Deploy data_catalog resources with user credentials #8611

Open
dsbrambila opened this issue Mar 4, 2021 · 2 comments


dsbrambila commented Mar 4, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment. If the issue is assigned to the "modular-magician" user, it is either in the process of being autogenerated, or is planned to be autogenerated soon. If the issue is assigned to a user, that user is claiming responsibility for the issue. If the issue is assigned to "hashibot", a community member has claimed the issue already.

Description

Resources within google_data_catalog* can only be deployed if the user is logged in via a service account. Security-wise this is not an ideal behavior, since it implies saving the service account credentials on the local machine. Ideally, users should be able to deploy using only the user's credentials, which have more security layers, e.g., 2FA.

Error message when trying to deploy data catalog resources using user credentials

Error: Error when reading or editing DataCatalogEntryGroup "projects/xx/locations/region/entryGroups/entry-group": googleapi: Error 403: Your application has authenticated using end user credentials from the Google Cloud SDK or Google Cloud Shell which are not supported by the datacatalog.googleapis.com. We recommend configuring the billing/quota_project setting in gcloud or using a service account through the auth/impersonate_service_account setting. For more information about service accounts and how to use them in your application, see https://cloud.google.com/docs/authentication/

Note: I am able to deploy data catalog resources using my user-credentials via gcloud.

New or Affected Resource(s)

  • google_data_catalog_entry
  • google_data_catalog_entry_group
  • google_data_catalog_entry_group_iam
  • google_data_catalog_policy_tag
  • google_data_catalog_policy_tag_iam
  • google_data_catalog_tag
  • google_data_catalog_tag_template
  • google_data_catalog_taxonomy
  • google_data_catalog_taxonomy_iam

References

  • #8600

b/359623036

@ghost ghost added the enhancement label Mar 4, 2021
@rileykarson (Collaborator) commented

Have you tried https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override? That makes user credentials compatible with most APIs.

You'll probably want to file an issue with the service here - the restriction comes from the API itself and adding the ability to configure the quota project is the best solution we've got client-side.
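
The two keyless options named in this thread and in the 403 message (a quota project via `user_project_override`, or service account impersonation), sketched as an added example that is not part of the original comments or the provider's own documentation. Project, region, entry group and service account names are placeholders, and credentials are assumed to come from `gcloud auth application-default login`.

```hcl
# Added example, not from the thread. All names below are placeholders.
# Neither option stores a service account key file on the workstation.

# Option 1: end-user credentials plus an explicit quota project.
provider "google" {
  project = "example-project" # placeholder
  region  = "europe-west1"    # placeholder

  # Charge quota/billing to billing_project instead of the project the
  # gcloud user credentials belong to (the cause of the 403 above).
  user_project_override = true
  billing_project       = "example-project" # placeholder

  # Assumption: the user holds serviceusage.services.use on that project
  # (for example via roles/serviceusage.serviceUsageConsumer).
}

# Option 2: the same user credentials mint short-lived tokens for a
# deployment service account instead of downloading its key.
provider "google" {
  alias   = "impersonated"
  project = "example-project" # placeholder
  region  = "europe-west1"    # placeholder

  # Assumption: the user has roles/iam.serviceAccountTokenCreator on
  # this (placeholder) service account.
  impersonate_service_account = "tf-deployer@example-project.iam.gserviceaccount.com"
}

# One of the affected resources, deployed with option 1 (default provider).
resource "google_data_catalog_entry_group" "example" {
  entry_group_id = "example_entry_group" # placeholder
  region         = "europe-west1"        # placeholder
  display_name   = "Example entry group"
}

# The same resource type routed through the impersonating provider.
resource "google_data_catalog_entry_group" "example_impersonated" {
  provider       = google.impersonated
  entry_group_id = "example_entry_group_sa" # placeholder
  region         = "europe-west1"           # placeholder
}
```

With option 2, audit logs record both the impersonated service account and the calling user, so access can still be traced to a 2FA-protected identity.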

@RuggieroSanto-Reply commented

> Have you tried https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override? That makes user credentials compatible with most APIs.
>
> You'll probably want to file an issue with the service here - the restriction comes from the API itself and adding the ability to configure the quota project is the best solution we've got client-side.

It worked for me.

modular-magician added a commit to modular-magician/terraform-provider-google that referenced this issue Aug 15, 2023
…hashicorp#8611)

* add google_bigquery_table to version 5 upgrade doc for hashicorp#8460

* update wording

---------

Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
Signed-off-by: Modular Magician <[email protected]>
modular-magician added a commit that referenced this issue Aug 15, 2023
…15509)

* add google_bigquery_table to version 5 upgrade doc for #8460

* update wording

---------

Signed-off-by: Modular Magician <[email protected]>
Co-authored-by: Stephen Lewis (Burrows) <[email protected]>
@github-actions github-actions bot added forward/review In review; remove label to forward service/datacatalog labels Aug 17, 2023
@ggtisc ggtisc added waiting-response and removed forward/review In review; remove label to forward labels Aug 13, 2024