@mikepietruszka
Last active May 5, 2022 18:46
Google Cloud Platform API Gateway in Terraform
/*
If you get the error below, ensure that your $GOOGLE_APPLICATION_CREDENTIALS env
variable points to a Service Account key file. Regular cloud identities are not
allowed to hit apikeys.googleapis.com because in the eyes of Google, API keys
are insecure compared to OAuth2 tokens.
│ Error: Error creating Key: failed to create a diff: failed to retrieve Key
| resource: googleapi: Error 403: Your application has authenticated using
| end user credentials from the Google Cloud SDK or Google Cloud Shell which
| are not supported by the apikeys.googleapis.com. We recommend configuring
| the billing/quota_project setting in gcloud or using a service account
| through the auth/impersonate_service_account setting. For more information
| about service accounts and how to use them in your application, see
| https://cloud.google.com/docs/authentication/. If you are getting this error
| with curl or similar tools, you may need to specify 'X-Goog-User-Project' HTTP
| header for quota and billing purposes. For more information regarding
| 'X-Goog-User-Project' header, please check https://cloud.google.com/apis/docs/system-parameters.
│ Details:
│ [
│ {
│ "@type": "type.googleapis.com/google.rpc.ErrorInfo",
│ "domain": "googleapis.com",
│ "metadata": {
│ "consumer": "projects/0123456789",
│ "service": "apikeys.googleapis.com"
│ },
│ "reason": "SERVICE_DISABLED"
│ }
│ ]
│ with google_apikeys_key.api_key,
│ on main.tf line 165, in resource "google_apikeys_key" "api_key":
│ 165: resource "google_apikeys_key" "api_key" {
*/
resource "google_apikeys_key" "api_key" {
  name         = "api-key-name"
  display_name = "api-key-display-name"
  project      = var.project_id

  restrictions {
    # Restrict to specific Google API service
    api_targets {
      service = google_api_gateway_api.api.managed_service
      methods = ["GET*"]
    }

    # Set referrer URL
    browser_key_restrictions {
      allowed_referrers = ["goatherding.club"]
    }
  }
}
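
The error text quoted in the comment names two remedies: a quota project and service account impersonation. The provider configuration below shows both; it is an added example and not part of the original gist. The variable `terraform_service_account` is a hypothetical name, and `var.project_id` is the variable the gist already uses.

```hcl
# Added example (not from the original gist).

# Hypothetical variable: e-mail address of a service account that the
# person running Terraform is allowed to impersonate
# (requires roles/iam.serviceAccountTokenCreator on that account).
variable "terraform_service_account" {
  type        = string
  description = "Service account Terraform acts as when calling Google APIs"
}

provider "google" {
  project = var.project_id

  # Remedy 1 from the error text: call the API as a service account
  # instead of with end user credentials. No key file is written to disk;
  # the provider exchanges the caller's credentials for short-lived tokens.
  impersonate_service_account = var.terraform_service_account

  # Remedy 2 from the error text: send the X-Goog-User-Project header so
  # quota and billing are attributed to this project rather than to the
  # shared Cloud SDK client project.
  user_project_override = true
  billing_project       = var.project_id
}

# The ErrorInfo reason is SERVICE_DISABLED, so make sure the API Keys API
# is enabled on the project that is charged for the request.
resource "google_project_service" "apikeys" {
  project            = var.project_id
  service            = "apikeys.googleapis.com"
  disable_on_destroy = false
}

# To order creation correctly, add this argument to the existing
# google_apikeys_key.api_key resource:
#   depends_on = [google_project_service.apikeys]
```

Impersonation avoids storing a long-lived service account key on the workstation, which keeps the credential exposure smaller than exporting a JSON key file.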