Genesys Cloud - Developer Community!


  • 1.  Cannot retrieve oauth client secret

    Posted 09-02-2025 12:33

    I am trying to save a clientId and clientsecret. Here is my tf code, which seems to be set up right per Genesys' documentation, but the values for the id and secret keep coming back null.

    { "client-dev": "{\"client_id\":null,\"client_secret\":null,\"version\":\"5\"}" }

    resource "genesyscloud_oauth_client" "client1" {
      name                          = "client1"
      description                   = "TF managed"
      access_token_validity_seconds = 86400
      authorized_grant_type         = "CLIENT-CREDENTIALS"

      roles {
        role_id     = data.genesyscloud_auth_role.admin.id
        division_id = "*"
      }
    }

    output "client_id" {
      value       = genesyscloud_oauth_client.client1.client_id
      description = "new client id"
    }

    module "client_oauth_creds" {
      source  = "xxx"
      version = "~> 1.0"

      # name of the secret in a hierarchy path based standard format
      name = "/secret-lair/classic/terraform-genesyscloud/production/client-dev"

      content_wo = jsonencode({
        "client_id"     = genesyscloud_oauth_client.client1.client_id
        "client_secret" = genesyscloud_oauth_client.client1.client_secret
        "version"       = "6"
      })

      # update this when you want to actually update content in the secret object
      # so that terraform doesn't store the secret in state.
      content_wo_version = 6
      depends_on = [
        genesyscloud_oauth_client.client1
      ]
    }

    I use provider version 1.68.3.


    #CXasCode

    ------------------------------
    Ihor Hordiienko
    Genesys Engineer
    ------------------------------


  • 2.  RE: Cannot retrieve oauth client secret

    Posted 09-03-2025 09:29

    Hi @Ihor Hordiienko

    You can follow the blog here https://developer.genesys.cloud/blog/oath-client-secret-CXasCode/ for accessing clientid and clientsecret via cxAsCode.

    We have introduced a new attribute, directory_client_secret, in the genesyscloud_oauth_client resource which you can use to dump your client credential information. More details are in the blog for reference.

    Thanks

    Hemanth



    ------------------------------
    Hemanth Dogiparthi
    Manager, Software Engineering
    ------------------------------



  • 3.  RE: Cannot retrieve oauth client secret

    Posted 09-03-2025 11:37

    Hi Hemanth,

    The attribute directory_client_secret just puts a secret into a file on disk. What I am trying to do is save it into a proper secret manager.



    ------------------------------
    Ihor Hordiienko
    Genesys Engineer
    ------------------------------



  • 4.  RE: Cannot retrieve oauth client secret

    Posted 09-03-2025 12:09

    Hi @Ihor Hordiienko

    The client_id and client_secret attributes are computed values that are only available during resource creation, and client_secret is not persisted in the Terraform state to prevent sensitive data exposure.
    We can still internally reference them in other resources of the provider (genesyscloud_integration_credential), thanks to an internal cache we use for referring to the data. These attributes are like placeholders.

    To save the OAuth client credentials to a secret manager, you have a few options:
    • Use the directory_client_secret attribute
      This attribute allows you to save the secret to a local file, which you can then read and store in your secret manager.

    Example:

    resource "genesyscloud_oauth_client" "client1" {
      name                          = "client1"
      description                   = "TF managed"
      access_token_validity_seconds = 86400
      authorized_grant_type         = "CLIENT-CREDENTIALS"
      directory_client_secret       = "${path.module}/temp_secrets"  # Local directory to save secret
     
      roles {
        role_id     = data.genesyscloud_auth_role.admin.id
        division_id = "*"
      }
    }
     
    # Read the secret from the file and store in your secret manager
    locals {
      secret_files = fileset("${path.module}/temp_secrets", "*")
      client_id    = tolist(local.secret_files)[0]  # The filename is the client_id
      secret_data  = file("${path.module}/temp_secrets/${local.client_id}")
    }
     
    module "client_oauth_creds" {
      source  = "xxx"
      version = "~> 1.0"
     
      name = "/secret-lair/classic/terraform-genesyscloud/production/client-dev"
     
      content_wo = jsonencode({
        "client_id"     = local.client_id
        "client_secret" = local.secret_data
        "version"       = "6"
      })
     
      content_wo_version = 6
      depends_on = [
        genesyscloud_oauth_client.client1
      ]
    }


    Hope this helps

    Thanks

    Hemanth



    ------------------------------
    Hemanth Dogiparthi
    Manager, Software Engineering
    ------------------------------



  • 5.  RE: Cannot retrieve oauth client secret

    Posted 09-04-2025 12:05

    Hi Hemanth!

    The suggested directory_client_secret approach is not workable in our environment. We use Terraform Enterprise, so we can't have files preserve state across runs.

    More importantly, Terraform already has a mechanism for handling one-time values at resource creation: marking them as sensitive. So why doesn't the provider simply expose client_id and client_secret as sensitive outputs during the initial creation run? That would allow us to consume them in other Terraform resources (or export them to a proper secret manager) without needing to persist files locally. This is exactly what Terraform's sensitive feature is intended for.



    ------------------------------
    Ihor Hordiienko
    Genesys Engineer
    ------------------------------



  • 6.  RE: Cannot retrieve oauth client secret

    Posted 09-05-2025 10:35

    Hi Ihor,

    Thanks for posting this and sharing your perspective. I reviewed your points, and I wanted to provide some context on our approach.

    We originally avoided using the sensitive flag because, while it prevents values from being printed in logs or outputs, it doesn't fully protect secrets from being stored in plain text. That said, I know the Tofu project has been working on encrypted secrets, so some of this may have evolved recently.

    I spoke with Hemanth today, and we're exploring how we can add a property to the Terraform provider to better handle secrets. Our current suggested direction is to support this directly at the provider level. While I don't have a firm timeline yet, this is a high-priority item for us since several customers rely on Terraform Enterprise. I'm not sure if they run in a similar manner to your setup, but I completely agree this is something we need to address.

    Hemanth is actively looking into it now, and I'm also working to ensure we have a complete solution in place before any breaking changes occur.

    Thanks again for raising this; your feedback is really helpful.

    Best,
    John



    ------------------------------
    John Carnell
    Director, Developer Engagement
    ------------------------------
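The point John raises above, that marking a value sensitive keeps it out of logs and plan output but not out of the state file, is easy to check mechanically. The following Python is an added example and is not code from this thread or from the Genesys Cloud provider: it scans a Terraform state document (the v4 JSON layout Terraform writes) for secret-looking outputs and resource attributes whose value is present in clear text, and reports whether each was flagged sensitive. The state JSON is constructed for the example; the resource and output names are modelled on the config in this thread, and the secret value is a placeholder. A check like this can run in CI against a pulled state snapshot before the run is considered done.

```python
"""Scan a Terraform state file for credential values stored in clear text.

Added example, not from the thread or the Genesys provider. It demonstrates
that `sensitive = true` on an output changes how Terraform prints the value,
not how it is stored: the value is still written to state as plain text.
"""
import json
import re

# Key names that should never be readable from a state file.
SECRET_KEY_RE = re.compile(r"(secret|password|token|private_key)", re.IGNORECASE)

# Constructed state document in the v4 layout. Names follow the thread's
# config; "EXAMPLE-SECRET-VALUE" is a placeholder, not a real credential.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "terraform_version": "1.9.0",
    "outputs": {
        "client_id": {"value": "0f1a2b3c-example", "type": "string"},
        "client_secret": {
            "value": "EXAMPLE-SECRET-VALUE",
            "type": "string",
            "sensitive": True,   # flagged sensitive, still stored in clear
        },
    },
    "resources": [
        {
            "mode": "managed",
            "type": "genesyscloud_oauth_client",
            "name": "client1",
            "instances": [
                {
                    "schema_version": 0,
                    "attributes": {
                        "name": "client1",
                        "client_id": "0f1a2b3c-example",
                        "client_secret": None,   # provider does not persist it
                    },
                    "sensitive_attributes": [],
                }
            ],
        }
    ],
})


def _top_level_attr(path: list) -> str:
    """sensitive_attributes entries are path-step lists; the first get_attr
    step names the attribute the mark applies to."""
    for step in path:
        if step.get("type") == "get_attr":
            return step["value"]
    return ""


def find_plaintext_secrets(state_json: str) -> list:
    """Return a finding for every secret-looking output or resource attribute
    whose value is actually present (non-null, non-empty) in the state.

    Each finding is {"where": address, "key": name, "marked_sensitive": bool}.
    A finding with marked_sensitive=True is exactly the case discussed above:
    the sensitive flag did not keep the value out of the file.
    """
    state = json.loads(state_json)
    findings = []

    for name, out in state.get("outputs", {}).items():
        if SECRET_KEY_RE.search(name) and out.get("value") not in (None, ""):
            findings.append({
                "where": f"output.{name}",
                "key": name,
                "marked_sensitive": bool(out.get("sensitive", False)),
            })

    for res in state.get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        for inst in res.get("instances", []):
            marked = {_top_level_attr(p) for p in inst.get("sensitive_attributes", [])}
            for key, value in inst.get("attributes", {}).items():
                if SECRET_KEY_RE.search(key) and value not in (None, ""):
                    findings.append({
                        "where": addr,
                        "key": key,
                        "marked_sensitive": key in marked,
                    })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_secrets(SAMPLE_STATE):
        flag = "sensitive-flagged" if f["marked_sensitive"] else "unflagged"
        print(f"{f['where']}: '{f['key']}' stored in clear text ({flag})")
```

Against the constructed state the scan reports only `output.client_secret`: the resource attribute is null, as Hemanth describes for the provider, while the output marked sensitive still carries the value. Pointing the function at a real state snapshot (for example the JSON returned by `terraform state pull`) turns the same logic into a gate that fails the pipeline when a credential has leaked into state.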



  • 7.  RE: Cannot retrieve oauth client secret

    Posted 09-12-2025 09:41
    Edited by Venkata Hemanth Dogiparthi 09-12-2025 09:41

    Hi @Ihor Hordiienko

    We have added a new attribute to expose the secret, which is configurable. Can you pull in the latest Terraform release and use this attribute in your resource definition to see if this works for you?

    resource "genesyscloud_oauth_client" "client1" {
      name                          = "client1"
      description                   = "TF managed"
      access_token_validity_seconds = 86400
      authorized_grant_type         = "CLIENT-CREDENTIALS"
      directory_client_secret       = "${path.module}/temp_secrets"  # Local directory to save secret
      expose_client_secret          = true
      roles {
        role_id     = data.genesyscloud_auth_role.admin.id
        division_id = "*"
      }
    }





    ------------------------------
    Hemanth Dogiparthi
    Manager, Software Engineering
    ------------------------------