hashicorp · modular-magician · Oct 7, 2020 · Oct 7, 2020
diff --git a/.changelog/4058.txt b/.changelog/4058.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+iam: fixed `google_service_account_id_token` datasource to work with User ADCs and Impersonated Credentials
+```
diff --git a/google/data_source_google_service_account_id_token.go b/google/data_source_google_service_account_id_token.go
@@ -74,10 +74,8 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 		return fmt.Errorf("error calling getCredentials(): %v", err)
 	}
 
-	ts := creds.TokenSource
-
-	// If the source token is just an access_token, all we can do is use the iamcredentials api to get an id_token
-	if _, ok := ts.(staticTokenSource); ok {
+	// If the source credential is not a service account key, use the API to generate the idToken
+	if creds.JSON == nil {
 		// Use
 		// https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
 		service := config.NewIamCredentialsClient(userAgent)
@@ -100,15 +98,6 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 		return nil
 	}
 
-	tok, err := ts.Token()
-	if err != nil {
-		return fmt.Errorf("unable to get Token() from tokenSource: %v", err)
-	}
-
-	// only user-credential TokenSources have refreshTokens
-	if tok.RefreshToken != "" {
-		return fmt.Errorf("unsupported Credential Type supplied.  Use serviceAccount credentials")
-	}
 	ctx := context.Background()
 	co := []option.ClientOption{}
 	if creds.JSON != nil {

diff --git a/google/provider_test.go b/google/provider_test.go
@@ -855,6 +855,10 @@ func getTestProjectFromEnv() string {
 
 // testAccPreCheck ensures at least one of the credentials env variables is set.
 func getTestCredsFromEnv() string {
+	// Return empty string if GOOGLE_USE_DEFAULT_CREDENTIALS is set to true.
+	if multiEnvSearch(credsEnvVars) == "true" {
+		return ""
+	}
 	return multiEnvSearch(credsEnvVars)
 }
 

diff --git a/...le_service_account_id_token.html.markdown → .../d/service_account_id_token.html.markdown b/...le_service_account_id_token.html.markdown → .../d/service_account_id_token.html.markdown
@@ -28,7 +28,7 @@ For more information see
   ```
 
 ## Example Usage - Service Account Impersonation.
-  `google_service_account_access_token` will use background impersonated credentials provided by [google_service_account_access_token](https://www.terraform.io/docs/providers/google/d/datasource_google_service_account_access_token.html).
+  `google_service_account_access_token` will use background impersonated credentials provided by [google_service_account_access_token](https://www.terraform.io/docs/providers/google/d/service_account_access_token.html).
 
   Note: to use the following, you must grant `target_service_account` the
   `roles/iam.serviceAccountTokenCreator` role on itself.

diff --git a/website/google.erb b/website/google.erb
@@ -730,10 +730,6 @@
           <a href="/docs/providers/google/d/client_openid_userinfo.html">google_client_openid_userinfo</a>
           </li>
 
-          <li>
-          <a href="/docs/providers/google/d/datasource_google_service_account_id_token.html">google_service_account_id_token</a>
-          </li>
-
           <li>
           <a href="/docs/providers/google/d/folder.html">google_folder</a>
           </li>
@@ -782,6 +778,10 @@
           <a href="/docs/providers/google/d/service_account_access_token.html">google_service_account_access_token</a>
           </li>
 
+          <li>
+          <a href="/docs/providers/google/d/service_account_id_token.html">google_service_account_id_token</a>
+          </li>
+
           <li>
           <a href="/docs/providers/google/d/service_account_key.html">google_service_account_key</a>
           </li>