gravitational · nklaassen · Feb 21, 2023 · Feb 18, 2023 · Feb 21, 2023
diff --git a/lib/auth/access_request_test.go b/lib/auth/access_request_test.go
@@ -257,7 +257,7 @@ func testSingleAccessRequests(t *testing.T, testPack *accessRequestTestPack) {
 			desc:               "no search_as_roles",
 			requester:          "nobody",
 			requestResources:   []string{"prod"},
-			expectRequestError: trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`),
+			expectRequestError: trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user "nobody"`),
 		},
 	}
 	for _, tc := range testCases {

diff --git a/lib/services/access_request.go b/lib/services/access_request.go
@@ -230,7 +230,7 @@ func (m *RequestValidator) applicableSearchAsRoles(ctx context.Context, resource
 		rolesToRequest = append(rolesToRequest, roleName)
 	}
 	if len(rolesToRequest) == 0 {
-		return nil, trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`)
+		return nil, trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user %q`, m.user.GetName())
 	}
 
 	// Prune the list of roles to request to only those which may be necessary

diff --git a/lib/services/access_request_test.go b/lib/services/access_request_test.go
@@ -990,13 +990,13 @@ func TestRolesForResourceRequest(t *testing.T) {
 			desc:               "deny search",
 			currentRoles:       []string{"db-response-team", "deny-db-search"},
 			requestResourceIDs: resourceIDs,
-			expectError:        trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`),
+			expectError:        trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user "test-user"`),
 		},
 		{
 			desc:               "deny request",
 			currentRoles:       []string{"db-response-team", "deny-db-request"},
 			requestResourceIDs: resourceIDs,
-			expectError:        trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`),
+			expectError:        trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user "test-user"`),
 		},
 		{
 			desc:                 "multi allowed roles",
@@ -1028,7 +1028,7 @@ func TestRolesForResourceRequest(t *testing.T) {
 			desc:               "no allowed roles",
 			currentRoles:       nil,
 			requestResourceIDs: resourceIDs,
-			expectError:        trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`),
+			expectError:        trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user "test-user"`),
 		},
 	}
 	for _, tc := range testCases {

diff --git a/tool/tsh/tsh.go b/tool/tsh/tsh.go
@@ -2897,9 +2897,11 @@ func retryWithAccessRequest(cf *CLIConf, tc *client.TeleportClient, fn func() er
 	// Try to construct an access request for this node.
 	req, err := accessRequestForSSH(cf.Context, tc)
 	if err != nil {
-		// We can't request access to the node or it doesn't exist, return the
-		// original error but put this one in the debug log.
-		log.WithError(err).Debug("unable to request access to node")
+		// We can't request access to the node or we couldn't query the ID. Log
+		// a short debug message in case this is unexpected, but return the
+		// original AccessDenied error from the ssh attempt which is likely to
+		// be far more relevant to the user.
+		log.Debugf("Not attempting to automatically request access, reason: %v", err)
 		return trace.Wrap(origErr)
 	}
 	cf.RequestID = req.GetName()