Open andrewesweet opened 10 months ago
I also came across this issue, have you found any solution for this (except for using service accounts)?
As a workaround, you can switch to https://registry.terraform.io/providers/SamuZad/googleworkspace/latest (see https://github.com/hashicorp/terraform-provider-googleworkspace/issues/464).
That version does not fix the issue completely, but it works if you set the GOOGLE_CLOUD_QUOTA_PROJECT env var prior to running Terraform.
Terraform Version
1.5.x and 1.6.0-beta1 on windows_amd64.
Affected Resource(s)
Please list the resources as a list, for example:
Terraform Configuration Files
Debug Output
The salient bit is the groups list API call:
Panic Output
N/A
Expected Behavior
x-goog-user-project header should have been set to the quota project specified in the Application Default Credential and/or relevant environment variables.
Actual Behavior
The header is not sent. The API call returns a 403 and the following error message is rendered:
Steps to Reproduce
customer_id attribute of the provider accordingly.
gcloud auth application-default login. Ensure you include "https://www.googleapis.com/auth/admin.directory.group" or "https://www.googleapis.com/auth/admin.directory.group.readonly" in the scopes.
gcloud auth application-default set-quota-project foo or by exporting GOOGLE_CLOUD_QUOTA_PROJECT=foo.
terraform plan.
Important Factoids
The issue does not reproduce if using Service Account credentials. You can also reproduce this issue by setting the access_token provider attribute to the result of gcloud auth application-default print-access-token.
References
None
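The expected behaviour described in this issue, as an added Go example (not code from the provider or from anyone in this thread): resolve the quota project for user credentials and attach it as x-goog-user-project on outgoing requests. Assumptions: the environment variable takes precedence over the quota_project_id field of the ADC file, the helper names are hypothetical, and the ADC content and the example.invalid URL are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"os"
)

// resolveQuotaProject: assumed precedence is GOOGLE_CLOUD_QUOTA_PROJECT, then the ADC file.
func resolveQuotaProject(adcJSON []byte, getenv func(string) string) (string, error) {
	if v := getenv("GOOGLE_CLOUD_QUOTA_PROJECT"); v != "" {
		return v, nil
	}
	var f struct{ QuotaProjectID string `json:"quota_project_id"` }
	if err := json.Unmarshal(adcJSON, &f); err != nil {
		return "", fmt.Errorf("parse ADC file: %w", err)
	}
	return f.QuotaProjectID, nil
}

// roundTripFunc adapts a plain function to http.RoundTripper.
type roundTripFunc func(*http.Request) (*http.Response, error)
func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// withQuotaProject (hypothetical helper) wraps base so that requests lacking
// x-goog-user-project carry the resolved quota project.
func withQuotaProject(project string, base http.RoundTripper) http.RoundTripper {
	return roundTripFunc(func(r *http.Request) (*http.Response, error) {
		if project != "" && r.Header.Get("x-goog-user-project") == "" {
			r = r.Clone(r.Context()) // a RoundTripper must not mutate the caller's request
			r.Header.Set("x-goog-user-project", project)
		}
		return base.RoundTrip(r)
	})
}

const sampleADC = `{"type":"authorized_user","quota_project_id":"foo"}` // constructed, secrets left out

func main() {
	project, err := resolveQuotaProject([]byte(sampleADC), os.Getenv)
	if err != nil {
		panic(err)
	}
	stub := roundTripFunc(func(r *http.Request) (*http.Response, error) { // offline stand-in for the API
		fmt.Println("x-goog-user-project:", r.Header.Get("x-goog-user-project"))
		return &http.Response{StatusCode: http.StatusOK, Body: http.NoBody}, nil
	})
	req, _ := http.NewRequest(http.MethodGet, "https://example.invalid/groups", nil)
	withQuotaProject(project, stub).RoundTrip(req)
}
```

Comparing the header this wrapper would send with what the debug output shows for the groups list call tells you whether the client dropped the quota project or never resolved one.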