diff --git a/lib/auth/access_request_test.go b/lib/auth/access_request_test.go
index 280718f9057c6..e2cb9f448b339 100644
--- a/lib/auth/access_request_test.go
+++ b/lib/auth/access_request_test.go
@@ -261,7 +261,7 @@ func testSingleAccessRequests(t *testing.T, testPack *accessRequestTestPack) {
 desc: "no search_as_roles",
 requester: "nobody",
 requestResources: []string{"prod"},
- expectRequestError: trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`),
+ expectRequestError: trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user "nobody"`),
 },
 }
 for _, tc := range testCases {
diff --git a/lib/services/access_request.go b/lib/services/access_request.go
index cd17ce49acae3..2c857d03302c6 100644
--- a/lib/services/access_request.go
+++ b/lib/services/access_request.go
@@ -184,7 +184,7 @@ func (m *RequestValidator) applicableSearchAsRoles(ctx context.Context, resource
 rolesToRequest = append(rolesToRequest, roleName)
 }
 if len(rolesToRequest) == 0 {
- return nil, trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`)
+ return nil, trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user %q`, m.user.GetName())
 }
 
 // Prune the list of roles to request to only those which may be necessary
diff --git a/lib/services/access_request_test.go b/lib/services/access_request_test.go
index 6f1baea7b9b48..8d9c2d8b4c792 100644
--- a/lib/services/access_request_test.go
+++ b/lib/services/access_request_test.go
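Review bot: Callers that classified this failure with `trace.IsBadParameter` will no longer match it, because the return in lib/services/access_request.go is now `trace.AccessDenied`; the hunk shows no callers, so that needs a tree-wide check, and the three test hunks only pin the new string rather than exercising a classifier. The message interpolates `m.user.GetName()`, which is the requester's own name, so it discloses nothing new to the caller; if a `RequestValidator` can ever be built without a user this line would now panic where the old one did not — I cannot tell from the hunk. The test hunks compare against the fully formatted message, which couples them to exact wording; asserting `trace.IsAccessDenied(err)` plus a substring match on `"search_as_roles"` would survive future rewording. applicableSearchAsRoles begins and ends outside the hunk.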
@@ -974,13 +974,13 @@ func TestRolesForResourceRequest(t *testing.T) {
 desc: "deny search",
 currentRoles: []string{"db-response-team", "deny-db-search"},
 requestResourceIDs: resourceIDs,
- expectError: trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`),
+ expectError: trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user "test-user"`),
 },
 {
 desc: "deny request",
 currentRoles: []string{"db-response-team", "deny-db-request"},
 requestResourceIDs: resourceIDs,
- expectError: trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`),
+ expectError: trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user "test-user"`),
 },
 {
 desc: "multi allowed roles",
@@ -1012,7 +1012,7 @@ func TestRolesForResourceRequest(t *testing.T) {
 desc: "no allowed roles",
 currentRoles: nil,
 requestResourceIDs: resourceIDs,
- expectError: trace.BadParameter(`user attempted a resource request but does not have any "search_as_roles"`),
+ expectError: trace.AccessDenied(`Resource Access Requests require usable "search_as_roles", none found for user "test-user"`),
 },
 }
 for _, tc := range testCases {
diff --git a/tool/tsh/tsh.go b/tool/tsh/tsh.go
index 097e60bdfd6c0..45c7edfaf4772 100644
--- a/tool/tsh/tsh.go
+++ b/tool/tsh/tsh.go
@@ -2775,9 +2775,11 @@ func retryWithAccessRequest(cf *CLIConf, tc *client.TeleportClient, fn func() er
 // Try to construct an access request for this node.
 req, err := accessRequestForSSH(cf.Context, tc)
 if err != nil {
- // We can't request access to the node or it doesn't exist, return the
- // original error but put this one in the debug log.
- log.WithError(err).Debug("unable to request access to node")
+ // We can't request access to the node or we couldn't query the ID. Log
+ // a short debug message in case this is unexpected, but return the
+ // original AccessDenied error from the ssh attempt which is likely to
+ // be far more relevant to the user.
+ log.Debugf("Not attempting to automatically request access, reason: %v", err)
 return trace.Wrap(origErr)
 }
 cf.RequestID = req.GetName()
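Review bot: The new `log.Debugf("... reason: %v", err)` folds the error into the message text, whereas the replaced `log.WithError(err).Debug(...)` kept it as a structured field, so log consumers that filter on the error field lose it — at odds with the new comment's stated goal of making an unexpected failure discoverable. Keeping the field is a one-liner: `log.WithError(err).Debug("Not attempting to automatically request access")`. Given that accessRequestForSSH can presumably now fail with the AccessDenied introduced in lib/services/access_request.go (no usable search_as_roles) as well as with transport or lookup errors, the branch could also check `trace.IsAccessDenied(err)` so that only the genuinely unexpected classes are logged above debug level; I am inferring the failure modes from the other hunks in this patch, not from visible code. retryWithAccessRequest starts and ends outside the hunk.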