Using groups datasources fails with quota project error when authenticating as a non-service-account user #465

Open
andrewesweet opened this issue Sep 14, 2023 · 2 comments · May be fixed by #466

@andrewesweet

Terraform Version

1.5.x and 1.6.0-beta1 on windows_amd64.

Affected Resource(s)

Please list the resources as a list, for example:

  • datasource googleworkspace_groups
  • datasource googleworkspace_group
  • datasource googleworkspace_group_members

Terraform Configuration Files

provider "googleworkspace" {
  customer_id = "xxx"
}

data "googleworkspace_groups" "groups" {
}

output "groups" {
  value = data.googleworkspace_groups.groups
}

Debug Output

The salient bit is the groups list API call:

GET /admin/directory/v1/groups?alt=json%customer=xxx&prettyPrint=false HTTP/1.1
Host: admin.googleapis.com
User-Agent: google-api-go-client/0.5
X-Goog-Api-Client: gl-go/1.16.2 gdcl/0.79.0
Accept-Encoding: gzip

Panic Output

N/A

Expected Behavior

x-goog-user-project header should have been set to the quota project specified in the Application Default Credential and/or relevant environment variables.

Actual Behavior

The header is not sent. The API call returns a 403 and the following error message is rendered:

Error: Error when reading or editing groups: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials.
The admin.googleapis.com API requires a quota project, which is not set by default.

Steps to Reproduce

  1. Ensure your personal interactive account, not a service account, has the appropriate Google Workspace permissions. I assigned myself the "Group Reader" role for this test.
  2. Set the customer_id attribute of the provider accordingly.
  3. Create an Application Default Credential with gcloud auth application-default login. Ensure you include "https://www.googleapis.com/auth/admin.directory.group" or "https://www.googleapis.com/auth/admin.directory.group.readonly" in the scopes.
  4. Set a quota project using gcloud auth application-default set-quota-project foo or by exporting GOOGLE_CLOUD_QUOTA_PROJECT=foo.
  5. Execute terraform plan.

Important Factoids

The issue does not reproduce if using Service Account credentials. You can also reproduce this issue by setting the access_token provider attribute to the result of gcloud auth application-default print-access-token.

References

None

andrewesweet added a commit to andrewesweet/terraform-provider-googleworkspace that referenced this issue Sep 14, 2023
@andrewesweet andrewesweet linked a pull request Sep 14, 2023 that will close this issue
@Syndorik

I also came across this issue, have you found any solution for this (except for using service accounts)?

@timeyr

timeyr commented Feb 26, 2024

As a workaround, you can switch to https://registry.terraform.io/providers/SamuZad/googleworkspace/latest (see #464).

That version does not fix the issue completely, but it works if you set the GOOGLE_CLOUD_QUOTA_PROJECT env var prior to running Terraform.
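
The behaviour the report expects, as an added Go example that is not part of this thread or of the provider's code: resolve the quota project, then send it as the x-goog-user-project header on each request. The env-before-ADC-file precedence, the `quotaTransport` and `headerSeenBy` names, the constructed ADC JSON, and the local test server standing in for admin.googleapis.com are assumptions of the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// quotaProject prefers GOOGLE_CLOUD_QUOTA_PROJECT, then quota_project_id in the ADC JSON (assumed order).
func quotaProject(adcJSON []byte) string {
	if p := os.Getenv("GOOGLE_CLOUD_QUOTA_PROJECT"); p != "" {
		return p
	}
	var adc struct{ QuotaProjectID string `json:"quota_project_id"` }
	_ = json.Unmarshal(adcJSON, &adc) // a malformed file leaves the field empty
	return adc.QuotaProjectID
}

// quotaTransport (hypothetical name) stamps X-Goog-User-Project on every outgoing request.
type quotaTransport struct{ project string; base http.RoundTripper }

func (t quotaTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	if t.project != "" {
		r.Header.Set("X-Goog-User-Project", t.project)
	}
	return t.base.RoundTrip(r)
}

// headerSeenBy sends one request to a local test server and returns the header value it received.
func headerSeenBy(project string) (string, error) {
	seen := make(chan string, 1)
	srv := httptest.NewServer(http.HandlerFunc(func(_ http.ResponseWriter, r *http.Request) {
		seen <- r.Header.Get("X-Goog-User-Project")
	}))
	defer srv.Close()
	c := &http.Client{Transport: quotaTransport{project, http.DefaultTransport}}
	resp, err := c.Get(srv.URL + "/admin/directory/v1/groups?customer=xxx")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	fmt.Println(headerSeenBy(quotaProject([]byte(`{"quota_project_id":"foo"}`)))) // constructed ADC sample
}
```

An empty result from `quotaProject` reproduces the reported request, which goes out with no quota header at all.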
