Genesys Cloud - Developer Community!

 View Only

Sign Up

  • 1.  Cannot retrieve oauth client secret

    Posted 09-02-2025 12:33

    I am trying to save a clientId and clientsecret. Here is my tf code which seems to be set up right per Genesys' documentation but the value for the id and secret keep coming back null.

    { "client-dev": "{\"client_id\":null,\"client_secret\":null,\"version\":\"5\"}" }

    resource "genesyscloud_oauth_client" "client1" {
      name                          = "client1"
      description                   = "TF managed"
      access_token_validity_seconds = 86400
      authorized_grant_type         = "CLIENT-CREDENTIALS"

      roles {
        role_id     = data.genesyscloud_auth_role.admin.id
        division_id = "*"
      }
    }

    output "client_id" {
      value       = genesyscloud_oauth_client.client1.client_id
      description = "new client id"
    }

    module "client_oauth_creds" {
      source  = "xxx"
      version = "~> 1.0"

      # name of the secret in a hierarhcy path based standard format
      name = "/secret-lair/classic/terraform-genesyscloud/production/client-dev"

      content_wo = jsonencode({
        "client_id"     = genesyscloud_oauth_client.client1.client_id
        "client_secret" = genesyscloud_oauth_client.client1.client_secret
        "version"       = "6"
      })

      # update this when you want to actually update content in the secret object
      # so that terraform doesn't store the secret in state.
      content_wo_version = 6
      depends_on = [
        genesyscloud_oauth_client.client1
      ]
    }

    I use 1.68.3 provider version


    #CXasCode

    ------------------------------
    Ihor Hordiienko
    Genesys Engineer
    ------------------------------


  • 2.  RE: Cannot retrieve oauth client secret

    Posted 09-03-2025 09:29

    Hi @Ihor Hordiienko

    You can follow the blog here https://developer.genesys.cloud/blog/oath-client-secret-CXasCode/ for accessing clientid and clientsecret via cxAsCode.

    we have introduced new attribute directory_client_secret in genesyscloud_oauth_client resource which you can use to dump your client credential information. More details in the blog for reference.

    Thanks

    Hemanth



    ------------------------------
    Hemanth Dogiparthi
    Manager, Software Engineering
    ------------------------------

    Original Message


  • 3.  RE: Cannot retrieve oauth client secret

    Posted 09-03-2025 11:37

    Hi Hemanth,

    the attribute directory_client_secret just puts a secret into a file on a disk. What I am trying to do is to save it into a proper secret manager.



    ------------------------------
    Ihor Hordiienko
    Genesys Engineer
    ------------------------------

    Original Message


  • 4.  RE: Cannot retrieve oauth client secret

    Posted 09-03-2025 12:09

    Hi @Ihor Hordiienko

    The client_id and client_secret attributes are computed values that are only available during resource creation and client_secret are not persisted in the Terraform state to prevent sensitive data exposure
    We can still internally reference them in other resources of provider (genesyscloud_integration_credential), thanks to an internal cache we are using for referring the data. These attributes are like placeholders.

    To save the OAuth client credentials to a secret manager, you have a few options:
    • Use directory_client_secret attribute
                     This attribute allows you to save the secret to a local file, which you can try  reading and store in your secret manager.

    Example:

    resource "genesyscloud_oauth_client" "client1" {
      name                          = "client1"
      description                   = "TF managed"
      access_token_validity_seconds = 86400
      authorized_grant_type         = "CLIENT-CREDENTIALS"
      directory_client_secret       = "${path.module}/temp_secrets"  # Local directory to save secret
     
      roles {
        role_id     = data.genesyscloud_auth_role.admin.id
        division_id = "*"
      }
    }
     
    # Read the secret from the file and store in your secret manager
    locals {
      secret_files = fileset("${path.module}/temp_secrets", "*")
      client_id    = tolist(local.secret_files)[0]  # The filename is the client_id
      secret_data  = file("${path.module}/temp_secrets/${local.client_id}")
    }
     
    module "client_oauth_creds" {
      source  = "xxx"
      version = "~> 1.0"
     
      name = "/secret-lair/classic/terraform-genesyscloud/production/client-dev"
     
      content_wo = jsonencode({
        "client_id"     = local.client_id
        "client_secret" = local.secret_data
        "version"       = "6"
      })
     
      content_wo_version = 6
      depends_on = [
        genesyscloud_oauth_client.client1
      ]
    }


    Hope this helps

    Thanks

    Hemanth



    ------------------------------
    Hemanth Dogiparthi
    Manager, Software Engineering
    ------------------------------

    Original Message


  • 5.  RE: Cannot retrieve oauth client secret

    Posted 09-04-2025 12:05

    Hi Hemanth!

