terraform-provider-googleworkspace

CREDENTIALS_MISSING error with service account

Open awolde opened this issue 2 years ago • 4 comments

Hi there,

I am having difficulties authenticating using this provider. It looks like the only way I can auth is by using access_token. I tried using export GOOGLEWORKSPACE_CREDENTIALS=key.json and even setting the credentials file directly in the provider block as shown below.

Terraform Version

Terraform v1.1.6.

Affected Resource(s)

Provider issue

Terraform Configuration Files

provider "googleworkspace" {
  credentials = "key.json"
  customer_id = "xxxxxx"
  service_account = "[email protected]"
#  access_token = "" #works with only access token
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.userschema",
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.groupschema",
    "https://www.googleapis.com/auth/directory.group",
    "https://apps-apis.google.com/a/feeds/groups/",
  ]
}

resource "googleworkspace_group" "bk" {
  email       = "[email protected]"
  name        = "[email protected]"
  description = "Admin group"
}

LOG output

2022-09-30T10:39:16.734-0500 [INFO]  provider.terraform-provider-googleworkspace: 2022/09/30 10:39:16 [DEBUG] Retry Transport: Stopping retries, last request failed with non-retryable error: googleapi: got HTTP response code 401 with body: HTTP/2.0 401 Unauthorized
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Fri, 30 Sep 2022 15:39:16 GMT
Server: ESF
Vary: Origin
Vary: X-Origin
Vary: Referer
Www-Authenticate: Bearer realm="https://accounts.google.com/"
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
  "error": {
    "code": 401,
    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
    "errors": [
      {
        "message": "Login Required.",
        "domain": "global",
        "reason": "required",
        "location": "Authorization",
        "locationType": "header"
      }
    ],
    "status": "UNAUTHENTICATED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "CREDENTIALS_MISSING",
        "domain": "googleapis.com",
        "metadata": {
          "method": "ccc.hosted.frontend.directory.v1.DirectoryGroups.Insert",
          "service": "admin.googleapis.com"
        }
      }
    ]
  }
}

awolde, Sep 30 '22 15:09

I am able to use the provider with a GCP service account file. I had to reference the service account file as an absolute path in the credentials field of the provider block. If I provided a relative path to the credential file I would get an error for an unexpected format or something like that. You might try that and see if it works.

stm9443, Oct 01 '22 01:10

Having only the customer id in the provider worked

provider "googleworkspace" {
  customer_id = "xxxxxxx"
}

And then export GOOGLEWORKSPACE_CREDENTIALS=key.json

awolde, Oct 01 '22 04:10

Hi, I've got the same issue. Any ideas?

│ Error: googleapi: Error 403: Not Authorized to access this resource/api, forbidden

provider "googleworkspace" {
  credentials             = "credentials/service-account.json"
  customer_id             = "Bla-Bla-45"
  impersonated_user_email = "[email protected]"
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/apps.groups.settings",
    "https://www.googleapis.com/auth/admin.directory.group.member",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/admin.directory.userschema",
    "https://www.googleapis.com/auth/iam"
  ]
}

AlKapkone, Feb 03 '23 11:02

Hi All,

I have the same issue.

Error: googleapi: Error 401: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.

I have tried the following:

  1. Set the credentials field to the absolute path of the service account key JSON file
  2. Set the environment variable, GOOGLEWORKSPACE_CREDENTIALS, to the absolute path of the service account key JSON file

Does anyone have similar experience and know of a solution? Thanks.

tanng1999, Feb 11 '23 08:02
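
A preflight check for the key file discussed in the comments above, as an added example that is not part of the thread or of the provider's code: it reports whether the path is relative, whether the file exists and parses as a service account key, and whether its permissions expose the private key. The function name `check_key_file` and the permission check are assumptions of this example; it does not reproduce how the provider itself loads credentials.

```python
import json
import os
import stat
import sys

# Fields of a Google service account key file that a JWT-based
# token request depends on.
REQUIRED_FIELDS = ("type", "client_email", "private_key", "token_uri")


def check_key_file(path):
    """Return a list of problems with the key file at `path` (empty list = none found)."""
    if not path:
        return ["no credentials path given"]
    problems = []
    if not os.path.isabs(path):
        # A relative path is resolved against the current working directory.
        problems.append(f"relative path, resolves to {os.path.abspath(path)}")
    if not os.path.isfile(path):
        return problems + ["file does not exist or is not a regular file"]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        # The file holds a private key: only the owner should have access.
        problems.append(f"mode {mode:o} grants group/other access, use chmod 600")
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError) as exc:
        return problems + [f"not readable as JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    missing = [f for f in REQUIRED_FIELDS if not key.get(f)]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    return problems


if __name__ == "__main__":
    # Path from argv, else from the environment variable used in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("GOOGLEWORKSPACE_CREDENTIALS", "")
    found = check_key_file(target)
    for line in found:
        print("PROBLEM:", line)
    sys.exit(1 if found else 0)
```

A clean result only shows that the file is a well-formed key at the expected location; a 403 like the one reported above is returned after authentication and is not something this check can detect.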