Terraform: GCS backend GOOGLE_CREDENTIALS is a path or a JSON in terraform implementation

Created on 30 Nov 2017 · 5Comments · Source: hashicorp/terraform

Hello,

I'm using terraform v0.11.0 and I'm using gcs for the state backend.

When I set a JSON in GOOGLE_CREDENTIALS I end with the following error:

terraform plan
Failed to load backend: 
Error configuring the backend "gcs": storage.NewClient() failed: dialing: cannot read credentials file: open { "type": "service_account", "project_id": "[REDACTED]", "private_key_id": "[REDACTED]", "private_key": "-----BEGIN PRIVATE KEY-----\n[REDACTED]\n-----END PRIVATE KEY-----\n", "client_email": "[REDACTED]", "client_id": "[REDACTED]", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://accounts.google.com/o/oauth2/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/[REDACTED]" }: file name too long

Please update the configuration in your Terraform files to fix this error.
If you'd like to update the configuration interactively without storing
the values in your configuration, run "terraform init".

When I set GOOGLE_CREDENTIALS to the path of a file containing the credential JSON I have the following error:

terraform plan

Error: provider.google: credentials are not valid JSON '/gcp_credentials.json': invalid character '/' looking for beginning of value

I'm reproducing this error with the following main.tf:

terraform {
  backend "gcs" {
    path="state.tfstate"
  }
}

provider "google" {
  project     = "${var.gcp_project_name}"
  region      = "${var.gcp_region_name}"
  version = "= 1.1.1"
}

It looks like this code is loading credentials as a JSON: https://github.com/hashicorp/terraform/blob/v0.11.0/state/remote/gcs.go#L66

This one is loading credentials as a path: https://github.com/hashicorp/terraform/blob/v0.11.0/backend/remote-state/gcs/backend.go#L120

According to this file, default should be "Local path to Google Cloud Platform account credentials in JSON format." : https://github.com/hashicorp/terraform/blob/55089e472d579acd2c539e1720a96c389d546fa9/website/docs/backends/types/gcs.html.md#L53

backengcs bug

Source

👍1

Most helpful comment

Fixed via #16865

jbardin on 7 Dec 2017

❤2

All 5 comments

I managed to go around the issue by:

setting GOOGLE_CREDENTIALS to the credential JSON which is the previous behaviour of gcs in terraform 0.10.7. Other behaviour is a breaking change.
setting a credential file path in the backend configuration block as following

terraform {
  backend "gcs" {
    path="workspace-state.tfstate"
    credentials="/gcp_credentials.json"
  }
}

This is making terraform to go in the following condition https://github.com/hashicorp/terraform/blob/v0.11.0/backend/remote-state/gcs/backend.go#L118 , avoiding to get in the buggy condition line 120.

jp on 30 Nov 2017

Ran into this today as well. Confirmed it's still an issue in 0.11.1. I had to downgrade to 0.10.8 as a work-around since we are exclusively using env vars to manage credentials.

greendog99 on 30 Nov 2017

👍1

Looks like https://github.com/hashicorp/terraform/commit/14263223e7d1bf447fe2182428679ffff2c7a71a#diff-e3bcf3d9f45da0a86377540a29748923 is the problematic commit.

greendog99 on 4 Dec 2017

Fixed via #16865

jbardin on 7 Dec 2017

❤2

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.