pulumi / pulumi-gcp

A Google Cloud Platform (GCP) Pulumi resource package, providing multi-language access to GCP
Apache License 2.0

OauthIDPConfig throws RPC error even though quota project is set #2169

Open aaron-tillekeratne opened 3 weeks ago

aaron-tillekeratne commented 3 weeks ago

Describe what happened

When using pulumi_gcp.identityplatform.OauthIdpConfig() class, the underlying API causes a rpc error.

Sample program

"""A Google Cloud Python Pulumi program"""

import pulumi
import pulumi_gcp as gcp

iap_service = gcp.projects.Service("iap-service", service="iap.googleapis.com")
service_usage = gcp.projects.Service("serviceusage-service", service="serviceusage.googleapis.com")
cloud_rm = gcp.projects.Service("cloudrm-service", service="cloudresourcemanager.googleapis.com")

identity_toolkit = gcp.projects.Service("idp-service", service="identitytoolkit.googleapis.com")
oidc_provider = gcp.identityplatform.OauthIdpConfig(
    "microsoft",
    name="oidc.foobar",
    client_id="foo",
    issuer="foo",
    client_secret="foo"
    , opts=pulumi.ResourceOptions(depends_on=[identity_toolkit]),
)

Log output

```
Diagnostics: gcp:identityplatform:OauthIdpConfig (foobar): error: 1 error occurred:
```

Affected Resource(s)

No response

Output of pulumi about

```
CLI
Version      3.122.0
Go Version   go1.22.4
Go Compiler  gc

Plugins
KIND      NAME    VERSION
resource  gcp     7.30.1
language  python  unknown

Host
OS       debian
Version  11.9
Arch     x86_64

This project is written in python: executable='/workspaces/sample_app/infra/venv/bin/python' version='3.11.9'

Current Stack: organization/infra/dev

TYPE                                  URN
pulumi:pulumi:Stack                   urn:pulumi:dev::infra::pulumi:pulumi:Stack::infra-dev
pulumi:providers:gcp                  urn:pulumi:dev::infra::pulumi:providers:gcp::default_7_30_1
gcp:projects/service:Service          urn:pulumi:dev::infra::gcp:projects/service:Service::serviceusage-service
gcp:projects/service:Service          urn:pulumi:dev::infra::gcp:projects/service:Service::iap-service
gcp:iap/brand:Brand                   urn:pulumi:dev::infra::gcp:iap/brand:Brand::brand
gcp:projects/service:Service          urn:pulumi:dev::infra::gcp:projects/service:Service::cloudrm-service
gcp:projects/service:Service          urn:pulumi:dev::infra::gcp:projects/service:Service::idp-service
gcp:appengine/application:Application urn:pulumi:dev::infra::gcp:appengine/application:Application::app

Found no pending operations associated with dev

Backend
Name           663c28915b8c
URL            file://~
User           vscode
Organizations
Token type     personal

Dependencies:
NAME        VERSION
pip         24.1.2
pulumi_gcp  7.30.1
setuptools  70.2.0
wheel       0.43.0

Pulumi locates its logs in /tmp by default
```

Additional context

So it seems to have some issue with terraform underneath too; I haven't looked too much into this, but the rpc error references a gcp project, which seems to be common with others. Example: https://github.com/hashicorp/terraform-provider-google/issues/14972.

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

VenelinMartinov commented 2 weeks ago

Hey @aaron-tillekeratne, thanks for reporting here and sorry you had trouble with this.

How are you setting the quota project? From the TF issue you linked it seems to be a problem with application default credentials, so perhaps you can try setting the quota project as an env var or explicitly on the resource to work around the issue?

aaron-tillekeratne commented 2 weeks ago

Hey @VenelinMartinov , thanks for the response.

I set the quota project using `gcloud auth application-default set-quota-project foobar`. The environment variable method does work.

However, it doesn't seem to correctly create the resource; it doesn't correctly populate the name, and the grant type seems to be set to id_token with no option to change that to code flow.

```python
oidc_provider = gcp.identityplatform.OauthIdpConfig(
    "foobar",
    name="oidc.foobar",
    client_id="foo",
    issuer="www.foobar.com/foobar/baz/qux",
    client_secret="foo",
    opts=pulumi.ResourceOptions(depends_on=[identity_toolkit]),
)
```

in Console: [screenshots of the created provider omitted]

VenelinMartinov commented 2 weeks ago

Hi @aaron-tillekeratne, glad the environment variable worked. For your issue with the grant type parameter, unfortunately, it seems like that is not handled well in the terraform provider and pulumi inherits the behaviour from there: https://github.com/hashicorp/terraform-provider-google/issues/9385

Seems like setting the grant type is not currently possible in the provider.

The docs suggest that setting the secret should trigger the code flow grant type but that might not be the case from the reports and looking at the code for this resource in the tf provider, I don't see anywhere where the grant type is handled: https://github.com/hashicorp/terraform-provider-google/blob/main/google/services/identityplatform/resource_identity_platform_oauth_idp_config.go

That means you'd need some other method for controlling that - you might want to create it in the console, or you can try using the GCP API directly to work around this issue: https://cloud.google.com/identity-platform/docs/reference/rest/v2/projects.oauthIdpConfigs#OAuthIdpConfig

If you do decide to use the GCP API directly you could also use dynamic resource providers in pulumi to wrap the API calls into something which fits the pulumi resource model.


Raised https://github.com/pulumi/pulumi-gcp/issues/2181 for the grant type issue
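One way to drive the REST endpoint directly, as an added example that is not pulumi-gcp or the terraform provider's own code: the request body carries an explicit `responseType` so the code flow (rather than id_token) is selected, and the `x-goog-user-project` header names the quota project explicitly instead of relying on application-default-credentials state. The endpoint path, `oauthIdpConfigId` query parameter and field names are assumptions taken from the linked REST reference; check them against it before use.

```python
"""Create an Identity Platform OAuthIdpConfig via the v2 REST API (constructed example)."""
import json
import urllib.request
from typing import Dict, Tuple

# Assumption: v2 endpoint and field names as documented in the REST reference.
API_BASE = "https://identitytoolkit.googleapis.com/v2"


def build_create_request(project: str, config_id: str, client_id: str, client_secret: str,
                         issuer: str, quota_project: str, code_flow: bool = True,
                         display_name: str = "") -> Tuple[str, Dict[str, str], dict]:
    """Return (url, headers, body) for the create call.

    responseType is what selects the grant type: code flow needs a client secret
    and responseType.code=true; otherwise only the id_token flow is enabled.
    """
    if not config_id.startswith("oidc."):
        raise ValueError("OAuth IdP config ids must start with 'oidc.'")
    if code_flow and not client_secret:
        raise ValueError("code flow requires a client secret")
    url = f"{API_BASE}/projects/{project}/oauthIdpConfigs?oauthIdpConfigId={config_id}"
    body = {
        "clientId": client_id,
        "issuer": issuer,
        "enabled": True,
        "displayName": display_name or config_id,
        "responseType": {"code": code_flow, "idToken": not code_flow},
    }
    if client_secret:
        body["clientSecret"] = client_secret
    headers = {
        "Content-Type": "application/json",
        # Explicit quota project, so the call does not depend on ADC state.
        "x-goog-user-project": quota_project,
    }
    return url, headers, body


def create_oauth_idp_config(access_token: str, **kwargs) -> dict:
    """Send the create request with a bearer token (e.g. from `gcloud auth print-access-token`)."""
    url, headers, body = build_create_request(**kwargs)
    headers["Authorization"] = f"Bearer {access_token}"
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

The same `build_create_request` can be called from a Pulumi dynamic provider's `create` method if you want the resource tracked in state.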

aaron-tillekeratne commented 2 weeks ago

Ok thanks. I'll look into the API.