Description
Hi,
I've created a few rolesharingpolicies.iam.hsdp.crossplane.io, and creation worked correctly, but after some time without touching them or the role involved (at least not that I am aware of, not via IaC 😄), the resource starts failing reconciliation with 403 errors, like:
Warning CannotObserveExternalResource 34s (x40 over 4h4m) managed/iam.hsdp.crossplane.io/v1alpha1, kind=rolesharingpolicy failed to observe the resource:
[{0 retry 9 due to HTTP 403:
GET /authorize/identity/Role/4c9b14b4-dfd0-4b4c-9222-5931abf736b3/$list-sharing-policies?targetOrganizationId=3519090a-5b02-4706-9c71-72fb0a863d45: StatusCode 403,
Body: {"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"Forbidden","details":{"coding":{"system":"extension","code":"10302"},
"text":"Resource owner denied access to the request."}}]} []}]
My assumption is that the role (id 4c9b14b4-dfd0-4b4c-9222-5931abf736b3) does not exist anymore (got recreated for some reason) and the id changed, so the sharing policy fails. What I noticed while testing in Bruno (Postman) is that the HSDP IAM API returns 403 for role ids that don't exist in the {{Identity.Manager.BaseURL}}/identity/Role/{{Role.GUID}} endpoint. 🫠
As soon as I delete the sharing policy, it gets recreated and works again. The role is referenced via roleIdSelector with matchLabels, with policy.resolution: required and policy.resolve: always.
The roles are also managed via Crossplane.
Any ideas?
hsdp provider version v0.70.0
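One way a reconciler could tell this 403 apart from a genuine permission problem, as an added illustration that is not the hsdp provider's own code: it parses the OperationOutcome body quoted above and classifies the response. The mapping of 403 plus IAM code 10302 to "stale reference" encodes the reporter's hypothesis (role id gone), not documented API or provider behaviour; the function and verdict strings are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// sampleBody is the 403 body quoted in the issue, kept here as constructed test input.
const sampleBody = `{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"Forbidden","details":{"coding":{"system":"extension","code":"10302"},"text":"Resource owner denied access to the request."}}]}`
// operationOutcome mirrors that FHIR-style IAM error body.
type operationOutcome struct {
	ResourceType string `json:"resourceType"`
	Issue        []struct {
		Severity string `json:"severity"`
		Code     string `json:"code"`
		Details  struct {
			Coding struct {
				System string `json:"system"`
				Code   string `json:"code"`
			} `json:"coding"`
			Text string `json:"text"`
		} `json:"details"`
	} `json:"issue"`
}

// classifyListSharingPolicies maps a $list-sharing-policies response to "ok", "retry", "stale-reference"
// or "error" plus a message. Treating 403 + IAM code 10302 as "referenced role id is gone" is an assumption.
func classifyListSharingPolicies(status int, body []byte) (string, string) {
	switch {
	case status >= 200 && status < 300:
		return "ok", ""
	case status == http.StatusTooManyRequests || status >= 500:
		return "retry", fmt.Sprintf("HTTP %d: transient, retry with backoff", status)
	}
	var oo operationOutcome
	if err := json.Unmarshal(body, &oo); err != nil || oo.ResourceType != "OperationOutcome" || len(oo.Issue) == 0 {
		return "error", fmt.Sprintf("HTTP %d with unrecognised body", status)
	}
	d := oo.Issue[0].Details
	msg := fmt.Sprintf("HTTP %d: %s (IAM code %s)", status, d.Text, d.Coding.Code)
	if status == http.StatusForbidden && d.Coding.Code == "10302" {
		return "stale-reference", msg
	}
	return "error", msg
}
func main() {
	v, msg := classifyListSharingPolicies(http.StatusForbidden, []byte(sampleBody))
	fmt.Println(v, msg)
}
```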