
Terraform deployment denied when Service ID API key (Account A) assumes Trusted Profile (Account B) to create COS bucket (Account B) #6693

@daniccs8

Description


Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Terraform v1.14.4

Affected Resource(s)

ibm_cos_bucket

Terraform Configuration Files

```hcl
terraform {
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = "1.89.0"
    }
  }
}

provider "ibm" {
  alias            = "logging"
  ibmcloud_api_key = <$IC_API_KEY> ## Service ID api key Account A
  iam_profile_id   = <TP-id>       ## TP in Account B, assumed by Service id Account A
}

## COS instance created successfully
resource "ibm_resource_instance" "cos_instance" {
  name              = var.cos_instance_name
  service           = "cloud-object-storage"
  plan              = var.plan
  location          = "global"
  resource_group_id = var.resource_group_id
}

## COS Bucket AccessDenied (403)
resource "ibm_cos_bucket" "data_bucket" {
  bucket_name          = var.cos_bucket_data_name
  resource_instance_id = ibm_resource_instance.cos_instance.id
  region_location      = var.region
  storage_class        = "standard"
}
```

Debug Output

```text
Error: AccessDenied: Access Denied
13:32:36 │ status code: 403, request id: , host id:
13:32:36 │
13:32:36 │ with module.hub_logs.ibm_cos_bucket.data_bucket,
13:32:36 │ on Logs/main.tf line 28, in resource "ibm_cos_bucket" "data_bucket":
13:32:36 │ 28: resource "ibm_cos_bucket" "data_bucket" {
13:32:36 │
13:32:36 │ ---
13:32:36 │ id: terraform-d2853781
13:32:36 │ summary: "AccessDenied: Access Denied\n\tstatus code: 403, request id:
13:32:36 │ ,
13:32:36 │ host id: "
13:32:36 │ severity: error
13:32:36 │ resource: ibm_cos_bucket
13:32:36 │ operation: create
13:32:36 │ component:
13:32:36 │ name: github.com/IBM-Cloud/terraform-provider-ibm
```

Expected Behavior

COS bucket is created in Account B when the authentication is a Service ID API key (Account A) assuming a Trusted Profile (Account B).

Actual Behavior

COS bucket in Account B is not created due to an AccessDenied error.

Steps to Reproduce

  • Create a Service ID + API key in Account A
  • Create a Trusted Profile in Account B and add the Service ID created in the previous step to its trust relationship
  • Set up the Terraform provider so that the API key assumes the TP
  • Set up Terraform to deploy the COS instance
  • Set up Terraform to deploy the COS bucket
  • terraform apply

Important Factoids

COS bucket creation succeeds via the IBM Cloud CLI/API/UI when the authentication is a Service ID API key (Account A) assuming a Trusted Profile (Account B). However, it fails via the Terraform IBM Cloud provider.
It is not due to a missing TP access policy.
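To separate an IAM/Trusted Profile scoping problem from provider behaviour, the following added diagnostic (not part of the issue or of the provider's code) performs the same two-step exchange the CLI path does: API key to IAM token, token to assumed-profile token, then a direct bucket PUT. The IAM endpoint, grant types, COS S3 host pattern and `ibm-service-instance-id` header are assumed from the public IBM Cloud APIs; all values such as `TP-id` and the CRN are placeholders.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed public IAM token endpoint (not taken from the issue).
IAM_TOKEN_URL = "https://iam.cloud.ibm.com/identity/token"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def apikey_token_request(api_key):
    """Step 1: exchange the Service ID API key (Account A) for an IAM token."""
    body = urllib.parse.urlencode({
        "grant_type": "urn:ibm:params:oauth:grant-type:apikey",
        "apikey": api_key,
    }).encode()
    return IAM_TOKEN_URL, FORM, body


def assume_profile_request(account_a_token, profile_id):
    """Step 2: assume the Trusted Profile (Account B) with the Account A token."""
    body = urllib.parse.urlencode({
        "grant_type": "urn:ibm:params:oauth:grant-type:assume",
        "access_token": account_a_token,
        "profile_id": profile_id,
    }).encode()
    return IAM_TOKEN_URL, FORM, body


def create_bucket_request(region, bucket, instance_crn, profile_token):
    """Step 3: the bucket PUT the provider issues, pinned to the COS instance CRN."""
    url = "https://s3.%s.cloud-object-storage.appdomain.cloud/%s" % (region, bucket)
    headers = {"Authorization": "Bearer " + profile_token,
               "ibm-service-instance-id": instance_crn, "Content-Length": "0"}
    return url, headers


def post_form(url, headers, body):
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def put_bucket(url, headers):
    """Return the HTTP status; a 403 here means the assumed-profile token itself
    is not authorized for this instance/region, independent of Terraform."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="PUT")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def reproduce(api_key, profile_id, region, bucket, instance_crn):
    tok_a = post_form(*apikey_token_request(api_key))["access_token"]
    tok_b = post_form(*assume_profile_request(tok_a, profile_id))["access_token"]
    return put_bucket(*create_bucket_request(region, bucket, instance_crn, tok_b))
```

If `reproduce(...)` returns 200 with the same key, profile, region and instance CRN that Terraform uses, the denial is specific to the provider's request rather than to the Trusted Profile's policies.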

Labels: service/Object Storage (Issues related to Cloud Object Storage), service/Resource Management (Issues related to Resource Manager or Resource Controller)