Using Terraform in my local terminal, I've been trying to disable the Disable Service Account Key Creation policy (`iam.disableServiceAccountKeyCreation`) for a specific project and stop it from inheriting the policy from the parent organization.
```hcl
# Disable the Disable Service Account Key Creation policy for the project
resource "google_org_policy_policy" "disableServiceAccountKeyCreation" {
  name   = "projects/${var.project_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "projects/${var.project_id}"

  spec {
    inherit_from_parent = false
    rules {
      enforce = "FALSE"
    }
  }
}
```
However I keep running into this error:
```text
Error: Error creating Policy: failed to create a diff: failed to retrieve Policy resource: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. The orgpolicy.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds .
│ Details:
│ [
│   {
│     "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│     "domain": "googleapis.com",
│     "metadata": {
│       "consumer": "projects/7640********",
│       "service": "orgpolicy.googleapis.com"
│     },
│     "reason": "SERVICE_DISABLED"
│   }
│ ]
```
The thing is:

- I did use `gcloud auth application-default login` to authenticate.
- I did set the quota project, despite it already being set.
- The Org Policy API is already enabled on this project.
What I noticed is that the project number from `projects/7640********` does not match my project number. I also noticed that it's pulling that number from the first portion of the `client_id` in the `application_default_credentials.json` file.
How do I fix this? Did I stumble into a bug? Seems like someone from Google reported the same issue back in Feb but no response on that thread.
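Added example (not code from the original post): the same org-policy override, but with the `google` provider told explicitly which project to charge quota to. With `user_project_override = true` the provider sends the `X-Goog-User-Project` header on every request, set to `billing_project`, so the Org Policy API no longer falls back to the project that owns the ADC OAuth client (the `7640…` number in the error). The `var.project_id` variable, the provider version pin and the `google_project_service` resource are assumptions added for the example.

```hcl
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 4.0" # assumption: any 4.x or later provider; the arguments below exist there
    }
  }
}

variable "project_id" {
  type        = string
  description = "Project whose org policy is overridden and which is charged for API quota"
}

provider "google" {
  project = var.project_id

  # Attribute quota/billing for every API call to this project by sending the
  # X-Goog-User-Project header, instead of relying on the ADC client's project.
  user_project_override = true
  billing_project       = var.project_id
}

# The quota project must have the Org Policy API enabled; keeping it in state
# makes a missing enablement a clear plan/apply error rather than a 403.
resource "google_project_service" "orgpolicy" {
  project            = var.project_id
  service            = "orgpolicy.googleapis.com"
  disable_on_destroy = false
}

# Project-level override: stop inheriting the org constraint and turn enforcement off.
resource "google_org_policy_policy" "disable_sa_key_creation" {
  name   = "projects/${var.project_id}/policies/iam.disableServiceAccountKeyCreation"
  parent = "projects/${var.project_id}"

  spec {
    inherit_from_parent = false
    rules {
      enforce = "FALSE"
    }
  }

  depends_on = [google_project_service.orgpolicy]
}
```

The same two provider settings can come from the environment instead of the provider block (`USER_PROJECT_OVERRIDE=true` and `GOOGLE_BILLING_PROJECT=<project-id>`), which is handy for a one-off `terraform plan`. The identity running Terraform needs `serviceusage.services.use` on the billing project (otherwise the header is rejected) in addition to the org-policy permissions on the target project. Note the security consequence of the override itself: it re-allows creation of long-lived service account keys in that one project, so keep the scope to `projects/...` rather than the folder or organization.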