diff --git a/.changelog/8195.txt b/.changelog/8195.txt
new file mode 100644
index 0000000000..62423e83f5
--- /dev/null
+++ b/.changelog/8195.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+resourcemanager: fixed handling of `google_service_account_id_token` when authenticated with GCE metadata credentials
+```
diff --git a/google-beta/services/resourcemanager/data_source_google_service_account_id_token.go b/google-beta/services/resourcemanager/data_source_google_service_account_id_token.go
index 1f440e310c..8c4f82822e 100644
--- a/google-beta/services/resourcemanager/data_source_google_service_account_id_token.go
+++ b/google-beta/services/resourcemanager/data_source_google_service_account_id_token.go
@@ -79,12 +79,13 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 return fmt.Errorf("error calling getCredentials(): %v", err)
 }
 
-// If the source credential is not a service account key, use the API to generate the idToken
-if creds.JSON == nil {
+targetServiceAccount := d.Get("target_service_account").(string)
+// If a target service account is provided, use the API to generate the idToken
+if targetServiceAccount != "" {
 // Use
 // https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
 service := config.NewIamCredentialsClient(userAgent)
-name := fmt.Sprintf("projects/-/serviceAccounts/%s", d.Get("target_service_account").(string))
+name := fmt.Sprintf("projects/-/serviceAccounts/%s", targetServiceAccount)
 tokenRequest := &iamcredentials.GenerateIdTokenRequest{
 Audience: targetAudience,
 IncludeEmail: d.Get("include_email").(bool),
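Review bot: The new guard `if targetServiceAccount != ""` changes which path a service-account-key login takes: whenever `target_service_account` is set, the generateIdToken impersonation call is now used regardless of whether `creds.JSON` is present, whereas the removed condition dispatched on the credential type, and the one-line comment no longer describes that dispatch. I would replace it with `// If a target service account is provided, mint the token through the IAM Credentials generateIdToken API (impersonation); otherwise the ambient credentials below must be able to issue an ID token themselves (e.g. a service-account key or the GCE metadata server)`. The branch that handles the no-target case lies outside this hunk, so whether it copes with a nil `creds.JSON` — the behaviour the changelog claims is fixed — cannot be confirmed from the diff; an acceptance test using metadata-style credentials with no `target_service_account` would pin it. `targetServiceAccount` is also interpolated unescaped into the `projects/-/serviceAccounts/%s` resource name, so rejecting anything that is not a plain service-account email (a schema `ValidateFunc`, or a check before the `Sprintf`) would keep a mistyped value from addressing an unintended resource path. dataSourceGoogleServiceAccountIdTokenRead starts before and continues after this hunk.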
@@ -95,7 +96,7 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 return fmt.Errorf("error calling iamcredentials.GenerateIdToken: %v", err)
 }
 
-d.SetId(d.Get("target_service_account").(string))
+d.SetId(targetServiceAccount)
 if err := d.Set("id_token", at.Token); err != nil {
 return fmt.Errorf("Error setting id_token: %s", err)
 }