hashicorp / terraform-provider-googleworkspace

Terraform Provider for Google Workspace
https://registry.terraform.io/providers/hashicorp/googleworkspace
Mozilla Public License 2.0

Fix Impersonation Under Access Token Method #370

Open tgoodsell-tempus opened 2 years ago

tgoodsell-tempus commented 2 years ago

What: When using the current configuration to do an impersonated_user_email using a defined access_token, the call uses the signJwt method under the hood and improperly sets up the impersonated token. This switches to the better supported generateAccessToken API method.

Why: Even with the iam.serviceAccountTokenCreator role applied, the signJwt method is providing a 403 error when attempting this operation. However, using the generateAccessToken method succeeds as expected. Ultimately this produces the same access token required for the client.
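The generateAccessToken exchange the PR switches to, as an added Go example that is not the provider's code: the caller's own credential is presented to the IAM Credentials API, which mints a short-lived token for the target service account if the caller holds roles/iam.serviceAccountTokenCreator on it. The endpoint, request and response fields are the public IAM Credentials API; the baseURL parameter, the SOURCE_TOKEN/TARGET_SA environment variables and the chosen scope are assumptions of this example.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"os"
)

// TokenResponse is the subset of the generateAccessToken response the provider needs.
type TokenResponse struct {
	AccessToken string `json:"accessToken"`
	ExpireTime  string `json:"expireTime"`
}

// GenerateAccessToken presents sourceToken (the caller's credential, which must hold
// roles/iam.serviceAccountTokenCreator on targetSA) to the IAM Credentials API and returns
// a short-lived token for targetSA. lifetime is a duration string such as "3600s"; baseURL
// is https://iamcredentials.googleapis.com in production (a parameter here only for tests).
func GenerateAccessToken(ctx context.Context, client *http.Client, baseURL, sourceToken, targetSA string, scopes []string, lifetime string) (*TokenResponse, error) {
	body, _ := json.Marshal(map[string]interface{}{"scope": scopes, "lifetime": lifetime}) // cannot fail for string values
	endpoint := fmt.Sprintf("%s/v1/projects/-/serviceAccounts/%s:generateAccessToken", baseURL, targetSA)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+sourceToken)
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // 403 here: caller lacks TokenCreator on targetSA
		return nil, fmt.Errorf("generateAccessToken: HTTP %d", resp.StatusCode)
	}
	var out TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return nil, err
	}
	return &out, nil
}

func main() { // SOURCE_TOKEN and TARGET_SA are assumed environment variables for this example.
	tok, err := GenerateAccessToken(context.Background(), http.DefaultClient, "https://iamcredentials.googleapis.com", os.Getenv("SOURCE_TOKEN"), os.Getenv("TARGET_SA"), []string{"https://www.googleapis.com/auth/admin.directory.user"}, "3600s")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("minted token for", os.Getenv("TARGET_SA"), "expires", tok.ExpireTime)
}
```

The returned accessToken is what the provider hands to the Workspace client; a non-200 response surfaces as an error rather than a token, so a missing TokenCreator binding on the target service account fails loudly at this step.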

amontalban commented 1 year ago

Thank you so much @tgoodsell-tempus, this fixed my issues after losing SEVERAL HOURS figuring out what was not working.

I have an AWS IAM Role that is impersonating a ServiceAccount using Workload Identity Federation which then impersonates a ServiceAccount that manages Google Workspace so figuring this out was kind of hard until Google pointed me to this PR 🙏 .

@SarahFrench @megan07 Can we have this merged, please?

amontalban commented 1 year ago

@sheneska do you think we can merge this? Thanks! 🙏