Can't specify support_email with google_iap_brand resource #6104

Closed
pierrefevrier opened this issue Apr 13, 2020 · 4 comments

@pierrefevrier
Hi,

I'm trying to use the google_iap_brand but always get the following error: `Error: Error creating Brand: googleapi: Error 400: Support email is not allowed: [email protected].`

I'm executing Terraform with a GCP project-specific service account.

I tried several email addresses and groups but nothing works.
I'm asking myself whether the only way to make it work is to run Terraform as the user that corresponds to the email I set in support_email?

Thanks for your help.

@venkykuberan venkykuberan self-assigned this Apr 13, 2020
@venkykuberan
Contributor

@pierrefevrier can you try your Google group email (of your org) for the support_email attribute and see if the error goes away?

@slevenick
Collaborator

Hey @pierrefevrier

Wanted to chime in with some extra information on the support_email field.

You are onto something: per https://cloud.google.com/iap/docs/programmatic-oauth-clients, the support_email field has restrictions as follows:

> The support email displayed on the OAuth consent screen. This email address can either be a user's address or a Google Groups alias. While service accounts also have an email address, they are not actual valid email addresses, and cannot be used when creating a brand. However, a service account can be the owner of a Google Group. Either create a new Google Group or configure an existing group and set the desired service account as an owner of the group.

Generally Terraform runs as a service account, so the easiest way to have the service account own the support_email address would be to have the service account be an owner of a Google Group.

Alternatively you could run Terraform as the user that owns the support email, but I haven't tested this and it could be difficult if you have other infrastructure in your Terraform config.

@pierrefevrier
Author

Thank you @venkykuberan and @slevenick.
By adding the service account as owner of the Cloud Identity group whose email address I want to use as support_email, it works!

@ghost ghost removed the waiting-response label Apr 14, 2020
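
The fix confirmed above, sketched as a Terraform configuration. This is an added example, not code from the thread or from the provider's documentation. All variable values, resource names and the application title are placeholders, and it assumes the `google_cloud_identity_group` and `google_cloud_identity_group_membership` resources of the Google provider and a Terraform service account that is already permitted to manage groups in Cloud Identity.

```hcl
# Added example: every name, ID and address here is a placeholder.
variable "project_id" { type = string }
variable "customer_id" { type = string }         # Cloud Identity customer ID
variable "terraform_sa_email" { type = string }  # service account Terraform runs as
variable "support_group_email" { type = string } # group address used as support_email

# Group whose address will appear on the OAuth consent screen.
resource "google_cloud_identity_group" "iap_support" {
  display_name = "IAP support"
  parent       = "customers/${var.customer_id}"

  group_key {
    id = var.support_group_email
  }

  labels = {
    "cloudidentity.googleapis.com/groups.discussion_forum" = ""
  }
}

# Make the Terraform service account an owner of that group.
# A service account address itself is rejected as support_email.
resource "google_cloud_identity_group_membership" "terraform_sa_owner" {
  group = google_cloud_identity_group.iap_support.id

  preferred_member_key {
    id = var.terraform_sa_email
  }

  # The OWNER role is assigned in addition to the base MEMBER role.
  roles { name = "MEMBER" }
  roles { name = "OWNER" }
}

resource "google_iap_brand" "this" {
  project           = var.project_id
  support_email     = google_cloud_identity_group.iap_support.group_key[0].id
  application_title = "Example IAP application"

  # The brand is only accepted once the caller owns the group.
  depends_on = [google_cloud_identity_group_membership.terraform_sa_owner]
}
```

If the group already exists, only the membership and brand resources are needed. Group ownership also lets the service account change the group's membership, so a group dedicated to this purpose keeps that privilege narrow.
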
@ghost

ghost commented May 15, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!

@ghost ghost locked and limited conversation to collaborators May 15, 2020