Automated deployment in travel management fails at Terraform apply step with permission denied error in Jenkins pipeline

We’re experiencing a frustrating issue with our automated deployment pipeline for Infor CloudSuite travel management module. The Jenkins pipeline runs terraform plan successfully and shows all the expected changes, but consistently fails when it reaches the terraform apply step with permission denied errors.

The failure happens specifically when trying to provision travel booking service resources. We’ve verified IAM roles multiple times and the service account has the necessary permissions according to the documentation. The same service account works fine for other CloudSuite modules we deploy.

Error snippet from Jenkins console:

    Error: Error creating travel service: Permission denied
    at terraform-provider-infor.CreateTravelService
    Status Code: 403

This is blocking our ability to deploy travel booking updates to production. Has anyone encountered similar issues with Terraform automation in ICS 2021?

This sounds like a token scope issue. When Jenkins runs Terraform, it needs to request tokens with the correct OAuth scopes. For travel management in ICS 2021, you need to explicitly include ‘travel.booking.write’ and ‘travel.service.admin’ scopes in your authentication flow. Check your Jenkins credentials configuration and make sure these scopes are included in the token request. The plan step might work because it only needs read scopes.

Just to add some context here - we had a similar issue and discovered that ICS 2021 has different scope requirements compared to later versions. The travel module specifically requires explicit scope declarations because it handles PII and payment data. Additionally, check your Jenkins pipeline for token caching. If Jenkins is reusing cached tokens from previous runs, they might not have the updated scopes even after you modify the configuration. Clear the credential cache or rotate the service account key to force fresh token generation.
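The two replies above point at the same failure mode: the token Jenkins hands to Terraform carries read scopes (enough for plan) but not the write scopes apply needs, or it is a cached token minted before the scope configuration changed. A cheap way to turn that 403 into an early, readable pipeline failure is a pre-flight step that inspects the token before apply runs. The script below is an added example, not code from the thread or from Infor or Terraform; it assumes the token is a JWT whose payload carries a space-separated `scope` claim and an `exp` claim (a common shape, but not something the thread confirms for ICS 2021). The apply scope names are the ones the replies quote; the read scope `travel.booking.read` and the sample tokens are constructed for the demo.

```python
"""Pre-flight token check for a CI step, e.g. before `terraform apply`.

Added illustrative example, not from the original thread. Assumes a JWT
with a space-separated `scope` claim and a numeric `exp` claim. The scope
names for apply come from the thread; the read scope and the sample tokens
are constructed here.
"""
import base64
import json
import time
from typing import Optional

# Scopes the replies say the travel module needs for apply (write/admin).
APPLY_SCOPES = {"travel.booking.write", "travel.service.admin"}
# Hypothetical read-only scope, illustrating why plan can succeed while apply fails.
PLAN_SCOPES = {"travel.booking.read"}


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    This is an inspection aid for the pipeline only. The provider still
    validates the signature server-side; never use this to grant access.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, required: set, now: Optional[float] = None) -> list:
    """Return a list of problems; an empty list means the token fits the step."""
    problems = []
    claims = decode_jwt_payload(token)
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is None:
        problems.append("token has no exp claim")
    elif exp <= now:
        problems.append(f"token expired at {exp}, now {now}")
    granted = set(claims.get("scope", "").split())
    missing = required - granted
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for the demo; the signature is a placeholder."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


# Constructed samples. CACHED_TOKEN models a token reused from an earlier run that
# only ever had the read scope; FRESH_TOKEN models one minted after the scopes were added.
FAR_FUTURE = 4102444800  # 2100-01-01, so the samples do not expire during the demo
CACHED_TOKEN = make_unsigned_token(
    {"sub": "jenkins-svc", "scope": "travel.booking.read", "exp": FAR_FUTURE})
FRESH_TOKEN = make_unsigned_token(
    {"sub": "jenkins-svc",
     "scope": "travel.booking.read travel.booking.write travel.service.admin",
     "exp": FAR_FUTURE})

if __name__ == "__main__":
    for name, tok in (("cached", CACHED_TOKEN), ("fresh", FRESH_TOKEN)):
        print(name, "plan: ", check_token(tok, PLAN_SCOPES) or "ok")
        print(name, "apply:", check_token(tok, APPLY_SCOPES) or "ok")
```

Run as a pipeline stage before apply and fail the build when `check_token` returns anything, naming the missing scopes or the expiry in the console output; that gives a precise signal for the cached-token case instead of a bare 403 from the provider. If the real token is opaque rather than a JWT, the same check can be done by calling the issuer's introspection endpoint and reading the returned scope and expiry instead of decoding locally.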

Thanks for the suggestion. I checked and the service account does have TravelServiceAdmin assigned. I also tried running the terraform apply manually using my admin credentials and it worked. So it seems like something specific to how Jenkins authenticates. Could this be related to token expiration or scope limitations in the CI/CD context?