PublicGatewayIP not created on the target cluster

[MicheleSica]

Hello

Following the documentation available here: https://marketplace.upbound.io/providers/scaleway/provider-scaleway/v0.3.0/resources/vpc.scaleway.upbound.io/PublicGatewayIP/v1alpha1

we have been unable to create a PublicGatewayIP.

Below is the manifest used:

apiVersion: vpc.scaleway.upbound.io/v1alpha1
kind: PublicGatewayIP
metadata:
  name: vpc-public-gateway-ip
spec:
  forProvider: {}
  providerConfigRef:
    name: crossplane-project 

The object status is

➜  ~ kubectl get publicgatewayip
NAME                   SYNCED   READY   EXTERNAL-NAME   AGE
vpc-public-gateway-ip   False    False                   10m

After 10 minutes, the object has not been created, performing a 'describe object' we can observe an error regarding insufficient permissions

Status:
  At Provider:
  Conditions:
    Last Transition Time:  2024-08-02T09:20:39Z
    Reason:                Creating
    Status:                False
    Type:                  Ready
    Last Transition Time:  2024-08-02T09:23:29Z
    Message:               create failed: apply failed: scaleway-sdk-go: insufficient permissions: write vpc_gw_ip:
    Reason:                ReconcileError
    Status:                False
    Type:                  Synced
    Last Transition Time:  2024-08-02T09:23:29Z
    Reason:                Finished
    Status:                True
    Type:                  AsyncOperation
    Last Transition Time:  2024-08-02T09:20:40Z
    Message:               apply failed: scaleway-sdk-go: insufficient permissions: write vpc_gw_ip:
    Reason:                ApplyFailure
    Status:                False
    Type:                  LastAsyncOperation
Events:
  Type    Reason                   Age                   From                                                            Message
  ----    ------                   ----                  ----                                                            -------
  Normal  CreatedExternalResource  32s (x5 over 3m22s)   managed/vpc.scaleway.upbound.io/v1alpha1, kind=publicgatewayip  Successfully requested creation of external resource
  Normal  PendingExternalResource  22s (x20 over 3m20s)  managed/vpc.scaleway.upbound.io/v1alpha1, kind=publicgatewayip  Waiting for external resource existence to be confirmed

However, the 'scaleway-provider' has a cluster role that should allow the public gateway ip creation:

Resources
gatewaynetworks, gatewaynetworks/status, privatenetworks, privatenetworks/status, publicgatewaydhcps, publicgatewaydhcps/status, publicgatewayips, publicgatewayips/status, publicgatewaypatrules, publicgatewaypatrules/status, publicgateways, publicgateways/status, vpcs, vpcs/status
Verbs
get, list, watch, update, patch, create
Api Groups
vpc.scaleway.upbound.io

We need the PublicGatewayIp to create a PublicGateway.

Could you kindly check?
Thanks in advance.

[bfranchet-nx]

Hello,
I'm currently evaluating the crossplane scaleway provider myself, and I was abble to create a publicGatewayIP.
Reading your trace, I think your permission problem is not on the k8s side ( as the PublicGatewayIP object is created in k8s) but on the permission associate to the scaleway credentials you give to configure the scaleway crossplane provider. In other word maybe the API key you use in your provider doesn't have the right to create a vpc_gw_ip in your targeted scaleway project.
Hope, it helps.