
Using groups datasources fails with quota project error when authenticating as a non-service-account user

Open andrewesweet opened this issue 1 year ago • 2 comments

Terraform Version

1.5.x and 1.6.0-beta1 on windows_amd64.

Affected Resource(s)

Please list the resources as a list, for example:

  • datasource googleworkspace_groups
  • datasource googleworkspace_group
  • datasource googleworkspace_group_members

Terraform Configuration Files

provider "googleworkspace" {
  customer_id = "xxx"
}

data "googleworkspace_groups" "groups" {
}

output "groups" {
  value = data.googleworkspace_groups.groups
}

Debug Output

The salient bit is the groups list API call:

GET /admin/directory/v1/groups?alt=json%customer=xxx&prettyPrint=false HTTP/1.1
Host: admin.googleapis.com
User-Agent: google-api-go-client/0.5
X-Goog-Api-Client: gl-go/1.16.2 gdcl/0.79.0
Accept-Encoding: gzip

Panic Output

N/A

Expected Behavior

The x-goog-user-project header should have been set to the quota project specified in the Application Default Credential and/or the relevant environment variables.

Actual Behavior

The header is not sent. The API call returns a 403 and the following error message is rendered:

Error: Error when reading or editing groups: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials.
The admin.googleapis.com API requires a quota project, which is not set by default.

Steps to Reproduce

  1. Ensure your personal interactive account, not a service account, has the appropriate Google Workspace permissions. I assigned myself the "Group Reader" role for this test.
  2. Set the customer_id attribute of the provider accordingly.
  3. Create an Application Default Credential with gcloud auth application-default login. Ensure you include "https://www.googleapis.com/auth/admin.directory.group" or "https://www.googleapis.com/auth/admin.directory.group.readonly" in the scopes.
  4. Set a quota project using gcloud auth application-default set-quota-project foo or by exporting GOOGLE_CLOUD_QUOTA_PROJECT=foo.
  5. Execute terraform plan.

Important Factoids

The issue does not reproduce if using Service Account credentials. You can also reproduce this issue by setting the access_token provider attribute to the result of gcloud auth application-default print-access-token.

References

None

andrewesweet · Sep 14 '23 19:09
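The report above expects the quota project recorded by gcloud (in the ADC file, or via GOOGLE_CLOUD_QUOTA_PROJECT) to be turned into an x-goog-user-project header on every Directory API call. The following Go program is an added example, not code from the provider or from the issue author: it shows the resolution order the reporter describes (environment variable first, then the ADC file), an http.RoundTripper that stamps the header, and a local test server that mimics the 403 the real endpoint returns when the header is absent. The ADC JSON is a constructed sample with placeholder values; the field name quota_project_id is what gcloud writes, everything else (function names, the server path) is this example's own choice, and nothing here contacts Google.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
)

// Constructed sample of application_default_credentials.json as written after
// `gcloud auth application-default set-quota-project foo`. All values are placeholders.
const sampleADC = `{
  "client_id": "placeholder-client-id.apps.googleusercontent.com",
  "client_secret": "placeholder-secret",
  "quota_project_id": "foo",
  "refresh_token": "placeholder-refresh-token",
  "type": "authorized_user"
}`

// adcFile holds only the fields this example needs.
type adcFile struct {
	Type           string `json:"type"`
	QuotaProjectID string `json:"quota_project_id"`
}

// ResolveQuotaProject follows the precedence described in the issue: an explicit
// GOOGLE_CLOUD_QUOTA_PROJECT value wins, otherwise the quota_project_id stored in
// the ADC file is used. Returns "" when neither source names a project.
func ResolveQuotaProject(envValue string, adcJSON []byte) (string, error) {
	if envValue != "" {
		return envValue, nil
	}
	var adc adcFile
	if err := json.Unmarshal(adcJSON, &adc); err != nil {
		return "", fmt.Errorf("parsing ADC: %w", err)
	}
	return adc.QuotaProjectID, nil
}

// quotaProjectTransport wraps a RoundTripper and adds x-goog-user-project to each
// outgoing request, which is the header the reporter expected to see in the debug log.
type quotaProjectTransport struct {
	base    http.RoundTripper
	project string
}

func (t *quotaProjectTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if t.project != "" && req.Header.Get("X-Goog-User-Project") == "" {
		req = req.Clone(req.Context()) // do not mutate the caller's request
		req.Header.Set("X-Goog-User-Project", t.project)
	}
	return t.base.RoundTrip(req)
}

// NewClient builds an http.Client whose transport sets the quota-project header.
func NewClient(project string) *http.Client {
	return &http.Client{Transport: &quotaProjectTransport{base: http.DefaultTransport, project: project}}
}

// HeaderSeenByServer sends one GET through client to a local test server and
// returns the x-goog-user-project value the server received ("" if it was absent).
// The handler answers 403 without the header, mirroring the real API's behaviour.
func HeaderSeenByServer(client *http.Client) (string, error) {
	var seen string
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = r.Header.Get("X-Goog-User-Project")
		if seen == "" {
			http.Error(w, "The admin.googleapis.com API requires a quota project", http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusOK)
	}))
	defer srv.Close()
	resp, err := client.Get(srv.URL + "/admin/directory/v1/groups?alt=json&customer=xxx")
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return seen, nil
}

func main() {
	project, err := ResolveQuotaProject(os.Getenv("GOOGLE_CLOUD_QUOTA_PROJECT"), []byte(sampleADC))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	seen, err := HeaderSeenByServer(NewClient(project))
	fmt.Printf("quota project resolved to %q; server saw header %q (err=%v)\n", project, seen, err)
}
```

Running the program with GOOGLE_CLOUD_QUOTA_PROJECT unset resolves "foo" from the sample ADC and the test server sees the header; calling NewClient("") reproduces the reporter's failure mode, a 403 with no header on the wire. In a real provider the header would be added on the client it builds from the credential, so that both user ADC and service-account paths behave the same.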