hashicorp / terraform-provider-googleworkspace

Terraform Provider for Google Workspace
https://registry.terraform.io/providers/hashicorp/googleworkspace
Mozilla Public License 2.0

Using groups datasources fails with quota project error when authenticating as a non-service-account user #465

Open andrewesweet opened 10 months ago

andrewesweet commented 10 months ago

Terraform Version

1.5.x and 1.6.0-beta1 on windows_amd64.

Affected Resource(s)


Terraform Configuration Files

provider "googleworkspace" {
  customer_id = "xxx"
}

data "googleworkspace_groups" "groups" {
}

output "groups" {
  value = data.googleworkspace_groups.groups
}

Debug Output

The salient bit is the groups list API call:

GET /admin/directory/v1/groups?alt=json%customer=xxx&prettyPrint=false HTTP/1.1
Host: admin.googleapis.com
User-Agent: google-api-go-client/0.5
X-Goog-Api-Client: gl-go/1.16.2 gdcl/0.79.0
Accept-Encoding: gzip

Panic Output

N/A

Expected Behavior

x-goog-user-project header should have been set to the quota project specified in the Application Default Credential and/or relevant environment variables.

Actual Behavior

The header is not sent. The API call returns a 403 and the following error message is rendered:

Error: Error when reading or editing groups: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials.
The admin.googleapis.com API requires a quota project, which is not set by default.

Steps to Reproduce

  1. Ensure your personal interactive account, not a service account, has the appropriate Google Workspace permissions. I assigned myself the "Group Reader" role for this test.
  2. Set the customer_id attribute of the provider accordingly.
  3. Create an Application Default Credential with gcloud auth application-default login. Ensure you include "https://www.googleapis.com/auth/admin.directory.group" or "https://www.googleapis.com/auth/admin.directory.group.readonly" in the scopes.
  4. Set a quota project using gcloud auth application-default set-quota-project foo or by exporting GOOGLE_CLOUD_QUOTA_PROJECT=foo.
  5. Execute terraform plan.

Important Factoids

The issue does not reproduce if using Service Account credentials. You can also reproduce this issue by setting the access_token provider attribute to the result of gcloud auth application-default print-access-token.

References

None
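What the reporter's expected behavior looks like in client code, as an added Go example that is not the provider's own code: the quota project is resolved from GOOGLE_CLOUD_QUOTA_PROJECT first and then from the quota_project_id field that gcloud auth application-default set-quota-project writes into the ADC file, and a transport attaches it as x-goog-user-project to every request. The precedence order, the helper names and the constructed ADC JSON are assumptions; with an empty project the transport sends the same header-less request the debug output above shows.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// adcFile holds the only field of application_default_credentials.json used here;
// gcloud auth application-default set-quota-project writes quota_project_id.
type adcFile struct {
	QuotaProjectID string `json:"quota_project_id"`
}

// resolveQuotaProject returns the project to bill API quota to. Assumed
// precedence: GOOGLE_CLOUD_QUOTA_PROJECT, then the ADC file; "" means none set.
func resolveQuotaProject(env map[string]string, adcJSON []byte) (string, error) {
	if p := env["GOOGLE_CLOUD_QUOTA_PROJECT"]; p != "" {
		return p, nil
	}
	if len(adcJSON) == 0 {
		return "", nil
	}
	var f adcFile
	if err := json.Unmarshal(adcJSON, &f); err != nil {
		return "", fmt.Errorf("parsing ADC file: %w", err)
	}
	return f.QuotaProjectID, nil
}
// quotaProjectTransport sets x-goog-user-project on every outgoing request.
// With an empty project it passes the request through untouched: that is the
// header-less request in the issue's debug output, which the API answers 403.
type quotaProjectTransport struct {
	project string
	base    http.RoundTripper
}

func (t *quotaProjectTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	if t.project == "" {
		return t.base.RoundTrip(req)
	}
	r := req.Clone(req.Context()) // never mutate the caller's request
	r.Header.Set("x-goog-user-project", t.project)
	return t.base.RoundTrip(r)
}

func main() { // stand-alone demo with a constructed ADC file and no env var
	p, err := resolveQuotaProject(map[string]string{}, []byte(`{"quota_project_id":"foo"}`))
	fmt.Println("x-goog-user-project:", p, "err:", err)
}
```

Wrap http.DefaultTransport in quotaProjectTransport and hand the resulting http.Client to the Directory API service; a missing project then shows up as an empty header value rather than a silent omission.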

Syndorik commented 4 months ago

I also came across this issue, have you found any solution for this (except from using service accounts)?

timeyr commented 4 months ago

As a workaround, you can switch to https://registry.terraform.io/providers/SamuZad/googleworkspace/latest (see https://github.com/hashicorp/terraform-provider-googleworkspace/issues/464).

That version does not fix the issue completely, but it works if you set the GOOGLE_CLOUD_QUOTA_PROJECT env var prior to running Terraform.