Getting access denied error with the Custom Domain using Terraform

Problem Statement

I can run Terraform using the canonical domain, but it fails with an access denied error when using the custom domain.

Example: this works in Terraform using the canonical domain


provider "auth0" {
  domain        = "https://my-domain.us.auth0.com"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
  debug         = "<debug>"
}

Example: this does not work in Terraform using the custom domain


provider "auth0" {
  domain        = "https://my-domain.com"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
  debug         = "<debug>"
}


Error: request failed: Get "https://my-domain.com/api/v2/actions/actions/394493dd-7d81-402b-83c4-50a17ff41ba5": oauth2: cannot fetch token: 403 Forbidden

Response: {"error":"access_denied","error_description":"Service not enabled within domain: https://my-domain.com/api/v2/"}

Solution

The Auth0 Terraform provider supports using a custom domain for the Management API. However, when initializing the provider you must also pass the audience parameter, set to the Management API identifier of your canonical domain (the Management API audience stays the canonical domain even when requests go through the custom domain, which is why the error above reports that the service is not enabled within https://my-domain.com/api/v2/). Here I assume your tenant is in the US-3 region, so your tenant's canonical domain is a subdomain of us.auth0.com.

E.g.


provider "auth0" {
  domain        = "https://my-domain.com"
  audience      = "https://my-domain.us.auth0.com/api/v2/"
  client_id     = "<client-id>"
  client_secret = "<client-secret>"
  debug         = "<debug>"
}

The optional audience parameter is documented at the following link:

https://registry.terraform.io/providers/auth0/auth0/latest/docs#optional
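To see why the audience matters, the following added example (not part of the original article or of the Auth0 provider's code) reproduces the token step the provider performs: a client-credentials call to /oauth/token on the configured domain, with the Management API identifier as the audience. It also checks a provider configuration the way the error above suggests, flagging an audience that is missing or that points at the custom domain. The domain names are the page's placeholders, and the assumption that a missing audience is derived from the configured domain is taken from the error message on this page.

```python
import json
import urllib.parse
import urllib.request
from typing import Optional, Tuple


def _host(domain: str) -> str:
    """Normalize 'https://host/' or 'host' to a bare hostname."""
    return domain.split("://", 1)[-1].rstrip("/")


def management_audience(canonical_domain: str) -> str:
    """The Management API identifier is always built from the canonical tenant domain."""
    return f"https://{_host(canonical_domain)}/api/v2/"


def audience_problem(domain: str, audience: Optional[str], canonical_domain: str) -> Optional[str]:
    """Return a diagnostic for a provider block that will hit 'access_denied', or None if it looks right.
    Assumption (consistent with the 403 response on the page): when audience is unset the
    provider derives it from the configured domain, i.e. https://<domain>/api/v2/."""
    expected = management_audience(canonical_domain)
    effective = audience or f"https://{_host(domain)}/api/v2/"
    if effective == expected:
        return None
    return f'audience resolves to {effective}; set audience = "{expected}" (canonical domain)'


def token_request(domain: str, audience: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """Build the client-credentials request the provider sends to the configured domain."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    })
    return f"https://{_host(domain)}/oauth/token", body


def fetch_management_token(domain: str, audience: str, client_id: str, client_secret: str) -> str:
    """Perform the exchange against the live tenant (network). With the failing configuration
    from the page this raises urllib.error.HTTPError with a 403 and the access_denied body."""
    url, body = token_request(domain, audience, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Constructed placeholder values; replace with real credentials to run the live call.
    print(audience_problem("https://my-domain.com", None, "https://my-domain.us.auth0.com"))
```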

Reference

https://registry.terraform.io/namespaces/auth0