Error: could not download chart: failed to authorize

[lionelmace]

I face the following issue when trying to deploy a cloud logs Agent on my cluster using Terraform in Hashicorp Terraform Cloud:

Error: could not download chart: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://icr.io/oauth/token?scope=repository%3Aibm%2Fobserve%2Flogs-agent-helm%3Apull&service=registry: 401 Unauthorized
with module.logs_agent_module.helm_release.logs_agent
on .terraform/modules/logs_agent_module/modules/logs-agent/main.tf line 40, in resource "helm_release" "logs_agent":
resource "helm_release" "logs_agent" {

I have the following code

provider "helm" {
  alias = "logs"
  kubernetes {
    host                   = data.ibm_container_cluster_config.roks_cluster_config.host
    token                  = data.ibm_container_cluster_config.roks_cluster_config.token
    cluster_ca_certificate = data.ibm_container_cluster_config.roks_cluster_config.ca_certificate
  }
  registry {
    url      = "oci://icr.io/ibm/observe/logs-agent-helm"
    username = "iamapikey"
    password = var.ibmcloud_api_key
  }
}

module "iam_service_id" {
  source                          = "terraform-ibm-modules/iam-service-id/ibm"
  # version                         = "1.2.0"
  iam_service_id_name             = format("%s-%s", local.basename, "service-id")
  iam_service_id_description      = "Logs Agent service id"
  iam_service_id_apikey_provision = true
  iam_service_policies = {
    logs = {
      roles = ["Sender"]
      resources = [{
        service = "logs"
      }]
    }
  }
}

data "ibm_container_cluster_config" "cluster_config" {
  cluster_name_id   = ibm_container_vpc_cluster.roks_cluster.id
  resource_group_id = ibm_resource_group.group.id
}

# Sleep to allow RBAC sync on cluster
resource "time_sleep" "wait_operators" {
  depends_on      = [data.ibm_container_cluster_config.cluster_config]
  create_duration = "45s"
}

module "logs_agent_module" {
  source = "terraform-ibm-modules/observability-agents/ibm//modules/logs-agent"
  cluster_id = ibm_container_vpc_cluster.roks_cluster.id
  cluster_resource_group_id = ibm_resource_group.group.id
  logs_agent_iam_mode    = "IAMAPIKey"
  logs_agent_iam_api_key = module.iam_service_id.service_id_apikey
  cloud_logs_ingress_endpoint = ibm_resource_instance.logs_instance.extensions.external_ingress_private
  cloud_logs_ingress_port     = 443
}

I'm able to login the registry

helm registry login icr.io -u iamapikey -p DNJhuyOn0ld_-cjicJXXXXXXXXXXXXXXX
WARNING: Using --password via the CLI is insecure. Use --password-stdin.
Login Succeeded

[ocofaigh]

Can you confirm if this is only an issue with Hashicorp Terraform Cloud? Or same happens in Schematics?

[lionelmace]

I faced the issue because I have two providers helm and I use alias

provider "helm" {
  alias = "logs"

How can I pass the provider to the module logs-agent ?

[ocofaigh]

@lionelmace To get the terraform-ibm-observability-agents module to use your alias helm provider (which will have the authentication details in it) do the following:

module "logs_agent_module" {
  providers = {
    helm = helm.logs
  }
  source = "terraform-ibm-modules/observability-agents/ibm//modules/logs-agent"
  cluster_id = ibm_container_vpc_cluster.roks_cluster.id
  cluster_resource_group_id = ibm_resource_group.group.id
  logs_agent_iam_mode    = "IAMAPIKey"
  logs_agent_iam_api_key = module.iam_service_id.service_id_apikey
  cloud_logs_ingress_endpoint = ibm_resource_instance.logs_instance.extensions.external_ingress_private
  cloud_logs_ingress_port     = 443
}    

[ocofaigh]

Closing - feel free to re-open if needed