2

Getting the following error with Terraform

forbidden: User "system:anonymous" cannot get path "/apis"

In context,

│ Error: Invalid configuration for API client
│ 
│   with acme.dev_env_02.kubernetes_manifest.grafana-agent,
│   on modules/acme-02/prometheus.tf line 1, in resource "kubernetes_manifest" "grafana-agent":
│    1: resource "kubernetes_manifest" "grafana-agent" {
│ 
│ forbidden: User "system:anonymous" cannot get path "/apis"

I'm also getting this error with,

resource "kubernetes_manifest" "seccomp" {

Evan Carroll

2 Answers

1

The error means that you are not authenticating to the K8s cluster for some reason.

Take a look here:

https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#example-usage

For better troubleshooting, I recommend enabling auditing on the K8s cluster, so you can see what went wrong.

https://kubernetes.io/docs/tasks/debug/debug-cluster/audit/

glv
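One way to act on the audit-log suggestion above, as an added example that is not part of either answer: it counts 403 responses to `system:anonymous` in kube-apiserver audit events, grouped by source IP, user agent and path, so you can see which client is reaching the API server without credentials. The sample events, IP address and user-agent string are constructed, and it assumes the audit log backend writes one JSON event per line.

```python
import json
from collections import Counter

# Constructed kube-apiserver audit events (audit.k8s.io/v1), one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","requestURI":"/apis","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.10"],"userAgent":"terraform-example"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","requestURI":"/apis","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.10"],"userAgent":"terraform-example","responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","requestURI":"/api/v1/namespaces","verb":"list","user":{"username":"admin","groups":["system:authenticated"]},"sourceIPs":["203.0.113.20"],"userAgent":"kubectl-example","responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","requestURI":"/apis","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.10"],"userAgent":"terraform-example","responseStatus":{"code":403}}
not-json
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","requestURI":"/healthz","verb":"get","user":{"username":"system:anonymous","groups":["system:unauthenticated"]},"sourceIPs":["203.0.113.30"],"userAgent":"probe-example","responseStatus":{"code":200}}
"""


def anonymous_denials(lines):
    """Count 403 responses to unauthenticated requests by (source IP, user agent, URI)."""
    hits = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the log file
        if not isinstance(event, dict):
            continue
        if event.get("stage") != "ResponseComplete":
            continue  # a request emits one event per stage; count it once
        user = event.get("user") or {}
        unauthenticated = (
            user.get("username") == "system:anonymous"
            or "system:unauthenticated" in (user.get("groups") or [])
        )
        code = (event.get("responseStatus") or {}).get("code")
        if unauthenticated and code == 403:
            source_ip = (event.get("sourceIPs") or ["?"])[0]
            key = (source_ip, event.get("userAgent", "?"), event.get("requestURI", "?"))
            hits[key] += 1
    return hits


if __name__ == "__main__":
    for (ip, agent, uri), n in anonymous_denials(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(f"{n} anonymous 403 response(s) from {ip} ({agent}) on {uri}")
```
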
0

If you read the docs for the resource kubernetes_manifest you'll see it says the following,

This resource requires API access during planning time. This means the cluster has to be accessible at plan time and thus cannot be created in the same apply operation. We recommend only using this resource for custom resources or resources not yet fully supported by the provider.

This was my problem. You can't create the resource in the same Terraform files that use kubernetes_manifest. And the reason why, for me, only I was getting this error is that the shared state was in GitLab and it wasn't being pulled down.

Evan Carroll