review changes 5 (improve note docs)

h3adex · h3adex · commit c30f6a0b38a3 · 2025-11-28T16:22:07.000+01:00
Signed-off-by: Mauritz Uphoff &lt;mauritz.uphoff@stackit.cloud&gt;
diff --git a/docs/ephemeral-resources/access_token.md b/docs/ephemeral-resources/access_token.md
@@ -3,13 +3,16 @@
 page_title: "stackit_access_token Ephemeral Resource - stackit"
 subcategory: ""
 description: |-
-  Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Token generation logic prioritizes environment variables first, followed by provider configuration. Access tokens generated from service account keys expire after 60 minutes.
+  Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Access tokens generated from service account keys expire after 60 minutes.
+  ~> Service account key credentials must be configured either in the STACKIT provider configuration or via environment variables (see example below). If any other authentication method is configured, this ephemeral resource generation will fail with an error.
   ~> This ephemeral-resource is in beta and may be subject to breaking changes in the future. Use with caution. See our guide https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources for how to opt-in to use beta resources.
 ---
 
 # stackit_access_token (Ephemeral Resource)
 
-Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Token generation logic prioritizes environment variables first, followed by provider configuration. Access tokens generated from service account keys expire after 60 minutes.
+Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. Access tokens generated from service account keys expire after 60 minutes.
+
+~> Service account key credentials must be configured either in the STACKIT provider configuration or via environment variables (see example below). If any other authentication method is configured, this ephemeral resource generation will fail with an error.
 
 ~> This ephemeral-resource is in beta and may be subject to breaking changes in the future. Use with caution. See our [guide](https://registry.terraform.io/providers/stackitcloud/stackit/latest/docs/guides/opting_into_beta_resources) for how to opt-in to use beta resources.
 
diff --git a/stackit/internal/services/access_token/ephemeral_resource.go b/stackit/internal/services/access_token/ephemeral_resource.go
@@ -36,7 +36,7 @@ func (e *accessTokenEphemeralResource) Configure(ctx context.Context, req epheme
 
 	features.CheckBetaResourcesEnabled(
 		ctx,
-		&core.ProviderData{EnableBetaResources: ephemeralProviderData.EnableBetaResources},
+		&ephemeralProviderData.ProviderData,
 		&resp.Diagnostics,
 		"stackit_access_token", "ephemeral_resource",
 	)
@@ -62,12 +62,21 @@ func (e *accessTokenEphemeralResource) Metadata(_ context.Context, req ephemeral
 }
 
 func (e *accessTokenEphemeralResource) Schema(_ context.Context, _ ephemeral.SchemaRequest, resp *ephemeral.SchemaResponse) {
+	description := features.AddBetaDescription(
+		fmt.Sprintf(
+			"%s\n\n%s",
+			"Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. "+
+				"A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. "+
+				"If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. "+
+				"Access tokens generated from service account keys expire after 60 minutes.",
+			"~> Service account key credentials must be configured either in the STACKIT provider configuration or via environment variables (see example below). "+
+				"If any other authentication method is configured, this ephemeral resource generation will fail with an error.",
+		),
+		core.EphemeralResource,
+	)
+
 	resp.Schema = schema.Schema{
-		Description: features.AddBetaDescription("Ephemeral resource that generates a short-lived STACKIT access token (JWT) using a service account key. "+
-			"A new token is generated each time the resource is evaluated, and it remains consistent for the duration of a Terraform operation. "+
-			"If a private key is not explicitly provided, the provider attempts to extract it from the service account key instead. "+
-			"Token generation logic prioritizes environment variables first, followed by provider configuration. "+
-			"Access tokens generated from service account keys expire after 60 minutes.", core.EphemeralResource),
+		Description: description,
 		Attributes: map[string]schema.Attribute{
 			"access_token": schema.StringAttribute{
 				Description: "JWT access token for STACKIT API authentication.",