    The suggested directory_client_secret approach is not workable in our environment. We use terraform enterprise, so we can't have file preserve state across runs.

    More importantly, Terraform already has a mechanism for handling one-time values at resource creation: marking them as sensitive. So why the provider doesn't simply expose client_id and client_secret as sensitive outputs during the initial creation run. That would allow us to consume them in other Terraform resources (or export them to a proper secret manager) without needing to persist files locally. This is exactly what Terraform's sensitive feature is intended for.



    ------------------------------
    Ihor Hordiienko
    Genesys Engineer
    ------------------------------

    Original Message


  • 6.  RE: Cannot retrieve oauth client secret

    Posted 09-05-2025 10:35

    Hi Ihor,

    Thanks for posting this and sharing your perspective. I reviewed your points, and I wanted to provide some context on our approach.

    We originally avoided using the sensitive flag because, while it prevents values from being printed in logs or outputs, it doesn't fully protect secrets from being stored in plain text. That said, I know the Tofu project has been working on encrypted secrets, so some of this may have evolved recently.

    I spoke with Hemanth today, and we're exploring how we can add a property to the Terraform provider to better handle secrets. Our current suggested direction is to support this directly at the provider level. While I don't have a firm timeline yet, this is a high-priority item for us since several customers rely on Terraform Enterprise. I'm not sure if they run in a similar manner to your setup, but I completely agree this is something we need to address.

    Hemanth is actively looking into it now, and I'm also working to ensure we have a complete solution in place before any breaking changes occur.

    Thanks again for raising this-your feedback is really helpful.

    Best,
    John



    ------------------------------
    John Carnell
    Director, Developer Engagement
    ------------------------------

    Original Message


  • 7.  RE: Cannot retrieve oauth client secret

    Posted 09-12-2025 09:41
    Edited by Venkata Hemanth Dogiparthi 09-12-2025 09:41

    hi @Ihor Hordiienko

    We have added a new attribute to expose the secret which is configurable. Can you pull in latest terraform release and use this attribute in your resource definition to see if this works for you.

    resource "genesyscloud_oauth_client" "client1" {
      name                          = "client1"
      description                   = "TF managed"
      access_token_validity_seconds = 86400
      authorized_grant_type         = "CLIENT-CREDENTIALS"
      directory_client_secret       = "${path.module}/temp_secrets"  # Local directory to save secret
     expose_client_secret = true
      roles {
        role_id     = data.genesyscloud_auth_role.admin.id
        division_id = "*"
      }
    }





    ------------------------------
    Hemanth Dogiparthi
    Manager, Software Engineering
    ------------------------------

    Original Message


  • 8.  RE: Cannot retrieve oauth client secret

    Posted 5 days ago

    Hi Hemanth,

    I'm following up on Ihor's work and trying to put this part of our terraform code into a working state.

    According to Genesys documentation 

    • client_secret (String, Sensitive) Place holder that can be referred in integration_credential fields. Sensitive info. Only populated when expose_client_secret is true.

    1. As I understand it, if we set expose_client_secret = true, we should be able to export the client_secret to another object. Is my understanding correct? (we are passing it to a custom module to save the secret in AWS Secret Manager). 

    resource "genesyscloud_oauth_client" "gains_service" {
name = "name"
access_token_validity_seconds = 86400
authorized_grant_type = "CLIENT-CREDENTIALS"
expose_client_secret = true
}
    we are properly getting 
    genesyscloud_oauth_client.gains_service.client_id
    but the secret always appears empty.
    genesyscloud_oauth_client.gains_service.client_secret
    2. Can you please comment on how it is supposed to work?


    ------------------------------
    Borys Spiridonov
    .
    ------------------------------

    Original Message


  • 9.  RE: Cannot retrieve oauth client secret

    Posted 2 days ago

    Hi @Borys Spiridonov

    can you run this on the latest provider version. You should be able to expose the secret and available in tfstate and as resource data.

    Thanks



    ------------------------------
    Hemanth Dogiparthi
    Manager, Software Engineering
    ------------------------------

    Original Message


Related Content