# Disable the Disable Service Account Key Creation policy for the project
resource "google_org_policy_policy" "disableServiceAccountKeyCreation" {
  name   = "projects/${var.project_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "projects/${var.project_id}"
  spec {
    inherit_from_parent = false
    rules {
      enforce = "FALSE"
    }
  }
}
Debug Output
Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The orgpolicy.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/7640********",
│ "service": "orgpolicy.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
Expected Behavior
Using Terraform in my local terminal, I'm trying to disable the Disable Service Account Key Creation policy for a specific project and stop it from inheriting the policy from the parent organization.
Actual Behavior
What I noticed from the error message is that the project number from projects/7640******** does not match my project number. I also noticed that it's pulling that number from the first portions of the client_id in the application_default_credentials.json file.
This appears to be an issue or question with the Google provider, not with Terraform itself. You can see existing issues and file a new one in their repository here: https://github.com/hashicorp/terraform-provider-google/issues. If you have questions about Terraform or the Google provider, it's better to use the community forum where there are more people ready to help. The GitHub issues here are monitored only by a few core maintainers.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Steps to Reproduce
gcloud auth login $USER
gcloud auth application-default login $USER
gcloud auth application-default set-quota-project $PROJECT
terraform init
terraform apply
Additional Context
Org Policy API is already enabled on this project.
Org Policy Admin role.
Did I stumble into a bug? Seems like someone from Google reported the same issue back in February but it was not fixed.
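A diagnostic for the project-number mismatch described in the issue, as an added example that is not part of the original thread or of the provider's code: it reads an ADC file and the error's ErrorInfo detail and reports whether the `consumer` project corresponds to the numeric prefix of `client_id` rather than to `quota_project_id`. The sample credentials, the project number and the function names are constructed for illustration.

```python
import json
import re
from typing import Optional

# Constructed sample inputs (not real credentials): an authorized_user ADC file
# as written by `gcloud auth application-default login`, and an ErrorInfo
# detail shaped like the one in the 403 above.
SAMPLE_ADC = json.dumps({
    "type": "authorized_user",
    "client_id": "123456789012-exampleexample.apps.googleusercontent.com",
    "client_secret": "constructed-placeholder",
    "refresh_token": "constructed-placeholder",
    "quota_project_id": "my-project",
})
SAMPLE_ERROR_INFO = json.dumps({
    "@type": "type.googleapis.com/google.rpc.ErrorInfo",
    "domain": "googleapis.com",
    "metadata": {"consumer": "projects/1234********",
                 "service": "orgpolicy.googleapis.com"},
    "reason": "SERVICE_DISABLED",
})


def client_project_number(adc: dict) -> Optional[str]:
    """Return the numeric prefix of client_id, or None if absent or malformed."""
    m = re.match(r"(\d+)-", adc.get("client_id", ""))
    return m.group(1) if m else None


def consumer_matches(consumer: str, number: Optional[str]) -> bool:
    """Prefix-compare a possibly masked 'projects/NNNN****' value with a number."""
    visible = consumer.split("/", 1)[-1].rstrip("*")  # digits left unmasked
    return bool(visible) and number is not None and number.startswith(visible)


def diagnose(adc_json: str, error_info_json: str) -> dict:
    """Summarise which project a failed API call was attributed to."""
    adc = json.loads(adc_json)
    meta = json.loads(error_info_json).get("metadata", {})
    return {
        "credential_type": adc.get("type"),
        "quota_project_id": adc.get("quota_project_id"),  # None if never set
        "service": meta.get("service"),
        "consumer_is_oauth_client_project": consumer_matches(
            meta.get("consumer", ""), client_project_number(adc)),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_ADC, SAMPLE_ERROR_INFO))
```

A `True` result alongside a populated `quota_project_id` indicates the request was attributed to the OAuth client's project even though the ADC file carries a quota project; with a masked consumer the match is only on the visible leading digits.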