[SOLVED] pulumi up is not using the defined quota project to apply changes

pulumi up is not using the defined quota project to apply changes

Using pulumi to define a SecurityProfile in GCP (org-level object), I have:

    const globalSecurityPolicy = new gcp.networksecurity.SecurityProfile(
      'default-sp',
      {
        name: `${args.name}-sp`,
        parent: parentOrg,
        location: args.region,
        labels,
        description: '...description...',
        type: args.type ?? 'THREAT_PREVENTION',
      },
      { parent: this }
    );

When trying to pulumi up I run into:

gcp:networksecurity:SecurityProfile (default-sp): error: sdk-v2/provider2.go:572: sdk.helper_schema: 
Error creating SecurityProfile: googleapi: Error 403: Your application is authenticating by using local Application Default Credentials. 
The networksecurity.googleapis.com API requires a quota project, which is not set by default.
To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds.
Details: [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com", 
"metadata": { "consumer": "projects/764086051850", "service": "networksecurity.googleapis.com" }, "reason": "SERVICE_DISABLED" },
{ "@type": "type.googleapis.com/google.rpc.LocalizedMessage", "locale": "en-US", 
"message": "Your application is authenticating by using local Application Default Credentials. The networksecurity.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds ." } ]:
 provider=google-beta@8.38.0 error: 1 error occurred: * Error creating SecurityProfile: googleapi:
Error 403: Your application is authenticating by using local Application Default Credentials.
The networksecurity.googleapis.com API requires a quota project, which is not set by default. To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds . Details: [ { "@type": "type.googleapis.com/google.rpc.ErrorInfo", "domain": "googleapis.com", "metadata": { "consumer": "projects/764086051850", "service": "networksecurity.googleapis.com" }, "reason": "SERVICE_DISABLED" }, { "@type": "type.googleapis.com/google.rpc.LocalizedMessage", "locale": "en-US", "message": "Your application is authenticating by using local Application Default Credentials. The networksecurity.googleapis.com API requires a quota project, which is not set by default.
To learn how to set your quota project, see https://cloud.google.com/docs/authentication/adc-troubleshooting/user-creds ." } ]

Per the referenced docs, I tried (unsuccessfully):

confirmed that the APIs in question were enabled in the project specified by gcloud config set billing/quota_project
ran gcloud auth application-default set-quota-project YOUR_PROJECT, and
ran gcloud config set billing/quota_project YOUR_PROJECT, none of which helped.

Solution

In the end (TYVM to Google support for suggesting this) an export GOOGLE_CLOUD_QUOTA_PROJECT=<project_ID> was the ticket to get the correct project to be used.

NOTE: at first use, I was getting [different] permission errors, but that was a quirk of how we use various projects internally.