hashicorp / terraform-provider-google

Terraform Provider for Google Cloud Platform
https://registry.terraform.io/providers/hashicorp/google/latest/docs
Mozilla Public License 2.0

principalSet not working in google_service_account_iam_policy #12446

Closed AndreasBergmeier6176 closed 2 years ago

AndreasBergmeier6176 commented 2 years ago

Community Note

Terraform Version

Terraform v1.1.6
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v4.33.0

Affected Resource(s)

Terraform Configuration Files

data "google_iam_policy" "foo" {
  binding {
    role = "roles/iam.workloadIdentityUser"

    members = [
      "principalSet://iam.googleapis.com/${google_iam_workload_identity_pool.default.workload_identity_pool_id}/attribute.repository/hashicorp/terraform-provider-google",
    ]
  }
}

resource "google_service_account_iam_policy" "foo" {
  service_account_id = google_service_account.foo.name
  policy_data        = data.google_iam_policy.foo.policy_data
}

Expected Behavior

Should just work.

Actual Behavior

Error 400: The member principalSet://iam.googleapis.com/all/attribute.repository/hashicorp/terraform-provider-google is of an unknown type. Please set a valid type prefix for the member., badRequest

Steps to Reproduce

  1. terraform apply

Important Factoids

There were some bugs for that previously - maybe policy was forgotten?

References

edwardmedia commented 2 years ago

@AndreasBergmeier6176 the error below is from the API and it seems to be clear. There is not much the provider can do. Where did you see that this member is valid? Can you create the policy with other methods?

Error 400: The member principalSet://iam.googleapis.com/all/attribute.repository/hashicorp/terraform-provider-google is of an unknown type

AndreasBergmeier6176 commented 2 years ago

@AndreasBergmeier6176 the error below is from the API and it seems to be clear. There is not much the provider can do. Where did you see that this member is valid?

We saw the member working with google_service_account_iam_member. How come it works for _member but not for _policy?

fiadliel commented 2 years ago

I think you need google_iam_workload_identity_pool.default.id instead of google_iam_workload_identity_pool.default.workload_identity_pool_id.

Looking at https://cloud.google.com/iam/docs/workload-identity-federation#impersonation the format is documented as principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE

AndreasBergmeier6176 commented 2 years ago

@fiadliel Thanks a lot. It indeed was the problem. Seems like the error message of the API is a bit misleading.
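A pre-apply check for the mistake resolved in this thread, added here as an example and not part of the issue or the provider: it lints `principalSet://` members against the documented format linked above (`projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID/attribute.NAME/VALUE`) and reports the bare-pool-id shape specifically, since the API's "unknown type" message does not point at it. It also builds a member from a pool's full resource name, which is what the pool resource's `id`/`name` attributes carry, and refuses a bare pool id. The project number `123456789012` and pool id `github-pool` are constructed sample values; the lint follows the documented numeric project form, which is an assumption about how strict the API is with project IDs.

```python
import re

# Documented member format for a workload identity pool attribute set
# (https://cloud.google.com/iam/docs/workload-identity-federation#impersonation):
# principalSet://iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/
#   workloadIdentityPools/POOL_ID/attribute.ATTRIBUTE_NAME/ATTRIBUTE_VALUE
PREFIX = "principalSet://iam.googleapis.com/"
POOL_RE = re.compile(
    r"^projects/\d+/locations/global/workloadIdentityPools/[a-z0-9-]+$"
)
MEMBER_RE = re.compile(
    r"^principalSet://iam\.googleapis\.com/"
    r"projects/\d+/locations/global/workloadIdentityPools/[a-z0-9-]+/"
    r"attribute\.(?P<attribute>[A-Za-z0-9_]+)/(?P<value>.+)$"
)


def check_principal_set_member(member: str) -> tuple[bool, str]:
    """Return (ok, reason) for one IAM member string.

    Members that are not principalSet:// are not checked here. For
    principalSet:// members, a bare pool id in place of the pool's full
    resource name (the shape that failed in this issue) gets a pointed reason.
    """
    if not member.startswith(PREFIX):
        return True, "not a principalSet member, skipped"
    if MEMBER_RE.match(member):
        return True, "ok"
    rest = member[len(PREFIX):]
    if not rest.startswith("projects/"):
        first = rest.split("/", 1)[0]
        return False, (
            f"pool segment {first!r} is not a full resource name; use "
            "projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL_ID"
        )
    if "/attribute." not in rest:
        return False, "missing '/attribute.NAME/VALUE' suffix"
    return False, "does not match the documented principalSet format"


def principal_set_member(pool_resource_name: str, attribute: str, value: str) -> str:
    """Build a principalSet member from a pool's full resource name.

    Refuses a bare pool id so the mistake cannot be made silently.
    """
    if not POOL_RE.match(pool_resource_name):
        raise ValueError(
            f"{pool_resource_name!r} is not a full workload identity pool resource name"
        )
    return f"{PREFIX}{pool_resource_name}/attribute.{attribute}/{value}"


def lint_members(members):
    """Check every member and return (member, ok, reason) triples."""
    return [(m, *check_principal_set_member(m)) for m in members]


if __name__ == "__main__":
    # Constructed sample pool resource name (project number and pool id are made up).
    pool = "projects/123456789012/locations/global/workloadIdentityPools/github-pool"
    samples = [
        # The member from this issue's error message: bare pool id instead of resource name.
        "principalSet://iam.googleapis.com/all/attribute.repository/hashicorp/terraform-provider-google",
        # The same binding built from the full resource name.
        principal_set_member(pool, "repository", "hashicorp/terraform-provider-google"),
        # A non-principalSet member, constructed; left alone by this lint.
        "serviceAccount:foo@example.iam.gserviceaccount.com",
    ]
    for member, ok, reason in lint_members(samples):
        print("OK " if ok else "BAD", member, "-", reason)
```

Run it against the members pulled out of `google_iam_policy` bindings before `terraform apply`; a `BAD` line with the "pool segment ... is not a full resource name" reason is the symptom this thread hit.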

edwardmedia commented 2 years ago

Closing this then

github-actions[bot] commented 2 years ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.