This repository has been archived by the owner on Jun 27, 2021. It is now read-only.

As a non admin user can I use this provider? #178

Open
damaya opened this issue May 7, 2021 · 3 comments
Labels
question Further information is requested

Comments

@damaya

damaya commented May 7, 2021

Hi @DeviaVir, I have tested the provider, and it works so good using admin credentials. Thanks for this.

However, I have this question: does this provider work if we use an impersonated email without admin privileges, or do you have some workaround in progress, or are we limited by the same scope of the Google API itself?

Scenario

  1. As a non admin user, e.g. [email protected], I am able to create groups from the Gsuite workspace https://groups.google.com/all-groups

  2. As the same non admin user [email protected], I use the gcloud credentials and the plan works as expected, but I cannot import any of the pre-existing groups, as just through this provider I could not create/manage any of the gsuite resources I created manually before.

  3. Taking points 1 and 2, I am using the provider like this, and as I said before, it worked perfectly using an admin user, but in the second scenario it did not:

provider "gsuite" {
  oauth_scopes = [
    "https://www.googleapis.com/auth/admin.directory.group",
    "https://www.googleapis.com/auth/apps.groups.settings",
  ]

  impersonated_user_email = var.impersonated_user_email
  credentials             = var.gsuite_credentials
}

where impersonated_user_email is [email protected], and credentials is the path with the JSON data I get when I authenticate with gcloud, for example "/home/developerx/.config/gcloud/application_default_credentials.json"

  4. Importing a pre-existing group:

Having this resource coded like:

resource "gsuite_group" "test" {
  email       = "[email protected]"
  name        = "Test"
}

And being sure the group already exists with mail "[email protected]", I run the import command like

terraform import gsuite_group.test "[email protected]"

The error when importing a pre-existing group (which I can see from the GCP account and from the Gsuite workspace) is this:

Error: [ERROR] Error fetching group. Make sure the group exists: Get "https://admin.googleapis.com/admin/directory/v1/groups/test%40anydomain.com?alt=json&prettyPrint=false": private key should be a PEM or plain PKCS1 or PKCS8; parse error: asn1: syntax error: sequence truncated

@DeviaVir
Owner

Are you sure var.gsuite_credentials is the JSON blob export of the service account key?

@DeviaVir DeviaVir added the question Further information is requested label May 12, 2021
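
A quick way to answer the question above before handing a file to the provider, added here as an example and not part of the thread or the provider's code: it checks whether a credentials JSON has the shape of a service account key export rather than the user credentials that gcloud writes to application_default_credentials.json. The sample values and the script name are constructed; the `type` values `service_account` and `authorized_user` are the ones Google uses in these two file formats.

```python
import json
import sys

# Constructed samples (not real credentials): the shape of a service account
# key export, and the shape of gcloud's application_default_credentials.json.
SERVICE_ACCOUNT_SAMPLE = json.dumps({
    "type": "service_account",
    "client_email": "terraform@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
})
GCLOUD_USER_SAMPLE = json.dumps({
    "type": "authorized_user",
    "client_id": "constructed.apps.googleusercontent.com",
    "client_secret": "constructed-secret",
    "refresh_token": "constructed-token",
})


def check_credentials(raw):
    """Return reasons the JSON is not a service account key; [] means it looks like one."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(data, dict):
        return ["top-level JSON value is not an object"]
    problems = []
    if data.get("type") != "service_account":
        problems.append("type is %r, expected 'service_account'" % data.get("type"))
    if not data.get("client_email"):
        problems.append("client_email is missing")
    key = data.get("private_key")
    if not isinstance(key, str) or not key.strip():
        problems.append("private_key is missing or empty")
    elif not key.lstrip().startswith("-----BEGIN ") or "-----END " not in key:
        problems.append("private_key is not a complete PEM block")
    return problems


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_creds.py /path/to/credentials.json
    with open(sys.argv[1], encoding="utf-8") as fh:
        issues = check_credentials(fh.read())
    for issue in issues:
        print("problem:", issue)
    sys.exit(1 if issues else 0)
```

The script only inspects field names and the PEM framing; it never prints the key material, so its output is safe to paste into an issue.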
@damaya
Author

damaya commented May 12, 2021

Hi @DeviaVir, yes I did; in fact all worked perfectly for an admin user, but not for a non admin. Thanks so much for your response.

@damaya
Author

damaya commented Jun 9, 2021

Hi @DeviaVir, thanks again for your latest feedback and help. I have tried, but it seems that if a user is not an admin within the organization, they cannot e.g. take or import existing groups, even if authenticated with the same credentials used from the web console. Would you please give me more hints about these use cases or limits? Maybe I can check, and understanding this could lead to some contribution in the near future. Thanks in advance.
