpoint
Check your proxy and firewall configurations to ensure that outbound connections to auth.idp.hashicorp.com on port 443 are permitted. You must add this hostname to your network's allowlist to resolve the authentication failure.
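To confirm where the request is being stopped, the following added example (not HashiCorp's code) probes the two HCP hostnames that appear on this page from the machine that runs Terraform and classifies the result. The function names and verdict strings are illustrative assumptions; run it with the same proxy environment variables that Terraform uses.

```bash
#!/usr/bin/env bash
# Added example: connectivity probe for the HCP endpoints named in this article.
# Hostnames come from the article; function names and verdicts are illustrative.

HCP_HOSTS="auth.idp.hashicorp.com api.cloud.hashicorp.com"

# classify_probe CURL_EXIT HTTP_CONNECT -> one-word verdict
#   CURL_EXIT     curl's exit status
#   HTTP_CONNECT  status the proxy returned to CONNECT (000 if no proxy answered)
classify_probe() {
  local rc=$1 connect=$2
  # A proxy that refuses the tunnel answers CONNECT with a 4xx/5xx status,
  # which Terraform surfaces as "Forbidden" on the oauth2/token request.
  case "$connect" in
    4??|5??) echo "proxy-denied"; return ;;
  esac
  case "$rc" in
    0)     echo "reachable" ;;                    # endpoint answered over TLS
    5|6)   echo "dns-failure" ;;                  # proxy or host name did not resolve
    7|28)  echo "blocked-or-dropped" ;;           # refused, or silently dropped until timeout
    35|60) echo "tls-intercepted-or-untrusted" ;; # handshake or certificate chain failed
    *)     echo "unknown" ;;
  esac
}

# probe_host HOST: one HTTPS request on port 443, then print the verdict.
# curl honours HTTPS_PROXY/https_proxy, so export the values Terraform runs with.
probe_host() {
  local host=$1 out rc
  out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_connect} %{http_code}' "https://$host/" 2>/dev/null)
  rc=$?
  set -- $out   # $1 = CONNECT status, $2 = HTTP status from the endpoint
  printf '%-26s %-28s (curl exit %s, CONNECT %s, HTTP %s)\n' \
    "$host" "$(classify_probe "$rc" "${1:-000}")" "$rc" "${1:-000}" "${2:-000}"
}

# Network access happens only when asked for:  ./hcp_probe.sh run
if [ "${1:-}" = "run" ]; then
  for h in $HCP_HOSTS; do probe_host "$h"; done
fi
```

A proxy-denied or blocked-or-dropped verdict for auth.idp.hashicorp.com alongside reachable for api.cloud.hashicorp.com matches the cause described above: the API host is allowed, the new authentication host is not.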
Additional Information
The underlying hcp-sdk-go library changed the authentication URL from auth.hashicorp.com to auth.idp.hashicorp.com in version 0.22.0. This change was incorporated into the HCP provider starting with version 0.45.0.