0
votes

Last week, everything was OK. But today, when I run terraform apply again, I get the following error for all my resources:

Error: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=PROJECTID": dial tcp SOMEIPTHATCANTSHARE:443: connect: connection refused

I have to:

  • Create BigQuery Datasets and tables.

  • Create buckets

I tried "gcloud auth login" and "gcloud auth application-default login".

I get the following messages:

UserWarning: Your application has authenticated using end user credentials from Google Cloud SDK without a quota project. You might receive a "quota exceeded" or "API not enabled" error. We recommend you rerun `gcloud auth application-default login` and make sure a quota project is added. Or you can use service accounts instead. For more information about service accounts, see https://cloud.google.com/docs/authentication/. warnings.warn(_CLOUD_SDK_CREDENTIALS_WARNING)

Cannot add the project "A PROJECT FROM ANOTHER GOOGLE CLOUD ACCOUNT" to ADC as the quota project because the account in ADC does not have the "serviceusage.services.use" permission on this project. You might receive a "quota_exceeded" or "API not enabled" error. Run $ gcloud auth application-default set-quota-project to add a quota project.

2 Answers

2
votes

Unless you're very familiar with Google Application Default credentials and quotas, the error's really not helpful.

Google discourages the use of end-user credentials (in this case what you're using with gcloud auth list) for application default credentials. The facility exists, of course, but it should only be used sparingly.

I'm unclear on all the reasons why, but a significant one is that the application_default_credentials.json file that is created has permissions that match your end-user account and is a bearer token; anyone else that gets it, can act as if they were you(r account).

Whenever you're running software this way, it's strongly preferred to create a service account with the necessary permissions.

It's unclear from your question whether you prefer to use the Cloud Console or Cloud SDK (aka gcloud).

You will need to:

  1. Create a service account (e.g. Console)
  2. Grant it sufficient permissions (e.g. Console):
     • BigQuery create datasets|tables (perhaps roles/bigquery.dataEditor?);
     • Cloud Storage create buckets (perhaps roles/storage.admin?)
  3. Optional*
     • Create a key for the service account
     • export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
  4. Run the terraform script again

Optional* -- if you run the script from e.g. Compute Engine, you do not need to create a key as you can use the VM's own service account. See Authenticating as a service account

2
votes

This answer complements @DazWilkin's answer.

Your application has authenticated using end user credentials from Google Cloud SDK without a quota project

This warning message means you are using Google User Credentials (Gmail, Workplace, etc.) and not a service account to access Google Cloud APIs. Since you are using user credentials, Google Cloud does not know how to manage the various quotas as a default project is not set. These quotas are project specific.

To set the quota project:

gcloud auth application-default set-quota-project PROJECT_ID

PROJECT_ID is the project for which quotas will be checked and permission granted/denied.

Note: prior to running the set-quota-project command, the application default credentials must be initialized.

gcloud auth application-default login
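
A check that ties the two answers together, as an added example that is not part of either answer: it reads an ADC JSON file and reports whether it holds an end-user or a service account credential, whether a quota project is recorded, and whether the file mode exposes it to other local users. The function names are this example's own, the default path assumes Linux/macOS, and the sample credentials are constructed placeholders.

```python
import json
import os
import stat
import tempfile

def adc_path(env=os.environ):
    """GOOGLE_APPLICATION_CREDENTIALS if set, else gcloud's default file (Linux/macOS)."""
    return env.get("GOOGLE_APPLICATION_CREDENTIALS") or os.path.expanduser(
        "~/.config/gcloud/application_default_credentials.json")

def audit_adc(path):
    """Return findings for one Application Default Credentials JSON file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:o}: group/other can access this credential file")
    with open(path) as fh:
        cred = json.load(fh)
    kind = cred.get("type")
    if kind == "authorized_user":
        findings.append("end-user credential: whoever holds this file acts as your account")
        if not cred.get("quota_project_id"):
            findings.append("no quota_project_id: run set-quota-project or expect the warning")
    elif kind == "service_account":
        findings.append(f"service account key for {cred.get('client_email')}: "
                        "access is limited to the roles granted to that account")
    else:
        findings.append(f"unrecognised credential type {kind!r}")
    return findings

def audit_sample(payload, mode):
    """Write a constructed credential to a temp file, audit it, then delete it."""
    fd, path = tempfile.mkstemp(suffix=".json")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(payload, fh)
        os.chmod(path, mode)
        return audit_adc(path)
    finally:
        os.remove(path)

# Constructed samples: placeholder values only, shaped like the two file types.
USER_ADC = {"type": "authorized_user", "client_id": "PLACEHOLDER",
            "client_secret": "PLACEHOLDER", "refresh_token": "PLACEHOLDER"}
SA_KEY = {"type": "service_account", "private_key": "PLACEHOLDER",
          "client_email": "terraform@example-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    print(audit_sample(USER_ADC, 0o644))
    print(audit_sample(SA_KEY, 0o600))
    if os.path.exists(adc_path()):
        print(adc_path(), audit_adc(adc_path()))
```

Run it as a script to audit the constructed samples and, if present, the ADC file on the machine where terraform runs.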