
Identity Platform requires undefined permissions #19111

Open
dantheperson opened this issue Aug 13, 2024 · 10 comments

dantheperson commented Aug 13, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.9.4
on linux_amd64

  • provider registry.terraform.io/hashicorp/google v5.40.0
  • provider registry.terraform.io/hashicorp/google-beta v5.40.0

Affected Resource(s)

google_identity_platform_config

Terraform Configuration

resource "google_identity_platform_config" "default" {
  project = var.project_id
  autodelete_anonymous_users = false
  sign_in {
    allow_duplicate_emails = false
    email {
      enabled = true
      password_required = true
    }
  }
  mfa {
    state = "ENABLED"
    provider_configs {
      state = "ENABLED"
      totp_provider_config {
        adjacent_intervals = 5
      }
    }
  }
  authorized_domains = [
    var.dns_name,
    var.dns_name_cb
  ]
  depends_on = [
    google_project_service.identitytoolkit
  ]
}

Debug Output

No response

Expected Behavior

terraform apply should work

Actual Behavior

Generic permissions error

google_identity_platform_config.default: Creating...
╷
│ Error: Error creating Config: googleapi: Error 403: INSUFFICIENT_PERMISSION
│ 
│   with google_identity_platform_config.default,
│   on google_identitytoolkit.tf line 11, in resource "google_identity_platform_config" "default":
│   11: resource "google_identity_platform_config" "default" {

Steps to reproduce

  1. terraform apply

Important Factoids

The account has the following roles

  • Firebase Authentication Admin
  • Identity Toolkit Admin
  • Identity Platform Admin

Which permissions are needed? Surely a role with these two should be sufficient?

  • firebaseauth.*
  • identitytoolkit.*

References

No response

b/359930084

@github-actions github-actions bot added forward/review In review; remove label to forward service/identitytoolkit labels Aug 13, 2024
dantheperson (Author) commented:

From the debug output it's failing on initializeAuth, and from the API docs that needs firebaseauth.configs.create, so a user with just the Identity Platform Admin role should be able to run this.

https://cloud.google.com/identity-platform/docs/reference/rest/v2/projects.identityPlatform/initializeAuth#path-parameters

debug output:

2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: ---[ REQUEST ]---------------------------------------
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: POST /v2/projects/<redacted>/identityPlatform:initializeAuth?alt=json HTTP/1.1
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Host: identitytoolkit.googleapis.com
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: User-Agent: Terraform/1.9.4 (+https://www.terraform.io) Terraform-Plugin-SDK/2.33.0 terraform-provider-google/5.40.0
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Content-Length: 0
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Content-Type: application/json
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: X-Goog-User-Project: xm-integration
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Accept-Encoding: gzip
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5
2024-08-13T22:16:29.235+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: -----------------------------------------------------
2024-08-13T22:16:30.493+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: 2024/08/13 22:16:30 [DEBUG] Google API Response Details:
2024-08-13T22:16:30.493+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: ---[ RESPONSE ]--------------------------------------
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: HTTP/2.0 403 Forbidden
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Cache-Control: no-cache, no-store, max-age=0, must-revalidate
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Content-Type: application/json; charset=UTF-8
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Date: Tue, 13 Aug 2024 10:16:30 GMT
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Expires: Mon, 01 Jan 1990 00:00:00 GMT
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Pragma: no-cache
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Server: ESF
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Vary: Origin
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Vary: X-Origin
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Vary: Referer
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: X-Content-Type-Options: nosniff
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: X-Frame-Options: SAMEORIGIN
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: X-Xss-Protection: 0
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: {
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5:   "error": {
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5:     "code": 403,
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5:     "message": "INSUFFICIENT_PERMISSION",
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5:     "status": "PERMISSION_DENIED"
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5:   }
2024-08-13T22:16:30.494+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: }

dantheperson (Author) commented:

When I run terraform as Owner on the project, the same REST call succeeds, so it seems the API docs are inaccurate when they say that firebaseauth.configs.create is needed; there must be other permissions needed too.

2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: 2024/08/13 23:04:49 [DEBUG] Google API Request Details:
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: ---[ REQUEST ]---------------------------------------
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: POST /v2/projects/redacted/identityPlatform:initializeAuth?alt=json HTTP/1.1
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Host: identitytoolkit.googleapis.com
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: User-Agent: Terraform/1.9.4 (+https://www.terraform.io) Terraform-Plugin-SDK/2.33.0 terraform-provider-google/5.40.0
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Content-Length: 0
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Content-Type: application/json
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: X-Goog-User-Project: xm-integration
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Accept-Encoding: gzip
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5
2024-08-13T23:04:49.907+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: -----------------------------------------------------
2024-08-13T23:04:53.880+1200 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/google\"] (close)" is waiting for "google_secret_manager_secret_version.identity_web_auth_domains-version"
2024-08-13T23:04:53.880+1200 [TRACE] dag/walk: vertex "google_secret_manager_secret_version.identity_web_api_key-version (expand)" is waiting for "google_identity_platform_config.default"
2024-08-13T23:04:53.880+1200 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/hashicorp/google\"] (close)"
2024-08-13T23:04:53.880+1200 [TRACE] dag/walk: vertex "google_secret_manager_secret_version.identity_web_api_key-version" is waiting for "google_secret_manager_secret_version.identity_web_api_key-version (expand)"
2024-08-13T23:04:53.880+1200 [TRACE] dag/walk: vertex "google_secret_manager_secret_version.identity_web_auth_domains-version" is waiting for "google_secret_manager_secret_version.identity_web_auth_domains-version (expand)"
2024-08-13T23:04:53.880+1200 [TRACE] dag/walk: vertex "google_secret_manager_secret_version.identity_web_auth_domains-version (expand)" is waiting for "google_identity_platform_config.default"
2024-08-13T23:04:58.883+1200 [TRACE] dag/walk: vertex "root" is waiting for "provider[\"registry.terraform.io/hashicorp/google\"] (close)"
2024-08-13T23:04:58.883+1200 [TRACE] dag/walk: vertex "google_secret_manager_secret_version.identity_web_api_key-version (expand)" is waiting for "google_identity_platform_config.default"
2024-08-13T23:04:58.883+1200 [TRACE] dag/walk: vertex "google_secret_manager_secret_version.identity_web_api_key-version" is waiting for "google_secret_manager_secret_version.identity_web_api_key-version (expand)"
2024-08-13T23:04:58.883+1200 [TRACE] dag/walk: vertex "google_secret_manager_secret_version.identity_web_auth_domains-version (expand)" is waiting for "google_identity_platform_config.default"
2024-08-13T23:04:58.883+1200 [TRACE] dag/walk: vertex "provider[\"registry.terraform.io/hashicorp/google\"] (close)" is waiting for "google_secret_manager_secret_version.identity_web_auth_domains-version"
2024-08-13T23:04:58.883+1200 [TRACE] dag/walk: vertex "google_secret_manager_secret_version.identity_web_auth_domains-version" is waiting for "google_secret_manager_secret_version.identity_web_auth_domains-version (expand)"
google_identity_platform_config.default: Still creating... [10s elapsed]
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: 2024/08/13 23:05:01 [DEBUG] Google API Response Details:
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: ---[ RESPONSE ]--------------------------------------
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: HTTP/2.0 200 OK
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Cache-Control: no-cache, no-store, max-age=0, must-revalidate
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Content-Type: application/json; charset=UTF-8
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Date: Tue, 13 Aug 2024 11:05:01 GMT
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Expires: Mon, 01 Jan 1990 00:00:00 GMT
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Pragma: no-cache
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Server: ESF
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Vary: Origin
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Vary: X-Origin
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: Vary: Referer
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: X-Content-Type-Options: nosniff
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: X-Frame-Options: SAMEORIGIN
2024-08-13T23:05:01.717+1200 [DEBUG] provider.terraform-provider-google_v5.40.0_x5: X-Xss-Protection: 0

@ggtisc ggtisc self-assigned this Aug 14, 2024
ggtisc (Collaborator) commented Aug 14, 2024

It is not possible to reproduce for me since I'm using a user with all privileges and after a terraform apply everything was successful without errors.

There isn't information in the terraform registry or API documentation about which are the required permissions, and the shared error messages just say INSUFFICIENT_PERMISSION.

Maybe a more descriptive error message showing which are the required permissions could help users to configure their IAM roles.

@ggtisc ggtisc removed their assignment Aug 14, 2024
@ggtisc ggtisc removed the forward/review In review; remove label to forward label Aug 14, 2024
dantheperson (Author) commented Aug 14, 2024

Hi, the API docs here show that the required permission for initializeAuth is firebaseauth.configs.create, while the role Identity Platform Admin has firebaseauth.*

I've also checked with IAM Policy Troubleshooter, and it confirms the account has firebaseauth.configs.create on the project resource. I wasn't quite sure what resource to check the permission against.

The permissions you linked to are not referring to the IAM permissions required to call the Identity Platform API, rather they are domain objects within the API, that is permissions that identity platform users will have, not IAM users.

rainshen49 (Contributor) commented Oct 31, 2024

Did you include enabling the API?

https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/guides/google_project_service

resource "google_project_service" "identitytoolkit" {
  project = var.project_id
  service = "identitytoolkit.googleapis.com"
}

dantheperson (Author) commented:

Yes I have that block to enable the API.

rainshen49 (Contributor) commented Jan 15, 2025

@dantheperson
Given that the same call succeeds when running as yourself, can you include the other relevant parts of your Terraform config? Assuming you are using a service account to run Terraform who ran into this error:

  1. How is that service account created (inside Terraform, outside Terraform, from another project)?
  2. How is permission granted to that service account (inside Terraform, outside Terraform)?

Youssef93 commented:

I had the same issue. Then I gave the service account role "editor" & that fixed it.

dantheperson (Author) commented Jan 16, 2025

Hi,
No, we're using personal user accounts to apply changes. The user accounts are created manually via admin.google.com and added to Google Groups. In GCP IAM the Google Group principal is assigned the "Identity Platform Admin" role.
The account that does work is assigned the "Owner" role directly to the Google Account principal in the GCP IAM UI.

I think the only other relevant TF config is the enabling of the required APIs.

resource "google_project_service" "identitytoolkit" {
  project = var.project_id
  service = "identitytoolkit.googleapis.com"
}

resource "google_project_service" "cloudresourcemanager" {
  project = var.project_id
  service = "cloudresourcemanager.googleapis.com"
}

I would rather not give everyone Editor access (or access to a service account that has Editor access).

rainshen49 (Contributor) commented:

@dantheperson Does the Google Group only have Identity Platform Admin role? Try adding Service Usage Consumer (allows the user to call APIs) and Viewer (allows the user to see the project) roles.

If this still doesn't work, I'm afraid you'll need to go through Firebase support and supply your project identifiers for a detailed look.
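A least-privilege way to bind the roles suggested above to the Google Group, as an added example that is not part of this thread or of the provider's own documentation. It assumes `var.project_id` and a `var.admin_group` holding the group's e-mail address; the `serviceusage.services.use` permission carried by Service Usage Consumer is required of any caller that sets the `X-Goog-User-Project` header, which the debug log above shows the provider doing, so Identity Platform Admin on its own can be insufficient for this request.

```hcl
# Added example: bind the three roles suggested in the thread to the Google
# Group whose members run terraform apply, instead of granting Editor or
# Owner. var.project_id and var.admin_group are assumed inputs.
variable "project_id" {
  type = string
}

variable "admin_group" {
  type        = string
  description = "E-mail of the Google Group that runs terraform apply (assumed)"
}

locals {
  # Identity Platform Admin covers firebaseauth.*; Service Usage Consumer
  # grants serviceusage.services.use for the X-Goog-User-Project quota
  # project; Viewer lets the principal read the project itself.
  identity_admin_roles = toset([
    "roles/identityplatform.admin",
    "roles/serviceusage.serviceUsageConsumer",
    "roles/viewer",
  ])
}

# google_project_iam_member is non-authoritative: it adds these bindings
# without removing any other role bindings already on the project.
resource "google_project_iam_member" "identity_admins" {
  for_each = local.identity_admin_roles

  project = var.project_id
  role    = each.value
  member  = "group:${var.admin_group}"
}
```

If the apply still fails with INSUFFICIENT_PERMISSION after these bindings propagate, the IAM Policy Troubleshooter check mentioned earlier in the thread is the quickest way to confirm which of the three permissions the group is actually missing on the project.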
