Fix condition to fetch id token from API (#8195) (#5825)

Signed-off-by: Modular Magician <[email protected]>
hashicorp · Jun 28, 2023 · 00351e2 · 00351e2
1 parent 699167d
commit 00351e2
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/.changelog/8195.txt b/.changelog/8195.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resourcemanager: fixed handling of `google_service_account_id_token` when authenticated with GCE metadata credentials
+```
diff --git a/google-beta/services/resourcemanager/data_source_google_service_account_id_token.go b/google-beta/services/resourcemanager/data_source_google_service_account_id_token.go
@@ -79,12 +79,13 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 		return fmt.Errorf("error calling getCredentials(): %v", err)
 	}
 
-	// If the source credential is not a service account key, use the API to generate the idToken
-	if creds.JSON == nil {
+	targetServiceAccount := d.Get("target_service_account").(string)
+	// If a target service account is provided, use the API to generate the idToken
+	if targetServiceAccount != "" {
 		// Use
 		// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
 		service := config.NewIamCredentialsClient(userAgent)
-		name := fmt.Sprintf("projects/-/serviceAccounts/%s", d.Get("target_service_account").(string))
+		name := fmt.Sprintf("projects/-/serviceAccounts/%s", targetServiceAccount)
 		tokenRequest := &iamcredentials.GenerateIdTokenRequest{
 			Audience:     targetAudience,
 			IncludeEmail: d.Get("include_email").(bool),
@@ -95,7 +96,7 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 			return fmt.Errorf("error calling iamcredentials.GenerateIdToken: %v", err)
 		}
 
-		d.SetId(d.Get("target_service_account").(string))
+		d.SetId(targetServiceAccount)
 		if err := d.Set("id_token", at.Token); err != nil {
 			return fmt.Errorf("Error setting id_token: %s", err)
 		}