mon

Reputation: 22244

Terraform/GCP - "the user does not have permission to access Project"

Problem

Executing the simple Terraform script causes the error. The script was simply copied from the documentation.

data "google_project" "project" {
}

output "project_number" {
  value = data.google_project.project.number
}

$ terraform apply
╷
│ Error: the user does not have permission to access Project "positive-theme-323611" or it may not exist
│ 
│   with data.google_project.project,
│   on gcp.tf line 1, in data "google_project" "project":
│    1: data "google_project" "project" {

However, the same user can use gcloud command to get the information of the project.

$ gcloud projects describe "positive-theme-323611"
createTime: '2021-08-21T11:08:56.469Z'
lifecycleState: ACTIVE
name: My First Project
projectId: positive-theme-323611
projectNumber: '412177242019'

Setting the TF_LOG environment variable shows the 403 for the API call at the Terraform execution.

---[ REQUEST ]---------------------------------------
GET /v1/projects/positive-theme-323611?alt=json&prettyPrint=false HTTP/1.1
Host: cloudresourcemanager.googleapis.com
User-Agent: google-api-go-client/0.5 Terraform/1.0.4 (+https://www.terraform.io) Terraform-Plugin-SDK/2.5.0 terraform-provider-google/dev
X-Goog-Api-Client: gl-go/1.16.2 gdcl/20211201
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2022-01-11T14:46:00.935+1100
2022-01-11T14:46:01.535+1100 [INFO]  provider.terraform-provider-google_v4.6.0_x5: 2022/01/11 14:46:01 [DEBUG] Google API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 403 Forbidden
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
Cache-Control: private
Content-Type: application/json; charset=UTF-8
Date: Tue, 11 Jan 2022 03:46:01 GMT
Server: ESF
Server-Timing: gfet4t7; dur=280
Vary: Origin
Vary: X-Origin
Vary: Referer
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 0

{
  "error": {
    "code": 403,
    "message": "The caller does not have permission",
    "errors": [
      {
        "message": "The caller does not have permission",
        "domain": "global",
        "reason": "forbidden"
      }
    ],
    "status": "PERMISSION_DENIED"
  }
}

Question

Why does Terraform fail while the gcloud command succeeds? Does Terraform use a different mechanism than the gcloud command to get credentials for authenticating with GCP?

Please help me understand what causes the difference, and whether there is a way to make it work when the gcloud command works.

Fix for the problem

By running the command below, Terraform works, but I am still not sure why. Obviously the gcloud command does not use the credential which this command has created, as it was working before running the command.

Then which credential, and from where, is gcloud using? Why did Terraform not use it? Please help me understand.

gcloud auth application-default login command.

$ terraform apply
No changes. Your infrastructure matches the configuration.
Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:

project_number = "412177242019"

Upvotes: 1

Views: 3833

Answers (1)

Juan Fontes

Reputation: 908

According to Terraform's docs, you do need to run gcloud ... login so that Terraform can connect to your GCP project.

The command gcloud projects describe "positive-theme-323611" works because it creates a "temp" session login. On the other hand, the command gcloud auth application-default login creates and keeps a session, and because of that you are able to run terraform.

First, authenticate with GCP. The easiest way to do this is to run gcloud auth application-default login, if you already have gcloud installed. If you don't already have it, you can install it from here.

But you don't need to run it every time: you can create a service account and export its content to an environment variable; take a look at adding credentials. With that variable exported, you don't need to run gcloud login; Terraform will use the variable's content.

Upvotes: 2
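The underlying point of both the question (gcloud works, Terraform gets a 403) and the answer (run gcloud auth application-default login, or export a service account key) is that the gcloud CLI and the Terraform google provider read credentials from different places. The script below is an added example, not code from the question, the answer, or the Terraform provider: it reports which credential source the provider would load and which account gcloud itself is configured to use, so the two can be compared before running terraform apply. It assumes the documented lookup order (GOOGLE_CREDENTIALS / GOOGLE_CLOUD_KEYFILE_JSON / GCLOUD_KEYFILE_JSON, then GOOGLE_OAUTH_ACCESS_TOKEN, then Application Default Credentials: GOOGLE_APPLICATION_CREDENTIALS, the well-known file $HOME/.config/gcloud/application_default_credentials.json, and finally the GCE metadata server) and the gcloud configuration file layout under $CLOUDSDK_CONFIG or $HOME/.config/gcloud (configurations/config_<name> with an [core] account = line); the output strings are this script's own labels.

```shell
#!/bin/sh
# Added example (not from the question, the answer, or the Terraform provider).
# Shows which credential source Terraform's google provider would pick up and
# which account the gcloud CLI itself is using. Assumed lookup order and file
# layout are described in the lead-in; labels such as "adc:well-known-file"
# are this script's own.

# Directory holding gcloud's own state; CLOUDSDK_CONFIG overrides the default.
# Note: the Go ADC loader used by the provider looks only under $HOME.
gcloud_config_dir() {
  if [ -n "${CLOUDSDK_CONFIG:-}" ]; then
    printf '%s\n' "$CLOUDSDK_CONFIG"
  else
    printf '%s\n' "${HOME}/.config/gcloud"
  fi
}

# Print one line naming the credential source the Terraform provider would use.
terraform_credential_source() {
  # 1. Provider-specific key material in the environment (a long-lived secret).
  if [ -n "${GOOGLE_CREDENTIALS:-}" ] || [ -n "${GOOGLE_CLOUD_KEYFILE_JSON:-}" ] \
     || [ -n "${GCLOUD_KEYFILE_JSON:-}" ]; then
    echo "provider-env:service-account-key"
    return 0
  fi
  # 2. A pre-minted OAuth access token.
  if [ -n "${GOOGLE_OAUTH_ACCESS_TOKEN:-}" ]; then
    echo "provider-env:access-token"
    return 0
  fi
  # 3. Application Default Credentials: explicit file first ...
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    if [ -r "$GOOGLE_APPLICATION_CREDENTIALS" ]; then
      echo "adc:env-file:$GOOGLE_APPLICATION_CREDENTIALS"
    else
      echo "adc:env-file-unreadable:$GOOGLE_APPLICATION_CREDENTIALS"
    fi
    return 0
  fi
  # ... then the file written by `gcloud auth application-default login`.
  adc_file="${HOME}/.config/gcloud/application_default_credentials.json"
  if [ -r "$adc_file" ]; then
    echo "adc:well-known-file:$adc_file"
    return 0
  fi
  # Otherwise only the GCE metadata server remains; off GCE the provider fails.
  echo "adc:metadata-server-or-none"
}

# Account gcloud runs as: the [core] account= line of the active configuration.
# This store is what `gcloud auth login` fills and ADC never reads.
gcloud_active_account() {
  dir="$(gcloud_config_dir)"
  cfg="default"
  [ -r "$dir/active_config" ] && cfg="$(cat "$dir/active_config")"
  cfg_file="$dir/configurations/config_$cfg"
  if [ -r "$cfg_file" ]; then
    sed -n 's/^account *= *//p' "$cfg_file" | head -n 1
  fi
}

# Stand-alone usage: compare the two views on this machine.
acct="$(gcloud_active_account)"
echo "terraform provider would use: $(terraform_credential_source)"
echo "gcloud active account:        ${acct:-<none configured>}"
```

If the script reports adc:metadata-server-or-none on a workstation, the provider will fail with a "could not find default credentials" error rather than a 403; a 403 PERMISSION_DENIED like the one in the question's log means a credential was found and presented, but the principal behind it is not the one gcloud is using or lacks access to the project. Of the sources listed, an exported service account key is a long-lived secret that should be scoped to the least privilege the Terraform run needs, whereas the ADC file from gcloud auth application-default login holds a refresh token for the logged-in user.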
