Closed zidz closed 2 years ago
@zidz Terraform and gcloud do not use the exact same methods to handle authentication & authorization. Below is the one recommended for Terraform. From the steps to reproduce you provided, the issue happens on GKE node(s) but not on your local machine(s). Can you compare whether both environments have the same environment variables?
Thank you for taking a look into this @edwardmedia
I don't quite understand how they differ regarding authentication, would you please elaborate a bit?
Scrolling down a bit in the provider reference documentation, it mentions the GOOGLE_OAUTH_ACCESS_TOKEN environment variable. It describes how you can use OAuth Authorization: Bearer tokens with Terraform, so that's what we've been using for Terraform since the start, and it is now also used with curl to test the possibility to reach and authenticate to the endpoints mentioned in the gists.
Regarding the environment variables, there aren't any relevant environment variables on my laptop that aren't in the pod in GKE. As per the provider reference documentation, the only one present on my laptop (and in the pod) that is consumed by Terraform is GOOGLE_OAUTH_ACCESS_TOKEN.
Hi,
I don't understand the relation between my bug report and issue #8671.
I don't see that I've mentioned it before, or if it makes any difference, but I've also downloaded the service account key file and let Terraform authenticate with that one, not relying on Workload Identity in GKE; the plan ended with the very same error.
We found out that when the shared VPC has Private Google Access enabled, Terraform has trouble accessing some endpoints. So to fix that you have to disable that setting or alter the DNS in a suitable way.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Terraform Version
Terraform v1.0.1 Google Provider 3.75
Affected Resource(s)
Terraform Configuration Files
provider.tf
iap.tf
Debug Output
403 during plan, resource "google_iap_brand" https://gist.github.com/zidz/4c3dda5180d93de33a18c19f31e868f6
403 during plan, data "google_project" https://gist.github.com/zidz/01c7b46d77a5941a204895d407e94a38
Panic Output
N/A
Expected Behavior
It should be able to make these API calls as they can be done with the exact same oauth token using curl. Terraform is able to deploy all other resources we use in these projects like buckets, GKE clusters and a whole bunch more. The 403 happens only for the API calls made for the ones mentioned above and in the gists. Terraform vs curl API access verified like this:
For project with IAP API 403
For project with billingInfo API 403
This is NOT an intermittent error.
Actual Behaviour
403 on API call, see gists
Steps to Reproduce
If we run this Terraform code from our laptops, the plan works as expected. If run from a GKE node connected to our shared VPC, this happens. The shared VPC is routed through an on-prem network before reaching the internet.
Important Factoids
N/A
References
N/A
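As an added example (not code from the issue or from the provider), a small POSIX shell diagnostic for the Terraform-vs-curl comparison described in the report: it calls the two endpoints that returned 403 with the same GOOGLE_OAUTH_ACCESS_TOKEN Terraform consumes and shows whether each API hostname resolves to the Private Google Access VIP ranges, which the thread identified as the cause on the shared VPC. It assumes curl and getent are available and that a GCP_PROJECT variable (an assumed name, not from the issue) selects the project to probe.

```shell
#!/bin/sh
# Added diagnostic (not from the issue or the provider): probe the two endpoints
# that returned 403 with the same bearer token Terraform uses, and show how each
# API hostname resolves from this host, since the root cause in the thread was
# Private Google Access / DNS on the shared VPC.
set -u

# Classify a resolved address. The Private Google Access VIP ranges are the
# documented ones: private.googleapis.com = 199.36.153.8/30,
# restricted.googleapis.com = 199.36.153.4/30. Anything else is a public VIP.
classify_ip() {
  case "$1" in
    199.36.153.8|199.36.153.9|199.36.153.10|199.36.153.11) echo "private.googleapis.com VIP" ;;
    199.36.153.4|199.36.153.5|199.36.153.6|199.36.153.7)   echo "restricted.googleapis.com VIP" ;;
    *) echo "public" ;;
  esac
}

# URL of each probe (the IAP brand list and the project billingInfo the report
# names); kept as a function so the mapping is testable offline.
probe_url() {
  case "$1" in
    iap)     echo "https://iap.googleapis.com/v1/projects/$2/brands" ;;
    billing) echo "https://cloudbilling.googleapis.com/v1/projects/$2/billingInfo" ;;
    *) return 1 ;;
  esac
}

# Resolve a hostname and classify every IPv4 address it maps to.
show_resolution() {
  host=$1
  getent ahostsv4 "$host" | awk '{print $1}' | sort -u | while read -r ip; do
    printf '%s -> %s (%s)\n' "$host" "$ip" "$(classify_ip "$ip")"
  done
}

# HTTP status of a GET with the Terraform token; the body is discarded and the
# token is never printed.
probe_status() {
  curl -sS -o /dev/null -w '%{http_code}' \
    -H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" "$1"
}

# Only touch the network when a project and token are supplied (assumed
# variable GCP_PROJECT); the functions above are safe to source elsewhere.
if [ -n "${GCP_PROJECT:-}" ] && [ -n "${GOOGLE_OAUTH_ACCESS_TOKEN:-}" ]; then
  for api in iap billing; do
    url=$(probe_url "$api" "$GCP_PROJECT")
    show_resolution "$(printf '%s' "$url" | awk -F/ '{print $3}')"
    printf '%s %s\n' "$(probe_status "$url")" "$url"
  done
fi
```

Run it once from a laptop and once from the GKE pod with the same token; a 403 paired with a VIP classification that differs between the two hosts points at the DNS/Private Google Access path rather than at the credentials.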