Provider does not work with user credentials #140

Closed
ericnorris opened this issue Aug 18, 2021 · 0 comments · Fixed by #156
Labels: bug (Something isn't working)
Terraform Version

$ terraform version
Terraform v1.0.4
on darwin_amd64
+ provider registry.terraform.io/hashicorp/google v3.74.0
+ provider registry.terraform.io/hashicorp/googleworkspace v0.4.0

Affected Resource(s)

  • googleworkspace_group

Terraform Configuration Files

resource "googleworkspace_group" "iam" {
  email       = var.email
  name        = var.name
  description = var.description
}

Debug Output

N/A

Panic Output

N/A

Expected Behavior

Running terraform import works.

Actual Behavior

╷
│ Error: googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the admin.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/. If you are getting this error with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP header for quota and billing purposes. For more information regarding 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters., accessNotConfigured
│
│
╵

Steps to Reproduce


  1. gcloud auth application-default login --scopes "https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/admin.directory.group.readonly"
  2. terraform import

Important Factoids

I believe there are two separate ways this issue could be solved: one, the provider could respect the impersonated_user_email setting when used with application default credentials (currently it only does when an explicit JWT is passed, see [1]); or two, the provider could implement a billing_project setting (similar to the google provider: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#billing_project).

[1]

```go
if c.Credentials != "" {
	contents, _, err := pathOrContents(c.Credentials)
	if err != nil {
		return diag.FromErr(err)
	}
	jwtConfig, err := googleoauth.JWTConfigFromJSON([]byte(contents), c.ClientScopes...)
	if err != nil {
		return diag.FromErr(err)
	}
	// Only this explicit-JSON path sets the domain-wide-delegation subject.
	jwtConfig.Subject = c.ImpersonatedUserEmail
	cleanCtx := context.WithValue(ctx, oauth2.HTTPClient, cleanhttp.DefaultClient())
	// 1. OAUTH2 TRANSPORT/CLIENT - sets up proper auth headers
	client := jwtConfig.Client(cleanCtx)
	// 2. Logging Transport - ensure we log HTTP requests to admin APIs.
	loggingTransport := logging.NewTransport("Google Workspace", client.Transport)
	// Set final transport value.
	client.Transport = loggingTransport
	c.client = client
}
```

References

None that I could find.
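The second fix proposed above (a billing_project / quota-project setting) comes down to stamping every request with the X-Goog-User-Project header that the 403 message names. The following Go example, added here and not taken from the googleworkspace provider, shows how such a setting can be wired into the client's transport chain: an http.RoundTripper that adds the header sits between the OAuth2 transport and the logging transport, and a local httptest server is used so the behaviour can be checked offline. The type and function names (quotaProjectTransport, NewClientWithQuotaProject, HeaderSeenByServer) and the project ID are assumptions for illustration; the impersonated_user_email-with-ADC fix is not shown because it needs live Google credentials.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// quotaProjectTransport wraps another RoundTripper and stamps each outgoing
// request with X-Goog-User-Project. Google APIs read that header to decide
// which project is billed and whose quota is consumed when the caller
// authenticates with end-user (ADC) credentials rather than a service
// account, which is the situation behind the 403 in this issue.
// (Hypothetical type name, not the provider's own.)
type quotaProjectTransport struct {
	base         http.RoundTripper
	quotaProject string
}

func (t *quotaProjectTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	// Leave an explicitly set header alone, and do nothing when unset.
	if t.quotaProject == "" || req.Header.Get("X-Goog-User-Project") != "" {
		return t.base.RoundTrip(req)
	}
	// RoundTripper contract: never modify the caller's request; clone it.
	clone := req.Clone(req.Context())
	clone.Header.Set("X-Goog-User-Project", t.quotaProject)
	return t.base.RoundTrip(clone)
}

// NewClientWithQuotaProject mirrors what a provider-level billing_project
// setting would do. In the provider, base would be the OAuth2 transport and
// the result would then be wrapped by the logging transport.
func NewClientWithQuotaProject(base http.RoundTripper, quotaProject string) *http.Client {
	if base == nil {
		base = http.DefaultTransport
	}
	return &http.Client{Transport: &quotaProjectTransport{base: base, quotaProject: quotaProject}}
}

// HeaderSeenByServer sends one request through the wrapped client to a
// local test server (constructed stand-in for admin.googleapis.com) and
// returns the X-Goog-User-Project value the server observed.
func HeaderSeenByServer(quotaProject string) (string, error) {
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("X-Goog-User-Project")
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()

	client := NewClientWithQuotaProject(nil, quotaProject)
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/admin/directory/v1/groups/example", nil)
	if err != nil {
		return "", err
	}
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	// The caller's request object must not have been touched.
	if req.Header.Get("X-Goog-User-Project") != "" {
		return "", fmt.Errorf("transport mutated the caller's request")
	}
	return seen, nil
}

func main() {
	seen, err := HeaderSeenByServer("my-billing-project") // assumed project ID
	fmt.Println("server saw X-Goog-User-Project =", seen, "err =", err)
}
```

The user running terraform still needs the Admin SDK API enabled on the quota project and the scopes listed in the reproduction step; the header only tells Google which project to charge, it does not grant Workspace admin rights.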
