Error 403: Request had insufficient authentication scopes. #259
Comments
|
Hi @dsiebel ! I'm sorry that you're running into this issue, I'd like to help out here as best I can. It seems to me it might be a scopes issue. So, the scopes that you grant to your service account needs to match, or be a superset, of the The other thing I want to check is that I see the service account being impersonated via workload identity is working correctly, are you using credentials from a different service account locally? |
|
Hey @megan07, thanks for taking the time and getting back to me! and neither this nor configuring the two proposed scopes works. The error remains the same. It works perfectly fine with the service account, but it does not work with my personalized user, relying on application default credentials. |
|
@dsiebel ahh! ok! Did you use the I think you'll want to list the same scopes there. Let me know if that helps! Thanks! |
|
When I tried Google Login was telling me that the "App is blocked", so, naturally, I assumed that this was something I wasn't supposed to do. Thanks a bunch @megan07 ! 🙂 |
|
Thanks for the extra information @dsiebel ! I'm happy it's working! |
@dsiebel would you be so kind as to share how exactly you enable "trust" to Google Auth Library / gcloud SDK applications? I'm failing to generate application default credentials using ...after attempting to consent in browser I am getting:
Upd. Found it. One should go to https://admin.google.com/ac/owl/list?tab=configuredApps, and whitelist the app there using |
@gmile Did you manage to solve it with that? The project number mentioned is none of ours though. UPDATE I am guessing that's what #264 is about? |
|
I found this medium article researching the project number. I have been meaning to give it a try. |
|
I managed to get it working using service account impersonation all the way. provider "google" {
alias = "sa_auth"
project = local.service_project
}
data "google_service_account_access_token" "impersonatee" {
provider = google.sa_auth
target_service_account = local.service_account
scopes = [
"https://www.googleapis.com/auth/admin.directory.user",
"https://www.googleapis.com/auth/admin.directory.group",
"https://www.googleapis.com/auth/apps.groups.settings",
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/iam",
]
}
provider "googleworkspace" {
customer_id = "<redacted>"
access_token = data.google_service_account_access_token.impersonatee.access_token
service_account = local.service_account
oauth_scopes = [
"https://www.googleapis.com/auth/admin.directory.user",
"https://www.googleapis.com/auth/admin.directory.group",
"https://www.googleapis.com/auth/apps.groups.settings",
"https://www.googleapis.com/auth/cloud-platform",
"https://www.googleapis.com/auth/iam",
]
}
[...]Important to note, that the access scopes need to match, as also mentioned in this issue and it obviously requires you to have |
@dsiebel precisely, yes.
It appears that service account's access token is being part of Terraform state? I was looking for ways to specifically avoid storing any service account credentials as part of .tf state 🤔 For context, we are a small team, each of us runs terraform locally on our computers. Ideally, we don't want to infiltrate the .tf state with the access tokens that allow controlling users / groups at the organisation level, as I find it to be quite risky. Ideally, in our situation, all control would be done using local developer credentials, found on the computer. |
|
@gmile it's also possible to specify impersonation with an environment variable, https://cloud.google.com/blog/topics/developers-practitioners/using-google-cloud-service-account-impersonation-your-terraform-code - afaik that approach avoids storing tokens in the state. (Otherwise, the Terraform state storage can be set up to be accessible only by people who have 'generateAccessToken' privileges anyway, and the token otherwise has a short expiration.) |
|
Sorry, for the delay. My answers below.
No it is not. The access token is retrieved using a Terraform datasource. That is why the user interacting with the terraform state need to have EDIT: now that I wrote that I am suddently not sure whether the value of the data source will be persisted in the remote state (GCS) or not 🤔 |
Preface
This might be more of a "request for comment/clarification" than an actual bug.
What we are currently observing is the following:
We can plan and apply changes just fine from a GKE cluster with a Service Account using Workload Identity, but when we try to run import/plan/apply locally, using our personal users it fails with the error described below.
The Service Account has role
Groups Admin, while the personal accounts we were testing with haveSuperAdminrole in Google Workspace.We were already in contact with Google (Workspace) Support several times and got nowhere.
They are not officially supporting Terraform and always suggest to "reach out to terraform".
So here it goes:
Terraform Version
1.1.5
Affected Resource(s)
googleworkspace_groupsubsequently:
googleworkspace_group_settingsgoogleworkspace_group_membersTerraform Configuration Files
Debug Output
https://gist.github.com/dsiebel/5950f119bff40c11d9c27f737c964fb8
Panic Output
N/A
Expected Behavior
A new group to be created in Google Workspace.
Actual Behavior
terraform planshows the group will be created. Onterraform applythe API response is:Also when running plan after a previous apply (see preface), the plan already fails when trying to read an existing group.
Steps to Reproduce
terraform applyImportant Factoids
We are running terraform via Atlantis in a GKE cluster which uses a Service Account via Workload Identity to apply the changes. This Service Account has "Groups Admin" role in Google Workspace.
This work perfectly fine, however when trying to plan/apply locally, using our local users (
SuperAdminon Google Workspace), the aforementioned error occurs.References
N/A
The text was updated successfully, but these errors were encountered: