
Impossible to create some cloudflare_zero_trust resources due to error "auth.key_not_in_claims (1007)" #4316

Closed
MrTrustor opened this issue Oct 18, 2024 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. service/access Categorizes issue or PR as related to the Access service. triage/accepted Indicates an issue or PR is ready to be actively worked on. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. workflow/synced

Comments

@MrTrustor

MrTrustor commented Oct 18, 2024

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.9.8
on linux_amd64

  • provider registry.terraform.io/cloudflare/cloudflare v4.44.0

Affected resource(s)

  • cloudflare_zero_trust_access_identity_provider
  • cloudflare_zero_trust_access_group
  • cloudflare_zero_trust_access_application

Terraform configuration files

resource "cloudflare_zero_trust_access_group" "example" {
  account_id = var.cloudflare_account_id
  name       = "example"

  include {
    email = ["[email protected]", "[email protected]"]
  }
}

resource "cloudflare_zero_trust_access_application" "foobar" {
  account_id       = var.cloudflare_account_id
  name             = "foobar"
  domain           = cloudflare_record.foobar.hostname
  type             = "self_hosted"
  session_duration = "12h"
  policies         = ["example"]
}

resource "cloudflare_zero_trust_access_identity_provider" "google_oauth" {
  account_id = var.cloudflare_account_id
  name       = "Google"
  type       = "google"
  config {
    client_id     = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com"
    client_secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
}

Link to debug output

https://gist.github.com/MrTrustor/b7256e9066dbfb2d7317f48ec00a32ba

Panic output

No response

Expected output

I expect to be able to create the 3 resources listed above.

Actual output

The creation of any one of those resources fails with the error message:

failed to create Access Identity Provider: error from makeRequest: auth.key_not_in_claims (1007)

Steps to reproduce

  1. Try to create one of the resources listed by running terraform apply
  2. Observe that the creation fails

Additional factoids

The Account API Token I'm using with Terraform has the following permissions:

  • Account: Cloudflare Tunnel - Edit
  • Account: Zero Trust - Edit
  • Account: Access: Organizations, Identity Providers, and Groups - Edit
  • Account: Access: Apps and Policies - Edit
  • Zone: Zone Settings - Edit
  • Zone: Zone - Edit
  • Zone: SSL and Certificates - Edit
  • Zone: DNS - Edit

Someone else seems to be running into the same issue:

References

No response

@MrTrustor MrTrustor added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 18, 2024
Contributor

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. label Oct 18, 2024
@jacobbednarz jacobbednarz added triage/accepted Indicates an issue or PR is ready to be actively worked on. service/access Categorizes issue or PR as related to the Access service. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 18, 2024
@MrTrustor
Author

It turns out the issue was that I was using an Account API Token. I created a User API Token, with exactly the same permissions, and it worked.
I don't know if that's expected behavior, but me finding that was basically a stroke of luck.

@jacobbednarz
Member

Can confirm this is due to account-owned tokens and that Access does not yet fully support it. The team is working on adding support, but in the meantime you'll need to provide user tokens or the API key/email combo. Once the team lands support, this will just work without changes on your side.

@jacobbednarz jacobbednarz closed this as not planned Oct 22, 2024
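The thread's outcome (account-owned API tokens are rejected by the Access API with error 1007 `auth.key_not_in_claims`, while user-owned tokens and the API key/email pair work) lends itself to a preflight check run before `terraform apply`. The script below is an added example written for this page; it is not code from the issue, from MrTrustor, or from the cloudflare provider. It assumes the Cloudflare verify endpoints `GET /user/tokens/verify` (user-owned tokens) and `GET /accounts/{account_id}/tokens/verify` (account-owned tokens) as documented by Cloudflare, reads the credential from the same `CLOUDFLARE_API_TOKEN` variable the provider uses, and takes the account ID from a `CLOUDFLARE_ACCOUNT_ID` variable chosen here. The error response embedded in the block is constructed to match the code and message quoted in the issue, not captured from the API.

```python
"""Preflight check for Cloudflare credentials before `terraform apply`.

Added example, not from the issue or the cloudflare provider. It encodes the
finding of this thread: account-owned API tokens fail on Access resources with
error 1007 (auth.key_not_in_claims); user-owned tokens and API key + email work.
Assumed (not on the page): the two verify endpoints below and the
CLOUDFLARE_ACCOUNT_ID variable name. The sample response is constructed.
"""
import json
import os
import sys
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"
KEY_NOT_IN_CLAIMS = 1007  # error code quoted in the issue

# Constructed to match the error string in the issue; standard Cloudflare envelope.
SAMPLE_1007 = json.dumps({
    "success": False,
    "errors": [{"code": 1007, "message": "auth.key_not_in_claims"}],
    "messages": [],
    "result": None,
})


def auth_headers(token=None, api_key=None, email=None):
    """Headers for each credential form the provider accepts.

    Both user- and account-owned tokens are sent as a Bearer token, so the
    header alone cannot tell them apart; the legacy key needs the email too.
    """
    if token and (api_key or email):
        raise ValueError("pass either a token or api_key+email, not both")
    if token:
        return {"Authorization": f"Bearer {token}"}
    if api_key and email:
        return {"X-Auth-Email": email, "X-Auth-Key": api_key}
    raise ValueError("need a token or api_key+email")


def error_codes(body):
    """Numeric error codes from a Cloudflare API response (str, bytes or dict)."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    return [e.get("code") for e in data.get("errors", []) if isinstance(e, dict)]


def explain_failure(body):
    """Remediation hint for a failed Access API response; None if it succeeded."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    if data.get("success"):
        return None
    if KEY_NOT_IN_CLAIMS in error_codes(data):
        return ("auth.key_not_in_claims (1007): the credential is probably an "
                "account-owned API token, which the Access API did not accept "
                "at the time of this issue; use a user-owned token or api_key+email")
    return "request failed: " + "; ".join(str(c) for c in error_codes(data))


def _get(url, headers):
    """GET url, returning (http_status, body dict); API errors are not raised."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        raw = exc.read()
        try:
            return exc.code, json.loads(raw)
        except ValueError:
            return exc.code, {"success": False, "errors": [],
                              "raw": raw.decode(errors="replace")}


def token_owner(account_id, token):
    """Classify a token as 'user', 'account' or 'invalid' via the verify endpoints."""
    headers = auth_headers(token=token)
    status, body = _get(f"{API}/user/tokens/verify", headers)
    if status == 200 and body.get("success"):
        return "user"
    status, body = _get(f"{API}/accounts/{account_id}/tokens/verify", headers)
    if status == 200 and body.get("success"):
        return "account"
    return "invalid"


if __name__ == "__main__":
    token = os.environ.get("CLOUDFLARE_API_TOKEN")
    account_id = os.environ.get("CLOUDFLARE_ACCOUNT_ID")
    if not token or not account_id:
        sys.exit("set CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID first")
    owner = token_owner(account_id, token)
    print(f"token owner: {owner}")
    if owner == "account":
        print(explain_failure(SAMPLE_1007))  # what an Access create call would return
        sys.exit(2)
```

Run it in the same shell you run Terraform from; exit status 2 means the token is account-owned and the Access resources in this issue will fail until support lands, so switch to a user token (`CLOUDFLARE_API_TOKEN`) or the key/email pair (`CLOUDFLARE_API_KEY` and `CLOUDFLARE_EMAIL`) before applying.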