Buildkite Terraform Provider API 403

Greetings Buildkiters.

I am having a problem with terraform with authenticating to the api url when I do a terraform plan

Here is my setup:

terraform {
  required_providers {
    buildkite = {
      source  = "buildkite/buildkite"
      version = "~> 0.9"

provider "buildkite" {
  organization = "my-team-slug"
  api_token    = "api-token-value"

Then I have a terraform file that defines a pipeline.

On terraform plan, I have issues getting the API to auth.

Buildkite API request failed: GET<MYTEAMSLUG>/pipelines/<PIPELINENAME> (status: 403)

When I take the same token thats defined in the provider, I can successfully hit the api with a curl by passing the auth: bearer $token command.

Even when I set the env var: BUILDKITE_API_TOKEN it still cant auth.

Is this some issue with the state potentially?


Hi sype!

Welcome to the community! :wave:

Typically when you run into an error like this, it’s because the token you are using is missing the correct scopes when using our Terraform Provider.

Because you have tested curling the API (our REST API), I’m going to assume you’ve given read_pipelines, but you’ll want to check that you also have the write_pipelines and write_suites scopes turned on for REST, as well as the token you are using has been enabled for GraphQL API access, as seen here: GitHub - buildkite/terraform-provider-buildkite: Terraform provider for Buildkite. All of these scopes are required for the Terraform Provider to function.

We have also done some work to the provider and released on the newer 1.0.x version now, which we’ve updated the provider docs here: Terraform Registry if you’re curious to see the latest changes and documentation surrounding the new release.

I think I experienced a bug. When I click save after enabling the “write_suites” scope, I get an error. Page not found, sorry, the page you 're trying to access could not be found.

Hey sype!

Do you have Test Analytics enabled? If so, that becomes a required scope to write to suites, but if not you can omit that scope and attempt your terraform plan again with the other 3 and that should work for you.

Hi Jared,

The scopes I see for this account and org are:





















Hi sype!

So you’ll want to enable: read_pipelines, write_pipelines and also check off the GraphQL API access for that token for your terraform plan to work. This is assuming you do not have Test Analytics enabled. I’ve attached a screenshot below.

I am still getting an error when I try to update anything on that page. I uncheck or check a scope box, and I click update api access token and I am met with:

Hi sype!

Oh no, that’s not expected! Can you do me a favour and send in an email to us at, sharing the name of organization you’re a part of and we’ll take a look on our end to see what’s going wrong.