Terraform NGFW provider failing to get token for CloudFirewallAdmin

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Terraform NGFW provider failing to get token for CloudFirewallAdmin

L2 Linker



I am trialling out the TF provider in this repo and I have successfully built the provider locally. I am able to configure it as per the settings mentioned in the doc. To give a brief overview, I have

  1. Subscribed to Palo NGFW in AWS Marketplace
  2. Added our sandbox AWS Account to Palo NGFW and run the Cloudformation template which creates cross-account IAM roles.
  3. Enabled Programmatic access and created the IAM role mentioned in the docs to grant access to API Gateway. I have also tagged the IAM role with 

              Key=NGFWaasRole, Value=CloudFirewallAdmin

              Key=NGFWaasRole, Value=CloudRulestackAdmin

    tags as mentioned in the other ticket
  4.  I have granted sts:AssumeRole permission so that any authenticated user in my sandbox account can assume the above role.
  5. After setting up all of this, I supply the following config values to the provider

                   host: "api.us-east-1.aws.cloudngfw.paloaltonetworks.com"

                   region: "us-east-1"

                   arn: "<The arn of the API Gateway IAM Role I setup in step 3>"


The provider initialises successfully when I run terraform init, however when I run terraform plan, it errors as per the screenshot below



I can only speculate (since I am not familiar with golang, but the code for ngfw client is here ) that the client is failing to execute steps 8 and 9 mentioned here 


Another thing to note is that the tags mentioned in step 5 of the above article are different from the ones you have mentioned in the linked ticket above. Is there any reason for this difference? Also, the Github repo linked in step 6 has a broken link, so I cannot view the CFT examples. 


Any help would be appreciated since I am now effectively blocked in automating the NGFW firewall creation.









L5 Sessionator

Run terraform apply with logging enabled, it might have more information:

TF_LOG=debug terraform apply

I have been told that the docs are wrong with regards to the tags needed for the role created in AWS.  Change the tags as follows:


  • CloudFirewallAdmin > CloudNGFWFirewallAdmin
  • CloudRulestackAdmin > CloudNGFWRulestackAdmin

Thanks @gfreeman 

I made changes to the tags, and it made no difference. After switching on TF_LOG, I got an error message which might be of interest to you.


-----------------------------------------------------: timestamp=2022-04-28T21:05:56.317+0100
2022-04-28T21:05:56.381+0100 [INFO]  provider.terraform-provider-cloudngfwaws_v1.0.0: 2022/04/28 21:05:56 [DEBUG] CloudNgfwAws API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 251
Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Thu, 28 Apr 2022 20:05:56 GMT
X-Amz-Apigw-Id: <Redacted>
X-Amzn-Errortype: AccessDeniedException
X-Amzn-Requestid: <Redacted>
X-Amzn-Trace-Id: <Redacted>

 "message": "User: arn:aws:sts::<Redacted>:assumed-role/palo-ngfw-admin-role/sdk_session is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********1261:63kpcf9k68/prod/GET/v1/mgmt/tokens/cloudrulestackadmin"


The palo-ngfw-admin-role is setup as such


    "Version": "2012-10-17",
    "Statement": [ 
          "Effect": "Allow",
          "Action": [
          "Resource": [


The assume role policy for assuming the role above is set up as such


    "Version": "2012-10-17",
    "Statement": [
        "Sid": "AssumeTaggedRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {
            "AWS": "arn:aws:iam::${account-id}:root"
        "Condition": {
            "StringEquals": {"iam:ResourceTag/CloudFirewallAdmin": "CloudNGFWFirewallAdmin"}


The IAM role is set up as 


resource "aws_iam_role" "palo-ngfw-admin-role" {
  name               = "palo-ngfw-admin-role"
  assume_role_policy = data.template_file.assume-role-policy.rendered
  tags = {
    "CloudFirewallAdmin"  = "CloudNGFWFirewallAdmin",
    "CloudRulestackAdmin" = "CloudNGFWRulestackAdmin"

resource "aws_iam_policy" "palo-nfgw-admin-policy" {
  name   = "palo-nfgw-admin-policy"
  policy = data.template_file.palo-ngfw-admin-policy.rendered
  tags = {
    "Name" = "palo-nfgw-admin-policy"

resource "aws_iam_role_policy_attachment" "palo-nfgw-admin-policy-to-palo-ngfw-admin-role" {
  role       = aws_iam_role.palo-ngfw-admin-role.name
  policy_arn = aws_iam_policy.palo-nfgw-admin-policy.arn


The provider config is setup as follows


provider "cloudngfwaws" {
  json_config_file = "./cloudngfwaws_config.json"

    "host": "api.us-east-1.aws.cloudngfw.paloaltonetworks.com",
    "region": "us-east-1",
    "arn": "arn:aws:iam::<redacted>:role/palo-ngfw-admin-role"


After all this set up, the IAM user that I use to login to our sandbox account assumes the palo-ngfw-admin-role and tries to execute the api gateway which subsequently fails. Any ideas please?




Looking at that response, it seems like something is misconfigured with your AWS setup.


Found some other documentation and this does actually have the updated role tags that I mentioned above, so maybe there's something in here that's the answer..?



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!