
Terraform not detecting the correct Project ID when modifying Org Policy #17998

Closed
jado06 opened this issue May 1, 2024 · 12 comments
Assignees
Labels
bug forward/review In review; remove label to forward service/orgpolicy

Comments

@jado06

jado06 commented May 1, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version

Terraform v1.8.2

Affected Resource(s)

google_org_policy_policy

Terraform Configuration

# Disable the Disable Service Account Key Creation policy for the project
resource "google_org_policy_policy" "disableServiceAccountKeyCreation" {
  name   = "projects/${var.project_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "projects/${var.project_id}"

  spec {
    inherit_from_parent = false
    rules {
      enforce = "FALSE"
    }
  }
}

Debug Output

Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The orgpolicy.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/7640********",
│       "service": "orgpolicy.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]

Expected Behavior

Using Terraform in my local terminal, I'm trying to disable the Disable Service Account Key Creation policy for a specific project and stop it from inheriting the policy from the parent organization.

Actual Behavior

What I noticed from the error message is that the project number from projects/7640******** does not match my project number. I also noticed that it's pulling that number from the first portions of the client_id in the application_default_credentials.json file.

Steps to reproduce

  1. gcloud auth login $USER
  2. gcloud auth application-default login $USER
  3. gcloud auth application-default set-quota-project $PROJECT
  4. terraform init
  5. terraform apply

Important Factoids

  • The Org Policy API is already enabled on this project.
  • The authenticated user does have the required Org Policy Admin role.

Did I stumble into a bug? Seems like someone from Google reported the same issue back in February but it was not fixed.

References

@ggtisc
Collaborator

ggtisc commented May 8, 2024

Hi @jado06!

As I check this and the other references, it is more a troubleshooting issue than a bug. Your own code was replicated successfully without errors. I suggest you check your permissions and environment variables as the other users commented, and, more importantly, read the error message, which says the following:

Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. **The orgpolicy.googleapis.com API requires a quota project, which is not set by default.** To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds

It basically says that you need to check the quota of this service in your account configurations, because it is a service which is not set by default, and finally it gives you a link to learn how to fix it.

@jado06
Author

jado06 commented May 9, 2024

I'm not sure how you were able to replicate my code without errors; however, the link you mentioned says to use gcloud auth application-default set-quota-project $PROJECT to fix the error, which, as you can see from Step 3 in my reproduction steps, is already done.

Another thing to mention is that the error message clearly shows orgpolicy.googleapis.com being detected as SERVICE_DISABLED (with a project number? that is not mine). This is despite:

  1. The quota being already set using the above gcloud command
  2. the API being already enabled on my project.

After doing some research on the credentials files for ADC, I noticed that the incorrect project number from the error "consumer": "projects/7640********" was actually a number in my ADC credentials file:

{
  "account": "[email protected]",
  "client_id": "7640********-******************************.apps.googleusercontent.com",
  "client_secret": "******************************",
  "quota_project_id": "jad-*******",
  "refresh_token": "******************************",
  "type": "authorized_user",
  "universe_domain": "googleapis.com"
}

I'm not certain on how Terraform does this behind the scenes, but my theory is that it is potentially pulling the project ID from the wrong line, which is why we're seeing the number from the client_id being pulled, instead of the project ID from quota_project_id.

@ggtisc
Collaborator

ggtisc commented May 10, 2024

Yes, at some point in your Terraform config you have something related to authentication that is causing issues, because with the most basic code, after a terraform apply, everything was created successfully without errors. I suggest you check your project config, because it is a common case that devs configure many auth mechanisms and these then create conflicts. So ensure you have only one project associated with this resource (google_org_policy_policy). You could create a separate project where you only have the google_org_policy_policy with only one auth mechanism, to identify what is causing this issue.

This is the terraform code used to replicate this scenario:

resource "google_org_policy_policy" "org_policy_policy_17998" {
  name   = "projects/**my-project**/policies/iam.disableServiceAccountKeyCreation"
  parent = "projects/**my-project**"

  spec {
    inherit_from_parent = false
    rules {
      enforce = "FALSE"
    }
  }
}

@jado06
Author

jado06 commented May 15, 2024

Thanks, I'll try to replicate again sometime in the next week and get back to you with the results.

@zebo3k

zebo3k commented Jul 18, 2024

Did this work? I have the same issue.

@jado06
Author

jado06 commented Jul 18, 2024

@zebo3k Yes, I did end up finding a solution! Thanks for reminding me to post it.

Since part of my Terraform code involved granting the user the org admin role (roles/orgpolicy.policyAdmin) before applying the policy changes, it turns out that the reason behind the error is propagation delay: I needed to add a 120 second delay after assigning the role before it succeeded. I tried to reduce the time, but it wouldn't play nice with anything under 120 seconds. -_-

(This also explains why @ggtisc did not run into the same issue, likely because they already had the role, and didn't need to wait for it to propagate)

@ggtisc
Collaborator

ggtisc commented Jul 19, 2024

Thanks for your answer @jado06

@ggtisc ggtisc closed this as completed Jul 19, 2024
@flamein

flamein commented Aug 2, 2024

How do we explain that my error shows EXACTLY the same project number? I'm not associated with @jado06 in any way, so why would my error be pointing to the exact same project?

│ Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The orgpolicy.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/764086051850",
│       "service": "orgpolicy.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]

I also provided myself with Organisation Policy Administrator access, but no luck there

@YancyGodoy

I happen to have the same exact error:

│ Error: Error creating Policy: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The orgpolicy.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/764086051850",
│       "service": "orgpolicy.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]

Role and project quota already assigned.

@birmingham

birmingham commented Aug 29, 2024

I encountered a similar orgpolicy.googleapis.com 403 error with the same "consumer": "projects/7640********", "service": "SERVICE_DISABLED" output. I was deploying org policy custom constraints. https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/org_policy_custom_constraint
I had all the necessary roles on my IAM account. My solution was to add a provider block directly into the org policy custom constraints terraform. The billing_project and user_project_override entries were the key to getting rid of the 403 error.

provider "google" {
  project               = var.project_id
  region                = var.region
  billing_project       = "CHANGE_ME_PROJECT_ID"
  user_project_override = true
}
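Added example, not code from the issue or from the provider project: one configuration that combines the two fixes reported in this thread, the provider-level billing_project with user_project_override (so orgpolicy.googleapis.com charges quota to your project instead of to the OAuth client's project 764086051850, which is the gcloud CLI's own client ID prefix and is why every reporter saw the same number) and a time_sleep between the IAM grant and the org policy. var.project_id, var.admin_member and the hashicorp/time provider are assumptions.

```hcl
# Added example (not from the issue). Assumptions: var.project_id,
# var.admin_member, and the hashicorp/time provider being available.
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    time   = { source = "hashicorp/time" }
  }
}

# user_project_override makes the provider send the X-Goog-User-Project
# header, so the Org Policy API bills quota to billing_project rather than
# to the project behind the ADC OAuth client (764086051850, gcloud's own),
# where the API is not enabled and the request fails with SERVICE_DISABLED.
provider "google" {
  project               = var.project_id
  billing_project       = var.project_id
  user_project_override = true
}

# Grant the role the policy change needs (roles/orgpolicy.policyAdmin, as
# named in the thread) at project scope only; no org-wide grant is needed.
resource "google_project_iam_member" "orgpolicy_admin" {
  project = var.project_id
  role    = "roles/orgpolicy.policyAdmin"
  member  = var.admin_member # e.g. "user:[email protected]" (assumed input)
}

# IAM grants propagate asynchronously; the thread reports that anything
# under 120 seconds still produced the 403 in practice.
resource "time_sleep" "iam_propagation" {
  depends_on      = [google_project_iam_member.orgpolicy_admin]
  create_duration = "120s"
}

# Relax the constraint for this one project only. Caveat: this re-enables
# user-managed service account keys here, so keep the scope to projects
# that genuinely need them and keep inherit_from_parent = false explicit.
resource "google_org_policy_policy" "disable_sa_key_creation" {
  name   = "projects/${var.project_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "projects/${var.project_id}"

  spec {
    inherit_from_parent = false
    rules {
      enforce = "FALSE"
    }
  }

  # Create the policy only after the grant has had time to propagate.
  depends_on = [time_sleep.iam_propagation]
}
```

If the 403 persists with this provider block, confirm with gcloud services list that orgpolicy.googleapis.com is enabled in the project named in billing_project, since that is now the consumer the error's "consumer" field will report.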

@birmingham

@YancyGodoy @flamein see my previous post.


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 29, 2024