Credentials issue - BQ data transfer config

I would like to use the google_bigquery_data_transfer_config resource to create Google Ads BigQuery Data Transfers.

I am running into a credentials issue - running the setup from the command line would need to go through an authorisation pop-up and that’s the bit that I couldn’t solve with the service account permission.

This is the error I am receiving:
Error: Error creating Config: googleapi: Error 400: Failed to find a valid credential. The request to create a transfer config is supposed to contain an authorization code.

And this is my Terraform - any help would be appreciated:

# provider - gcp
terraform {
  required_providers {
    google = {
      source = "hashicorp/google"
      version = "4.20.0"
    }
  }
}

provider "google" {
  project = var.project
  region = var.region
}

data "google_project" "gcp_project" {
}

# permissions
resource "google_project_iam_member" "permissions" {
  project = var.project
  role = "roles/iam.serviceAccountShortTermTokenMinter"
  member = "serviceAccount:service-${data.google_project.gcp_project.number}@gcp-sa-bigquerydatatransfer.iam.gserviceaccount.com"
}

# services
resource "google_project_service" "bigquerydatatransfer_googleapis_com" {
  project = var.project
  service = "bigquerydatatransfer.googleapis.com"
}

# Google Ads data transfer
resource "google_bigquery_dataset" "google_ads_dataset" {
  depends_on = [google_project_iam_member.permissions]

  dataset_id = "google_ads"
  delete_contents_on_destroy = false
  location = var.region
  project = var.project
  description = "Raw Google Ads data exported via Data Transfer"
}

resource "google_bigquery_data_transfer_config" "google_ads_transfer" {
  depends_on = [google_project_iam_member.permissions]

  display_name = "Google Ads Transfer"
  data_source_id = "adwords"
  location = var.region
  destination_dataset_id = google_bigquery_dataset.google_ads_dataset.dataset_id
  schedule = "every day at 01:00"
  params = {
    customer_id = var.customer_id
    exclude_removed_items = true
  }
}

The principal used to create the data transfers does not have access to the Google Ads data.
You can add the principal as a user through Google Ads. This should get you past the errors when you run it again.
This won’t work for service accounts, as Google Ads adds users by sending an invite email, which the service account wouldn’t get.