Using pulumi to define a SecurityProfile in GCP (org-level object), I have:
const globalSecurityPolicy = new gcp.networksecurity.SecurityProfile(
'default-sp',
{
name: `${args.name}-sp`,
parent: parentOrg,
location: args.region,
labels,
description: '...description...',
type: args.type ?? 'THREAT_PREVENTION',
},
{ parent: this }
);
When trying to pulumi up
I run into:
gcp:networksecurity:SecurityProfile (default-sp): error: sdk-v2/provider2.go:572: sdk.helper_schema:
Error creating SecurityProfile: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials.
The networksecurity.googleapis.com API requires a quota project, which is not set by default.
To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds.
Details: [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com",
"metadata": { "consumer": "projects/764086051850", "service": "networksecurity.googleapis.com" }, "reason": "SERVICE_DISABLED" },
{ "@type": "type.googleapis.com/google.rpc.LocalizedMessage", "locale": "en-US",
"message": "Your application is authenticating by using local Application Default Credentials. The networksecurity.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds ." } ]:
provider=google-beta@8.38.0 error: 1 error occurred: * Error creating SecurityProfile: googleapi:
Error 403: Your application is authenticating by using local Application Default Credentials.
The networksecurity.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds . Details: [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com", "metadata": { "consumer": "projects/764086051850", "service": "networksecurity.googleapis.com" }, "reason": "SERVICE_DISABLED" }, { "@type": "type.googleapis.com/google.rpc.LocalizedMessage", "locale": "en-US", "message": "Your application is authenticating by using local Application Default Credentials. The networksecurity.googleapis.com API requires a quota project, which is not set by default.
To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds ." } ]
Per the referenced docs, I tried (unsuccessfully):
gcloud config set billing/quota_project
gcloud auth application-default set-quota-project YOUR_PROJECT
, andgcloud config set billing/quota_project YOUR_PROJECT
, none of which helped.In the end (TYVM to Google support for suggesting this) an export GOOGLE_CLOUD_QUOTA_PROJECT=<project_ID>
was the ticket to get the correct project to be used.
NOTE: at first use, I was getting [different] permission errors, but that was a quirk of how we use various projects internally.