Hey @TemporarilyOffline, there's not much debugging I can do remotely without debug logs, but when I'm setting up terraform I usually create a new service account at https://console.cloud.google.com/iam-admin/serviceaccounts/project and make sure it has the permissions I want, and download a private key from that which I use as my credentials file. If you run with debug logs on (TF_LOG=DEBUG terraform apply) you can look for this line:

2017/08/18 18:52:56 [INFO] Requesting Google token...
2017/08/18 18:52:56 [INFO]   -- Email: [email here]

and check that the email there matches what you expect. I'd also confirm the spelling of the project name and whatnot. Let me know if that helps!

I used the guide provided at https://www.terraform.io/docs/providers/google/index.html. That is the email account that shows up in the debug output.

Spelling of project name is correct, see above, you have my complete *.tf library there.

Debug log attached.
out.txt

Does it work if you create a new service account and use that one instead?

• created a new account named "terraform-access"
• downloaded the new JSON file
• updated terraform to use new creds
• ran TF_LOG=DEBUG terraform apply

I see the updated email token in the debug output, but the rest is the same.

Assuming you've given the new service account the correct IAM permissions, I'm at a loss. Can you pop into the #terraform channel in the GCP slack? (https://gcp-slack.appspot.com/) Maybe having some more eyes on the problem will help :)

Am also facing the same issue, any help is much appreciated

Hey @sandygvs, it's likely not a Terraform issue but I'm happy to help you debug. Can you post debug logs? Have you tried using these credentials in a non-terraform setting (just to make sure it's a Terraform issue and not something else)?

Most likely this is a Terraform documentation issue, credentials = "${file("../.google/credentials.json")}" only works with service account keys

The documentation says:

credentials - (Optional) Contents of the JSON file used to describe your account credentials, downloaded from Google Cloud Console. More details on retrieving this file are below

(bolding mine)

But this should be Service account credential keys and the page is more confusing by suggesting gcloud auth application-default login which will will create an oauth json file that lacks a private key.

The application-default login will work without a credentials = line, but the json file only will contain the following lines.

{
  "client_id": "<snip>.apps.googleusercontent.com",
  "client_secret": "<snip>",
  "refresh_token": "<snip>",
  "type": "authorized_user"
}

While the JSON credentials that will work with a service account, created through (API & Services -> Credentials -> Create credentials -> Service account key) will have

{
  "type": "service_account",
  "project_id": "<snip>",
  "private_key_id": "<snip>",
  "private_key": "-----BEGIN PRIVATE KEY-----
  <snip>
   \n",
  "client_email": "terraform-test-account@<snip>.iam.gserviceaccount.com",
  "client_id": "<snip>",
  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
  "token_uri": "https://accounts.google.com/o/oauth2/token",
  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/terraform-test-account%<snip>iam.gserviceaccount.com"
}

Ideally terraform would complain the second it doesn't see a "client_email" entry, or if the credentials line is intended to work with application-default credentials there is a regression. My Go abilities are too basic to suggest a specific fix at this time but both models will probably need to be supported.

I ran into the same issue but it turned out to be a permissions issue with my json file. I had made it overly restrictive and once I set it to Compute Engine default service account everything worked properly.

I ran into the same issue but it turned out to be a permissions issue with my json file. I had made it overly restrictive and once I set it to Compute Engine default service account everything worked properly.

That was the solution for as well; I encountered a similar problem. Where does the fault lie here? In GCP IAM or Terraform? Because we should be creating our own service accounts instead of using the default.

Guys, a "solution" which will most likely work for you all:

2081

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!