Control Using google_users/google_user Resource Causing Authentication Failure in Subsequent Controls #328

Open
jnikles1 opened this issue Jul 16, 2021 · 0 comments

Describe the problem

We have 3 controls, which we'll call control_a, control_b, and control_c. control_a and control_b both make use of the google_project_logging_audit_config resource, while control_c uses the google_users and google_user resources. We are running into some authentication issues when control_a and control_b are executed after control_c. We included these 3 controls in a single file to test the execution cases. All cases were executed in separate runs of inspec exec:

Case 1: control order - control_a, control_b, control_c
result: all controls worked as expected

Case 2: control order - control_a, control_c, control_b
result: all controls worked as expected

Case 3: control order - control_c, control_a, control_b
result: both control_a and control_b fail with the following error message:
Request had insufficient authentication scopes.

We are now aware that our service account does not have the proper scopes needed to use the google_users/google_user resources, but this led us to discover that a failure in authorizations for google_users/google_user causes an authentication issue in subsequent controls using google_project_logging_audit_config that would typically run without error.

Expected behavior: when google_users/google_user run into authentication errors, they should fail gracefully and not affect the subsequent controls.

Possible Solution

Implement authentication failure exception handling for google_users/google_user
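
An added triage example, not part of the issue or of the inspec-gcp code: it separates controls that failed only with the scope error quoted above from controls with genuine test failures, so a Case 3 run is not read as compliance findings. It assumes the report was written with InSpec's JSON reporter (profiles, controls, results with status and message); the sample report is constructed, control_d and control_e are hypothetical, and control_c failing with the same message is an assumption of the sample.

```ruby
require 'json'

# Error text quoted in the issue.
SCOPE_ERROR = 'Request had insufficient authentication scopes.'

# Constructed sample report, trimmed to the fields read below.
# control_d and control_e are hypothetical controls added for contrast.
SAMPLE_REPORT = <<~JSON
  {"profiles": [{"name": "example-profile", "controls": [
    {"id": "control_c", "results": [
      {"status": "failed", "message": "Request had insufficient authentication scopes."}]},
    {"id": "control_a", "results": [
      {"status": "failed", "message": "Request had insufficient authentication scopes."}]},
    {"id": "control_b", "results": [
      {"status": "failed", "message": "Request had insufficient authentication scopes."}]},
    {"id": "control_d", "results": [
      {"status": "passed"},
      {"status": "failed", "message": "expected: true got: false"}]},
    {"id": "control_e", "results": [{"status": "passed"}]}
  ]}]}
JSON

# Sort control ids into three buckets, in report order:
#   :auth_scope  every failed result carries the scope error (not evaluated)
#   :finding     at least one failed result is something else (real failure)
#   :not_failed  no failed results
def triage(report_json)
  buckets = { auth_scope: [], finding: [], not_failed: [] }
  JSON.parse(report_json).fetch('profiles', []).each do |profile|
    profile.fetch('controls', []).each do |control|
      failed = control.fetch('results', []).select { |r| r['status'] == 'failed' }
      bucket =
        if failed.empty?
          :not_failed
        elsif failed.all? { |r| r['message'].to_s.include?(SCOPE_ERROR) }
          :auth_scope
        else
          :finding
        end
      buckets[bucket] << control['id']
    end
  end
  buckets
end

puts triage(SAMPLE_REPORT).inspect if __FILE__ == $PROGRAM_NAME
```

Controls in the `:auth_scope` bucket should be re-run after the credential scopes are corrected rather than recorded as failed checks.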
