
Support for Resource projects.location.oauthClient #20225

Comments

@Aetherall

Aetherall commented Nov 7, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

Context

I am setting up IAP with Workforce Identity, using the documentation available at: https://cloud.google.com/iap/docs/use-workforce-identity-federation

Problem

I can't seem to find a way to create the IAM OAuthClient, as specified:
https://cloud.google.com/iap/docs/use-workforce-identity-federation#create-oauth-client

Documentation shows an emphasis about the required OAuthClient being different from an IAP OAuthClient

Important: The OAuth client ID and secret that you create in the following steps are created for the Workforce Identity Federation infrastructure. These are different than the client ID and secret that are required when using the custom OAuth configuration to enable IAP with Google identities.

And indeed, when proceeding through, the resulting oauth client resides at:
projects/{projectId}/locations/global/oauthClients/{oauthClientName}
from command:
gcloud iam oauth-clients list --location global

This resource path differs from what I would expect from the OAuth clients I dealt with in the past,
which had paths containing the iap, brand and proxy keywords.

After searching through the gcloud terraform repositories, I could not find something that looked like that resource, but maybe I am wrong.

I noticed the APIs to create those clients have been available for a while now, so maybe I didn't look in the right place for the Terraform implementations.

Thanks for reading me :)

New or Affected Resource(s)

Did not find any resource

Potential Terraform Configuration

No response

References

No response

b/378507880

@SarahFrench
Member

Note from triage: We cannot find a suitable API endpoint to use for this with the provider. If you, or the service team, can link us to some API docs, this request can be unblocked.

@Aetherall
Author

I was able to automate the creation of this resource using the gcloud CLI, and the API is available here: https://cloud.google.com/iam/docs/reference/rest/v1/projects.locations.oauthClients

(I had to dig for a bit to find it, though.)

This API contains the required methods to manage clients:

[screenshots of the API reference: client methods]

As well as the methods to manage credentials:

[screenshot of the API reference: credential methods]

Would be awesome to get support for that :)
Thanks for the work!

@SarahFrench
Member

Thank you! This issue has been forwarded to the relevant team & now with a link to the correct API endpoint it can also be picked up by other contributors too.

@SarahFrench SarahFrench modified the milestones: Backlog, Goals Nov 12, 2024
@Aetherall
Author

Awesome!

I would also like to add that in order to achieve IAP with Workforce Federation, the IAM client creation requires 2 calls: 1 create + 1 update.

1: create the client with a placeholder redirectUri
gcloud iam oauth-clients create

2: retrieve the client ID from that newly created oauth client
gcloud iam oauth-clients describe

3: compose a redirect url using the clientId
https://iap.googleapis.com/v1/oauth/clientIds/$CLIENT_ID:handleRedirect

4: update the client with the redirect uri
gcloud iam oauth-clients update

It would be awesome if the integration allowed this procedure to be supported declaratively.
I can provide the script I used if it can help; don't hesitate to mention me.
Thanks!
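The four-step sequence described in the comment above, as an added example script that is not the author's script nor the provider's code. The `gcloud iam oauth-clients` flag names, the placeholder redirect URI and the `PROJECT_ID` / `OAUTH_CLIENT_ID` variables are assumptions; only the `https://iap.googleapis.com/v1/oauth/clientIds/<clientId>:handleRedirect` format comes from the comment.

```shell
#!/usr/bin/env bash
# Added example: create -> describe -> compose redirect URI -> update.
# Assumption: flag names follow the `gcloud iam oauth-clients` reference;
# check them with `gcloud iam oauth-clients create --help` before use.
set -eu

LOCATION="global"   # the issue shows the resource under locations/global
PLACEHOLDER_URI="https://example.com/placeholder"  # constructed; replaced in step 4

# Step 3: the IAP redirect URI is derived from the client's clientId.
compose_redirect_uri() {
  printf 'https://iap.googleapis.com/v1/oauth/clientIds/%s:handleRedirect\n' "$1"
}

# Refuse to update with an empty or odd clientId: otherwise the client would
# end up registered with ".../clientIds/:handleRedirect" as a redirect URI.
require_client_id() {
  case "$1" in
    "" | *[!A-Za-z0-9._-]*) echo "unusable clientId from describe: '$1'" >&2; return 1 ;;
  esac
  return 0
}

provision_iap_workforce_client() {
  project="$1"; client="$2"; display="$3"

  # 1: create with a placeholder redirect URI (the real one needs the clientId).
  gcloud iam oauth-clients create "$client" \
    --project="$project" --location="$LOCATION" \
    --client-type=confidential-client \
    --display-name="$display" \
    --allowed-grant-types=authorization-code-grant \
    --allowed-scopes=openid,email \
    --allowed-redirect-uris="$PLACEHOLDER_URI"

  # 2: read back the clientId assigned to the new client.
  client_id=$(gcloud iam oauth-clients describe "$client" \
    --project="$project" --location="$LOCATION" --format='value(clientId)')
  require_client_id "$client_id"

  # 3 + 4: compose the redirect URI and replace the placeholder.
  redirect_uri=$(compose_redirect_uri "$client_id")
  gcloud iam oauth-clients update "$client" \
    --project="$project" --location="$LOCATION" \
    --allowed-redirect-uris="$redirect_uri"
  echo "$redirect_uri"
}

# gcloud is only invoked on request, so the helpers can be sourced and tested offline.
if [ "${RUN_PROVISION:-0}" = "1" ]; then
  provision_iap_workforce_client "$PROJECT_ID" "$OAUTH_CLIENT_ID" "IAP Workforce client"
fi
```

Run with `RUN_PROVISION=1 PROJECT_ID=... OAUTH_CLIENT_ID=... ./script.sh` against a project where you are authorised to manage IAM OAuth clients.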

@plus-1s

plus-1s commented Mar 1, 2025

Note: this issue is not resolved and is pending the addition of another resource: IAM OAuth Client Credential in GoogleCloudPlatform/magic-modules#13231. Will keep you posted.
