Should check gcloud project Id when fetching ADCs

Open stevenyslee opened this issue 1 year ago • 4 comments

https://github.com/golang/oauth2/blob/ebe81ad83719fe3426335b22e40a1e3a76fa45c0/google/default.go#L36

Should get the quota project when fetching ADCs. This has caused terraform apply to fail with:

│ Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The orgpolicy.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/764086051850",
│       "service": "orgpolicy.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]
│ 
│   with module.cs-org-policy-storage_publicAccessPrevention.google_org_policy_policy.org_policy_boolean[0],
│   on .terraform/modules/cs-org-policy-storage_publicAccessPrevention/modules/org_policy_v2/boolean_constraints.tf line 20, in resource "google_org_policy_policy" "org_policy_boolean":
│   20: resource "google_org_policy_policy" "org_policy_boolean" {

despite the billing and quota project being set in gcloud.

stevenyslee avatar Feb 16 '24 01:02 stevenyslee

I'm running into the same issue. I noticed in my case, the project number showing up does not match the quota project's number:

"consumer": "projects/764086051850"

Have you found a fix?

jado06 avatar Apr 26 '24 17:04 jado06

I was able to get around it by manually setting the project in the environment variable

export USER_PROJECT_OVERRIDE=true # force resources to send a billing project
export GOOGLE_BILLING_PROJECT=your-quota-project # override the billing project for all resources
terraform apply

stevenyslee avatar Apr 29 '24 22:04 stevenyslee

> I was able to get around it by manually setting the project in the environment variable

You can also configure the provider instead of using environment variables.

provider "google" {
  region                = "europe-west10"
  project               = "my-project"
  billing_project       = "my-project"
  user_project_override = true
}

taisph avatar Apr 30 '24 11:04 taisph

Thank you both, that workaround worked for me.

That being said, since the original issue still persists, I'm sharing the GitHub issue I created for it for reference. Feel free to add a thumbs up for additional visibility from the product team.

  • https://github.com/hashicorp/terraform-provider-google/issues/17998

jado06 avatar May 02 '24 17:05 jado06
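
A diagnostic for the mismatch discussed in this thread, added here as an example and not taken from golang/oauth2 or the Terraform provider: it reads an ADC file and reports which project a request would be attributed to. The helper `quotaDiagnosis` is hypothetical; the `quota_project_id` field, the `GOOGLE_CLOUD_QUOTA_PROJECT` variable, their precedence, and the fallback to the OAuth client's project number are assumptions based on how gcloud and Google's client libraries behave.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// adcFile holds the fields of application_default_credentials.json that
// matter for quota attribution (field names are assumptions, see lead-in).
type adcFile struct {
	Type           string `json:"type"`
	ClientID       string `json:"client_id"`
	QuotaProjectID string `json:"quota_project_id"`
}

// quotaDiagnosis (hypothetical helper) returns the project a call would be
// attributed to and which setting that decision came from.
func quotaDiagnosis(raw []byte, envQuota string) (project, source string, err error) {
	var f adcFile
	if err = json.Unmarshal(raw, &f); err != nil {
		return "", "", fmt.Errorf("parse ADC: %w", err)
	}
	switch {
	case envQuota != "":
		return envQuota, "GOOGLE_CLOUD_QUOTA_PROJECT", nil
	case f.QuotaProjectID != "":
		return f.QuotaProjectID, "quota_project_id", nil
	case f.Type == "authorized_user":
		// Assumption: with no quota project set, user credentials fall back to
		// the project owning the OAuth client, whose number prefixes client_id.
		num, _, _ := strings.Cut(f.ClientID, "-")
		return "projects/" + num, "client_id", nil
	}
	return "", "unset", nil // other credential types are not modelled here
}

// Constructed sample: only the project number is taken from the error above.
const sampleADC = `{"type":"authorized_user","client_id":"764086051850-EXAMPLE.apps.googleusercontent.com","refresh_token":"REDACTED"}`

func main() {
	p, src, err := quotaDiagnosis([]byte(sampleADC), os.Getenv("GOOGLE_CLOUD_QUOTA_PROJECT"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("requests attributed to %q (from %s)\n", p, src)
}
```

A result sourced from `client_id` corresponds to the `"consumer": "projects/764086051850"` value in the 403 above, which is why it does not match the quota project configured in gcloud.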