Problem Statement
I can run Terraform using the canonical domain, but it fails with access denied when using a Custom Domain.
Example: this is working in Terraform using the canonical domain
provider "auth0" {
  domain        = "https://my-domain.us.auth0.com"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
  debug         = "<debug>"
}
Example: this is not working in Terraform using a Custom Domain
provider "auth0" {
  domain        = "https://my-domain.com"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
  debug         = "<debug>"
}
Error: request failed: Get "https://my-domain.com/api/v2/actions/actions/394493dd-7d81-402b-83c4-50a17ff41ba5": oauth2: cannot fetch token: 403 Forbidden
│ Response: {"error":"access_denied","error_description":"Service not enabled within domain: https://my-domain.com/api/v2/"}
Solution
The Auth0 Terraform provider supports using a Custom Domain for the Management API. However, when initializing the provider you need to pass the audience parameter set to the Management API identifier of your canonical domain; without it, the provider derives the audience from the custom domain (https://my-domain.com/api/v2/, as seen in the error above), which the tenant does not recognize. Here I assume your tenant is in the US-3 region, so your tenant's canonical domain is a sub-domain of us.auth0.com.
E.g.
provider "auth0" {
  domain        = "https://my-domain.com"
  audience      = "https://my-domain.us.auth0.com/api/v2/"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
  debug         = "<debug>"
}
The optional audience parameter is documented on the following link:
https://registry.terraform.io/providers/auth0/auth0/latest/docs#optional
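As an added check (example code, not part of the original article or the Auth0 provider), the script below reads the string attributes of a provider "auth0" block, computes the audience the provider will request a token for (the explicit audience, or https://<domain>/api/v2/ derived from the domain, which matches the audience shown in the error above), and flags a custom domain that is missing a canonical audience. The sample blocks are constructed to mirror the broken and fixed configurations on this page; parse_provider is a hypothetical minimal reader, not a full HCL parser.

```python
import re
from urllib.parse import urlparse

# Constructed sample provider blocks mirroring the two configurations on this page.
BROKEN_CFG = '''
provider "auth0" {
  domain        = "https://my-domain.com"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
}
'''
FIXED_CFG = '''
provider "auth0" {
  domain        = "https://my-domain.com"
  audience      = "https://my-domain.us.auth0.com/api/v2/"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
}
'''

ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"', re.MULTILINE)

def parse_provider(cfg: str) -> dict:
    """Hypothetical minimal reader: string attributes of one provider block only."""
    return dict(ATTR_RE.findall(cfg))

def host_of(value: str) -> str:
    """Accept the domain with or without an https:// scheme and return the bare host."""
    return urlparse(value if "://" in value else "https://" + value).hostname or ""

def effective_audience(attrs: dict) -> str:
    """Audience used for the token request: explicit `audience`, else derived from `domain`."""
    return attrs.get("audience") or f"https://{host_of(attrs.get('domain', ''))}/api/v2/"

def is_canonical(host: str) -> bool:
    """Canonical tenant hosts are <tenant>.<region>.auth0.com (or <tenant>.auth0.com)."""
    return host.endswith(".auth0.com")

def check(cfg: str) -> list[str]:
    """Return findings for an auth0 provider block; an empty list means the audience is sound."""
    attrs = parse_provider(cfg)
    findings = []
    aud = effective_audience(attrs)
    if not is_canonical(host_of(attrs.get("domain", ""))) and "audience" not in attrs:
        findings.append(f"custom domain without audience: token request would target {aud} "
                        "and fail with access_denied")
    if not is_canonical(host_of(aud)):
        findings.append(f"audience host {host_of(aud)!r} is not a canonical auth0.com tenant host")
    elif not aud.endswith("/api/v2/"):
        findings.append("audience must be the Management API identifier ending in /api/v2/")
    return findings
```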