"No API key specified" error when using Terraform provider

I’m posting this in the “API” category because I don’t see a support category for the terraform provider, but there really should be a category for that on this discuss forum.

I’m trying to use the newrelic terraform provider, and unable to actually “apply”. I’ve whittled it down to this simple .tf file that reproduces the problem:

terraform {
      required_version = "~> 0.14.0"
      required_providers {
        newrelic = {
          source  = "newrelic/newrelic"
          version = "~> 2.9.0"
        }
      }
    }

    provider "aws" {
      region = "us-east-1"
    }

    provider "newrelic" {
      account_id = "my account ID"
      api_key = "NRII-..."
    }

    resource "newrelic_dashboard" "cos_tf_test" {
      title = "Cos test dashboard from Terraform"
      editable = "editable_by_owner"

      widget {
        title = "Sample title"
        visualization = "line_chart"
        row = 1
        column = 1
        nrql = "FROM ... (nrql query here)"

      }
    }

terraform plan works fine, but when I try to apply, I get:

Error: 401 response returned: No API key specified

  on main.tf line 20, in resource "newrelic_dashboard" "cos_tf_test":
  20: resource "newrelic_dashboard" "cos_tf_test" {

I’ve tried this with setting my environment variable NEW_RELIC_API_KEY and omitting the key from the .tf file, as well as with the key in the .tf file, and it fails the same way either way. Anyone know what is going on?

Okay, I figured this out, but there are two issues here that New Relic should fix.

It turns out the 401 response text “No API key specified” is misleading. What it actually meant was that the key I gave was the wrong kind of key. I was on a wild goose chase wondering why terraform wasn’t giving the NR API a key at all, when in fact terraform was supplying a key - the API just didn’t accept that key. So that’s issue #1: Please fix that 401 response message!

Having guessed that, I asked around and learned that until recently the API accepted admin keys but it no longer does. I wondered if they key I was using was an admin key, and if so, whether this might work with a personal API key - and confirm my guess that the 401 text was misleading.

I followed these instructions to get my personal API key:
https://registry.terraform.io/providers/newrelic/newrelic/latest/docs/guides/getting_started

… but that actually doesn’t work! The graphiql GUI returns obfuscated keys, like this:

"key": "NRAK-WQW...",

However, eventually I vaguely remembered that you can get personal API keys from “Account settings” at one.newrelic.com and once I remembered that, I was able to get the key, which made this work!

So that’s issue #2: Please fix the “Getting Started with the New Relic Provider” I linked above, it is just plain wrong. To get your personal API key, you go to Account Settings from the menu at top right on one.newrelic.com.

1 Like

Thank you for reporting this, we’ll take a look at it, and see if we can get it corrected so it’s more clear.

Filed this Github issue for tracking purposes: https://github.com/newrelic/terraform-provider-newrelic/issues/1065

This issue is currently being worked on by our Dev Took Kit Team. :smile:

1 Like

We’ve resolved this issue, hopefully this helps. @cos1 :relaxed:

Thanks for the update! However, it does not look like it has been fixed. This is from just now:

% export NEW_RELIC_API_KEY=invalidkey
% terraform apply
newrelic_dashboard.cos_tf_test: Refreshing state... [id=1589960]

Error: 401 response returned: No API key specified

The 401 from the API still has the misleading message.

Hi @cos1, can you provide the output of terraform -v please?

1 Like

Sure, but I’m puzzled - as far as I can tell, terraform is just passing a message on from the NR API, so why would the terraform or provider version matter here?

Terraform v0.14.2
+ provider registry.terraform.io/hashicorp/aws v3.21.0
+ provider registry.terraform.io/newrelic/newrelic v2.9.0

The Terraform version itself isn’t the issue. It’s the version of our provider. You’re currently on version v2.9.0, however, the fix for the messaging has been released in v2.14.1. You will need to upgrade to your New Relic provider version to v2.14.1 to see the updated error messaging around invalid API keys.

E.g.

terraform {
  required_providers {
    newrelic = {
      source  = "newrelic/newrelic"
      version = "~> 2.14.1"
    }
  }

  //...
}

Here is what the messaging looks like in the latest version:

$ terraform apply 

newrelic_dashboard.cos_tf_test: Creating...

Error: 401 response returned: Invalid credentials provided. Missing API key or an invalid API key was provided.

  on main.tf line 39, in resource "newrelic_dashboard" "cos_tf_test":
  39: resource "newrelic_dashboard" "cos_tf_test" {

Hope this helps resolve the issue for you :slight_smile:

1 Like

Just to confirm, you’re saying that the API returns a 401 with no message, and the terraform provider then adds its own text to the 401 response?

Not quite. The API still returns the same message as you mentioned earlier, but due to the fact that some of our Terraform resources utilize a legacy API (dashboards as an example), we need to interpret things on our end in this case (for the time being).

This will not be the norm as legacy APIs are migrated to our NerdGraph API.

Ahh, so the underlying problem in the API has not been fixed, you’re just papering over it in the terraform provider. Can you get the engineers who maintain the API to fix the real problem, and make the API emit a message that does not lie to the caller?

Thank you @cos1. We appreciate all the research and discussion you have provided on this as it has been quite revealing. Hopefully once legacy APIs are migrated to our NerdGraph API, you will not run into this issue any further.