diff --git a/.changelog/4058.txt b/.changelog/4058.txt
new file mode 100644
index 00000000000..543c0f2cb38
--- /dev/null
+++ b/.changelog/4058.txt
@@ -0,0 +1,3 @@
+```release-note:enhancement
+iam: fixed `google_service_account_id_token` datasource to work with User ADCs and Impersonated Credentials
+```
diff --git a/google/data_source_google_service_account_id_token.go b/google/data_source_google_service_account_id_token.go
index ef374a31768..6c1563a1b27 100644
--- a/google/data_source_google_service_account_id_token.go
+++ b/google/data_source_google_service_account_id_token.go
@@ -74,10 +74,8 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 return fmt.Errorf("error calling getCredentials(): %v", err)
 }
 
- ts := creds.TokenSource
-
- // If the source token is just an access_token, all we can do is use the iamcredentials api to get an id_token
- if _, ok := ts.(staticTokenSource); ok {
+ // If the source credential is not a service account key, use the API to generate the idToken
+ if creds.JSON == nil {
 // Use
 // https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/generateIdToken
 service := config.NewIamCredentialsClient(userAgent)
@@ -100,15 +98,6 @@ func dataSourceGoogleServiceAccountIdTokenRead(d *schema.ResourceData, meta inte
 return nil
 }
 
- tok, err := ts.Token()
- if err != nil {
- return fmt.Errorf("unable to get Token() from tokenSource: %v", err)
- }
-
- // only user-credential TokenSources have refreshTokens
- if tok.RefreshToken != "" {
- return fmt.Errorf("unsupported Credential Type supplied. Use serviceAccount credentials")
- }
 ctx := context.Background()
 co := []option.ClientOption{}
 if creds.JSON != nil {
diff --git a/google/provider_test.go b/google/provider_test.go
index e4dff53dd23..e09c6383e04 100644
--- a/google/provider_test.go
+++ b/google/provider_test.go
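Review bot: The new guard `if creds.JSON == nil` in the first hunk does not match the comment above it ("not a service account key"): creds.JSON is populated for any JSON-sourced credential, and if getCredentials obtains them through google.FindDefaultCredentials that includes a user ADC file from `gcloud auth application-default login` and external-account JSON, so those credentials skip the generateIdToken path and fall through to the service-account-key path below the second hunk, where they presumably fail inside the idtoken token source with a less specific message than the `unsupported Credential Type supplied` check the second hunk removes. Branching on the declared credential type is more robust: parse the `type` field of creds.JSON and take the API path unless it is `service_account`. dataSourceGoogleServiceAccountIdTokenRead starts before and ends after both hunks, and the excerpt below needs encoding/json in scope.
```go
	// Decide by the declared credential type rather than by JSON presence:
	// user ADC files and external-account JSON also populate creds.JSON.
	var credType struct {
		Type string `json:"type"`
	}
	if creds.JSON != nil {
		if err := json.Unmarshal(creds.JSON, &credType); err != nil {
			return fmt.Errorf("unable to parse credentials JSON: %v", err)
		}
	}
	if credType.Type != "service_account" {
		// … unchanged: generateIdToken via config.NewIamCredentialsClient …
```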
@@ -855,6 +855,10 @@ func getTestProjectFromEnv() string {
 
 // testAccPreCheck ensures at least one of the credentials env variables is set.
 func getTestCredsFromEnv() string {
+ // Return empty string if GOOGLE_USE_DEFAULT_CREDENTIALS is set to true.
+ if multiEnvSearch(credsEnvVars) == "true" {
+ return ""
+ }
 return multiEnvSearch(credsEnvVars)
 }
 
diff --git a/website/docs/d/datasource_google_service_account_id_token.html.markdown b/website/docs/d/service_account_id_token.html.markdown
similarity index 96%
rename from website/docs/d/datasource_google_service_account_id_token.html.markdown
rename to website/docs/d/service_account_id_token.html.markdown
index 81b91ccb970..339b4896b19 100644
--- a/website/docs/d/datasource_google_service_account_id_token.html.markdown
+++ b/website/docs/d/service_account_id_token.html.markdown
@@ -28,7 +28,7 @@ For more information see
 ```
 ## Example Usage - Service Account Impersonation.
- `google_service_account_access_token` will use background impersonated credentials provided by [google_service_account_access_token](https://www.terraform.io/docs/providers/google/d/datasource_google_service_account_access_token.html).
+ `google_service_account_access_token` will use background impersonated credentials provided by [google_service_account_access_token](https://www.terraform.io/docs/providers/google/d/service_account_access_token.html).
 Note: to use the following, you must grant `target_service_account` the `roles/iam.serviceAccountTokenCreator` role on itself.
diff --git a/website/google.erb b/website/google.erb
index 26f2f9f685e..f93ea96d778 100644
--- a/website/google.erb
+++ b/website/google.erb
@@ -730,10 +730,6 @@ google_client_openid_userinfo -
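Review bot: The added comment says the check is for GOOGLE_USE_DEFAULT_CREDENTIALS, but the condition tests whether the value found in credsEnvVars equals the literal string `"true"`; if credsEnvVars holds the credential-file variables (its definition is outside the hunk), a credentials value of `true` is being used as a proxy for that flag, and the comment should say so, e.g. `// credsEnvVars may hold the literal "true" when default credentials are requested; report no explicit creds in that case.` If the intent is really to honour GOOGLE_USE_DEFAULT_CREDENTIALS, read that variable directly rather than inferring it from the credentials value. Looking the value up once, `v := multiEnvSearch(credsEnvVars)`, and returning `v` at the end also removes the duplicated lookup.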
  • - google_service_account_id_token -
  • -
  • google_folder
  • @@ -782,6 +778,10 @@ google_service_account_access_token +
  • + google_service_account_id_token +
  • +
  • google_service_account_key