This repository has been archived by the owner on Jun 27, 2021. It is now read-only.

Error creating group: googleapi: Error 403: Request had insufficient authentication scopes. #148

Closed
schostin opened this issue Jun 30, 2020 · 4 comments
Labels
question Further information is requested wontfix This will not be worked on

Comments

@schostin

I am trying to simply create the 2 required user groups for Google's Cloud Foundation Toolkit bootstrap module. Therefore I am using my own organization-admin credentials (so I logged in with `gcloud auth login` and afterwards ran `gcloud auth application-default login`). When I try to run the following simple code:

```hcl
terraform {
  required_version = "0.12.28"
  required_providers {
    gsuite = "0.1.52"
  }
}

# Inputs referenced below, declared here so the snippet applies stand-alone.
variable "domain" {
  description = "G Suite primary domain the groups are created in"
  type        = string
}

variable "impersonated_user_email" {
  description = "Admin user the provider impersonates"
  type        = string
}

provider "gsuite" {
  impersonated_user_email = var.impersonated_user_email
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/admin.directory.user"
  ]
}

resource "gsuite_group" "organization_admins" {
  email       = "organization-admins@${var.domain}"
  name        = "organization-admins"
  description = "Organization Admins"
}

resource "gsuite_group" "billing_admins" {
  email       = "billing-admins@${var.domain}"
  name        = "billing-admins"
  description = "Billing admins"
}
```

I get the error:

```text
Error: [ERROR] Error creating group: googleapi: Error 403: Request had insufficient authentication scopes.
More details:
Reason: insufficientPermissions, Message: Insufficient Permission

  on main.tf line 16, in resource "gsuite_group" "organization_admins":
  16: resource "gsuite_group" "organization_admins" {

Error: [ERROR] Error creating group: googleapi: Error 403: Request had insufficient authentication scopes.
More details:
Reason: insufficientPermissions, Message: Insufficient Permission

  on main.tf line 22, in resource "gsuite_group" "billing_admins":
  22: resource "gsuite_group" "billing_admins" {
```

I did not try to run as a service account since this is a chicken-and-egg problem. I want to set up the initial seed project automatically and therefore I do not have a project where I could create a service account... Any hint what I am doing wrong, or if my personal user needs something else apart from being "Organization Admin"?

@DeviaVir DeviaVir added the question Further information is requested label Jun 30, 2020
@DeviaVir
Owner

DeviaVir commented Jul 2, 2020

Can you try dropping both impersonated_user_email and oauth_scopes? Those are fields tied to when using a service account.
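The 403 in the opening post says the token Terraform presented did not carry the Admin SDK Directory scopes. The maintainer's reply points out that `impersonated_user_email` and `oauth_scopes` belong to the service-account path; with user credentials the scopes are fixed at the moment `gcloud auth application-default login` mints the ADC token (by default the cloud-platform scope plus identity scopes), so the first thing to check is what that token actually carries. The script below is an added example, not code from the gsuite provider or from this thread: it reads the `scope` field of Google's tokeninfo response, lists the Admin SDK scopes that are missing, and prints the `gcloud auth application-default login --scopes=...` command that re-mints ADC with them. The tokeninfo JSON it runs against by default is a constructed sample with placeholder client ID and email; `LIVE=1` makes it query the real token instead.

```shell
#!/bin/sh
# Added example, not code from the gsuite provider or from this thread.
# Checks which OAuth scopes an Application Default Credentials (ADC) token
# actually carries and compares them with the Admin SDK Directory scopes the
# gsuite provider needs for group and user resources. Offline by default: it
# runs against a constructed tokeninfo response; set LIVE=1 to query the real
# token (needs gcloud, curl and network access).

# Scopes the provider config in this thread asks for.
REQUIRED_SCOPES="https://www.googleapis.com/auth/admin.directory.group https://www.googleapis.com/auth/admin.directory.user"

# Pull the space-separated "scope" value out of a tokeninfo JSON response.
# Assumes the single-line JSON that https://oauth2.googleapis.com/tokeninfo returns.
token_scopes() {
  printf '%s' "$1" | sed -n 's/.*"scope": *"\([^"]*\)".*/\1/p'
}

# Print every required scope absent from the token, one per line.
# Returns 0 when nothing is missing, 1 otherwise.
missing_scopes() {
  _granted=$(token_scopes "$1")
  _missing=""
  for _s in $REQUIRED_SCOPES; do
    case " $_granted " in
      *" $_s "*) ;;                       # present
      *) _missing="$_missing $_s" ;;      # absent
    esac
  done
  [ -z "$_missing" ] && return 0
  for _s in $_missing; do printf '%s\n' "$_s"; done
  return 1
}

# The gcloud invocation that re-mints ADC with the Admin SDK scopes added.
# cloud-platform is kept so the google/google-beta providers keep working.
fix_command() {
  _scopes="https://www.googleapis.com/auth/cloud-platform"
  for _s in $REQUIRED_SCOPES; do _scopes="$_scopes,$_s"; done
  printf 'gcloud auth application-default login --scopes=%s\n' "$_scopes"
}

# Constructed sample: the scopes a plain `gcloud auth application-default login`
# token carries (no Admin SDK scopes). Client ID and email are placeholders.
SAMPLE_TOKENINFO='{"azp":"example-client-id.apps.googleusercontent.com","scope":"openid https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/cloud-platform","exp":"1593522000","expires_in":"3599","email":"admin@example.com","email_verified":"true"}'

main() {
  if [ -n "$LIVE" ]; then
    _info=$(curl -s "https://oauth2.googleapis.com/tokeninfo?access_token=$(gcloud auth application-default print-access-token)")
  else
    _info="$SAMPLE_TOKENINFO"
  fi
  if missing_scopes "$_info"; then
    echo "ADC token carries every scope the gsuite provider needs."
  else
    echo "ADC token is missing the scopes above; re-mint it with:"
    fix_command
  fi
}

main
```

Run it once to see the sample verdict, then `LIVE=1 sh check-adc-scopes.sh` against the real token before the next `terraform apply`. Re-minting ADC with the wider scope set is a change to a long-lived credential on the workstation, so revoke it (`gcloud auth application-default revoke`) once the bootstrap groups exist and the provider has been switched to a service account.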

@stale

stale bot commented Aug 31, 2020

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Aug 31, 2020
@stale stale bot closed this as completed Sep 7, 2020
@natalysheinin
Contributor

Same error here

@dlethin

dlethin commented Jun 9, 2021

I'm experiencing this same issue
