Closed skikkh closed 11 months ago
Hi there @skikkh :wave:!
Thank you for opening an issue. Our team will triage this as soon as we can. Please take a moment to review the troubleshooting steps which lists common error messages and their resolution steps.
Hi @skikkh - thank you for opening an issue. User Project Override is a feature of the calling library/tool (Terraform, gcloud, Python SDK); there's nothing we can do in the auth
action to force downstream libraries/tools to add the X-Goog-User-Project
header.
TL;DR
Currently, when granting permissions of Project B to Project A using Direct Workload Identity Federation, it is necessary to enable the API of the relevant resource in Project A when assigning a role in Project B. This is the current specification.
In Terraform, this can be addressed by setting
user_project_override
to true for each project. However, I do not want to handle this for each project individually.I would like to request a change in the specification so that Project A can call the APIs of each project directly, or alternatively, add this as an optional feature.
Detailed design
No response
Additional information
No response