Currently some resources in heat can't be created when

- enforce_new_default and enforce_scope are both True in keystone, and
- a dedicated domain (which is configured by stack_user_domain_id/name) is used for heat template-defined users.

Heat attempts to create a user within the stack domain for notifications, but the process to create the user fails because heat can't list roles with the domain admin credential.

```
pr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource Traceback (most recent call last):
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 922, in _action_recorder
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource yield
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 1034, in _do_action
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource yield from self.action_handler_task(action, args=handler_args)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resource.py", line 976, in action_handler_task
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource handler_data = handler(*args)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/openstack/heat/scaling_policy.py", line 127, in handle_create
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource super(AutoScalingPolicy, self).handle_create()
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 30, in handle_create
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource self._create_user()
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 44, in _create_user
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource user_id = self.keystone().create_stack_domain_user(
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 373, in create_stack_domain_user
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource stack_user_role = self.domain_admin_client.roles.list(
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/usr/local/lib/python3.10/dist-packages/keystoneclient/v3/roles.py", line 203, in list
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource return super(RoleManager, self).list(**kwargs)
...
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/session.py", line 985, in request
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource raise exceptions.from_response(resp, method, url)
Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: 2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_roles. (HTTP 403) (Request-ID: req-788fee8a-55e0-4070-921f-8558c2939b48)
```
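For triaging denials like the one in the trace above across a whole journal, the following added example (not part of the original report and not Heat code) extracts the denied policy rule, the Keystone request ID and the last service-side frame from each traceback. The function name, the `app_root` default (the devstack path seen in the trace) and the regular expressions are assumptions of this example.

```python
import re

# journald prefix followed by the oslo.log prefix, as in the trace above
LINE_RE = re.compile(
    r"^\w+\s+\d+ [\d:.]+ \S+ (?P<unit>[\w-]+)\[\d+\]: "
    r"\S+ \S+ \d+ (?P<level>[A-Z]+) \S+\s*(?P<msg>.*)$")
FRAME_RE = re.compile(r'File "(?P<path>[^"]+)", line (?P<line>\d+), in (?P<func>\w+)')
DENY_RE = re.compile(
    r"\.Forbidden: .*requested action: (?P<rule>[\w:]+)\. "
    r"\(HTTP 403\) \(Request-ID: (?P<req>req-[0-9a-f-]+)\)")

def find_policy_denials(lines, app_root="/opt/stack/heat/"):
    """Return one record per keystone 403 found in TRACE lines.

    app_root is the service's source tree (devstack path assumed); the
    last frame under it is reported as the caller that hit the policy.
    """
    denials, caller = [], None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["level"] != "TRACE":
            continue
        msg = m["msg"]
        if msg.startswith("Traceback "):
            caller = None              # new traceback, forget old frames
        elif (f := FRAME_RE.search(msg)):
            if f["path"].startswith(app_root):
                caller = f'{f["path"][len(app_root):]}:{f["line"]} {f["func"]}'
        elif (d := DENY_RE.search(msg)):
            denials.append({"unit": m["unit"], "rule": d["rule"],
                            "request_id": d["req"], "caller": caller})
    return denials

# Sample input: lines abridged from the trace above, plus one constructed
# INFO line that must be ignored.
P = ("Apr 10 13:13:22.850754 np0037258084 heat-engine[89669]: "
     "2024-04-10 13:13:22.847 89669 TRACE heat.engine.resource ")
SAMPLE = [
    P + "Traceback (most recent call last):",
    P + 'File "/opt/stack/heat/heat/engine/resources/stack_user.py", line 44, in _create_user',
    P + 'File "/opt/stack/heat/heat/engine/clients/os/keystone/heat_keystoneclient.py", line 373, in create_stack_domain_user',
    P + 'File "/usr/local/lib/python3.10/dist-packages/keystoneauth1/session.py", line 985, in request',
    P + "keystoneauth1.exceptions.http.Forbidden: You are not authorized to perform the requested action: identity:list_roles. (HTTP 403) (Request-ID: req-788fee8a-55e0-4070-921f-8558c2939b48)",
    P.replace("TRACE", "INFO") + "constructed line, not from the page",
]

if __name__ == "__main__":
    for denial in find_policy_denials(SAMPLE):
        print(denial)
```

The request ID in each record can be matched against the Keystone log to see which token scope and roles were evaluated for the denied call.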