Description
There is no Terraform resource for managing account invitations. Users must invite members to accounts manually via the console, which doesn't scale for onboarding automation.
Blocker: ACTOR_TYPE_USER restriction
The CreateAccountInvite API endpoint enforces ACTOR_TYPE_USER server-side. Management keys (used by the Terraform provider) receive 403 permission denied:
POST /api/account/v1/accounts/{account_id}/invites
Authorization: apikey <management-key>
→ {"code": 403, "message": "permission denied - not granted"}
Other invite operations work with management keys:
ListAccountInvites (GET) — works
GetAccountInvite (GET) — works
DeleteAccountInvite (DELETE) — works
CreateAccountInvite (POST) — blocked (ACTOR_TYPE_USER only)
Requested Resource
resource "qdrant-cloud_accounts_invite" "example" {
  account_id    = "..."
  user_email    = "alice@example.com"
  user_role_ids = ["role-uuid-1", "role-uuid-2"] # optional, roles assigned on accept
}
The API supports user_role_ids on invite creation — roles are pre-assigned when the user accepts.
Suggested Solutions (either would unblock this)
Option A: Relax ACTOR_TYPE_USER on CreateAccountInvite (server-side)
Allow management keys to call CreateAccountInvite. This is the simplest change and would immediately unblock a Terraform resource.
The proto annotation:
rpc CreateAccountInvite(...) returns (...) {
  option (qdrant.cloud.common.v1.supported_actor_types) = ACTOR_TYPE_USER;
}
Could be changed to also allow ACTOR_TYPE_MANAGEMENT_KEY.
Option B: Add user-level auth to the provider
Support OAuth2/Auth0 token authentication alongside management keys. This would allow the provider to call ACTOR_TYPE_USER-restricted endpoints.
Use Case
We manage Qdrant Cloud IAM via Terraform (roles, user assignments) for onboarding/offboarding. SSO handles authentication but does not auto-provision users to accounts (confirmed by Qdrant support — feature on roadmap). Without invite automation, every new team member requires manual console action per account.
Related
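Added example, not part of the original issue and not the provider's or Qdrant's code: a Go sketch of how onboarding automation could recognise the 403 quoted above and report it as a distinct error instead of a generic failure. `InviteCall`, `ErrInviteForbidden` and `stubServer` are hypothetical names, the stub server is a constructed stand-in for the reported behaviour, the account id and key are placeholders, and reusing the POST path for the GET call is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrInviteForbidden marks the 403 that the issue attributes to ACTOR_TYPE_USER.
var ErrInviteForbidden = errors.New("invite call forbidden for this credential")

// stubServer is a constructed stand-in: POST gets the quoted 403, other methods succeed.
func stubServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			http.Error(w, `{"code": 403, "message": "permission denied - not granted"}`, http.StatusForbidden)
			return
		}
		w.Write([]byte("{}"))
	}))
}

// InviteCall sends one invites request with a management key and classifies the result.
func InviteCall(base, method, accountID, key string) error {
	req, err := http.NewRequest(method, base+"/api/account/v1/accounts/"+accountID+"/invites", nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "apikey "+key)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 400 {
		return nil
	}
	var e struct{ Message string }
	json.NewDecoder(resp.Body).Decode(&e) // best effort; Message stays empty on a non-JSON body
	if resp.StatusCode == http.StatusForbidden {
		return fmt.Errorf("%s invites: %w (%s)", method, ErrInviteForbidden, e.Message)
	}
	return fmt.Errorf("%s invites: status %d %s", method, resp.StatusCode, e.Message)
}

func main() {
	fmt.Println(InviteCall(stubServer().URL, http.MethodPost, "acct-placeholder", "mk-placeholder"))
}
```

Callers can branch on `errors.Is(err, ErrInviteForbidden)` to queue a manual console invite rather than retrying with the same key.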