Can't use cloudflare_api_token to create r2 token #6626

@fbritoferreira

Description

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

 provider registry.terraform.io/cloudflare/cloudflare v5.15.0

When I use the following variables

   CF_ACCESS_SECRET = cloudflare_api_token.cdn_r2_access.value
   CF_ACCESS_KEY_ID = cloudflare_api_token.cdn_r2_access.id

I get access denied when trying to do simple operations such as upload assets.

Small script to test

import { S3Client, ListBucketsCommand } from "@aws-sdk/client-s3";

// Read the values once; the catch block below used the bare names, which are
// not declared and would throw a ReferenceError before anything was printed.
const { CF_ENDPOINT, CF_ACCESS_KEY_ID, CF_ACCESS_SECRET } = process.env;

const s3 = new S3Client({
  region: "auto",
  endpoint: CF_ENDPOINT,
  forcePathStyle: true,
  credentials: {
    accessKeyId: CF_ACCESS_KEY_ID,
    secretAccessKey: CF_ACCESS_SECRET,
  },
});

try {
  const response = await s3.send(new ListBucketsCommand({}));
  console.log(
    "✓ Credentials work! Buckets:",
    response.Buckets?.map((b) => b.Name)
  );
} catch (error) {
  // AWS SDK v3 errors carry the error name and the HTTP status in $metadata;
  // error.Code is only set on some S3 error responses.
  console.error("✗ Authentication failed:");
  console.error("  Code:", error.Code ?? error.name);
  console.error("  Status:", error.$metadata?.httpStatusCode);
  console.error("  Message:", error.message);
  console.error("  Endpoint:", CF_ENDPOINT);
  // Only prefixes are printed, but even a prefix of the secret is sensitive:
  // keep this output to local debugging and out of CI logs.
  console.error("  Access Key:", CF_ACCESS_KEY_ID?.slice(0, 8) + "...");
  console.error("  Secret:", CF_ACCESS_SECRET?.slice(0, 8) + "...");
  console.error("  Secret Length:", CF_ACCESS_SECRET?.length);
}

Affected resource(s)

cloudflare_api_token

Terraform configuration files

data "cloudflare_api_token_permission_groups_list" "all" {}

locals {
  r2_write_id = [for pg in data.cloudflare_api_token_permission_groups_list.all.result : pg.id if pg.name == "Workers R2 Storage Bucket Write"][0]
  r2_read_id  = [for pg in data.cloudflare_api_token_permission_groups_list.all.result : pg.id if pg.name == "Workers R2 Storage Bucket Read"][0]
}

resource "cloudflare_r2_bucket" "cdn" {
  account_id = var.cloudflare_account_id
  name       = "cdn"
}

resource "cloudflare_api_token" "cdn_r2_access" {
  name = "cdn automated token"

  policies = [
    {
      effect = "allow"

      permission_groups = [
        { id = local.r2_read_id },
        { id = local.r2_write_id }
      ]

      resources = jsonencode({
        "com.cloudflare.edge.r2.bucket.${var.cloudflare_account_id}_default_${cloudflare_r2_bucket.cdn.name}" = "*"
      })
    }
  ]
}

Link to debug output

no errors

Panic output

no errors

Expected output

Credentials should allow upload

Actual output

Access denied 403

Steps to reproduce

  1. Use Terraform to create the API token
  2. Set the environment variables using the outputs from the resource
  3. Run the provided TypeScript script

Additional factoids

I think this resource needs an extra output for access_key_id and access_key_token

References

No response

Labels

kind/bug