Solve Gcloud Terraform authentication issues
In this blog, I want to show an issue we encountered at a customer while working with Google Cloud and Terraform. We discovered that the Google SDK is having two different active logins. That is not completely clear at first sight.
User is not authorized
To start with the issue we had. We are working with a team of people working on a terraform project to be able to provision our Google Cloud environment. A colleague created a nice terraform configuration that I wanted to test and play with.
Before starting to add things to the configuration I wanted to check if the configuration file still reflects the Google Cloud infrastructure so I ran:
$ terraform plan
This resulted in the following error:
Refreshing Terraform state in-memory prior to plan... The refreshed state will be used to calculate this plan, but will not be persisted to local or remote state storage. google_project.proj: Refreshing state... (ID: project-x-1) Error refreshing state: 1 error(s) occurred: * google_project.proj: 1 error(s) occurred: * google_project.proj: google_project.proj: Error reading Project "project-x-1": googleapi: Error 403: User is not authorized., forbidden
Damn, let's see if I could reproduce the error with the gcloud SDK commands.
$ gcloud projects list PROJECT_ID NAME PROJECT_NUMBER project-x-1 Project x 123456789012
$ gcloud projects describe project-x-1 createTime: '2017-08-04T12:43:01.088Z' lifecycleState: ACTIVE name: Project x parent: id: '12345677889' type: organization projectId: project-x-1 projectNumber: '123456789012'
That's weird: I'm able to see the project with the gcloud SDK, but not with terraform.
After a while a colleague found this in the Google Cloud console:
That's strange, I don't want to use my GoDataDriven account for the customer stuff.
Let's check my authentication:
$ gcloud auth list Credentialed Accounts ACTIVE ACCOUNT * <customer_google_account_here> To set the active account, run: $ gcloud config set account `ACCOUNT`
That seems to be correct. But let's check logout and login again.
$ gcloud auth revoke Revoked credentials: - <customer_google_account_here> $ gcloud auth login Your browser has been opened to visit: https://accounts.google.com/o/oauth2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&prompt=select_account... WARNING: `gcloud auth login` no longer writes application default credentials. If you need to use ADC, see: gcloud auth application-default --help You are now logged in as [<customer_google_account_here>]. Your current project is [None]. You can change this setting by running: $ gcloud config set project PROJECT_ID
Wait a second, what is that WARNING??
There appear to be two different authentication sessions, the
gcloud auth and
gcloud auth application-default.
The gcloud commandline used the first, terraform uses the second.
After revoking the application-default session and login again with the correct account the sky was blue again.
$ gcloud auth application-default revoke You are about to revoke the credentials stored in: [/Users/rvanweverwi jk/.config/gcloud/application_default_credentials.json] Do you want to continue (Y/n)? y Credentials revoked.
$ gcloud auth application-default login Your browser has been opened to visit: https://accounts.google.com/o/oauth2/auth?redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&prompt=select_account... Credentials saved to file: [/Users/rvanweverwijk/.config/gcloud/application_default_credentials.json] These credentials will be used by any library that requests Application Default Credentials.
GoDataDriven open source contribution: December 2017 edition
January 09, 2018
Post-Christmas Coding, December 28
December 13, 2017
GDD @ NIPS 2017
December 12, 2017
Spark packages from a password protected Repository
December 11, 2017
GoDataDriven open source contribution: November 2017 edition
November 30, 2017
How to Decorate Your Scikit-learn Models Like a Christmas Tree
November 22, 2017