Terragrunt: GOOGLE_CREDENTIALS no more since Terragrunt 0.19.6

Created on 11 Jul 2019  路  12Comments  路  Source: gruntwork-io/terragrunt

Hi,

We use the GOOGLE_CREDENTIALS to store the content of the credentials (not the file path)
It worked with previous version of terragrunt, but since the Terragrunt 0.19.6 it doesn't work anymore.

if we use a GOOGLE_APPLICATION_CREDENTIALS var with the file path it works, but we don't want to store the information on the CI/CD runner.

We use a simple remote state with GCS

remote_state {
  backend = "gcs"
  config = {
    bucket         = "mybucket"
    prefix         = "myprefix/with/folders"
  }
}
help wanted question
Source
picture fhusson
👍1

Most helpful comment

Hi, thanks for the response, can we have a backward compatible version with GOOGLE_CREDENTIALS ?

picture fhusson on 15 Jul 2019
👍3

All 12 comments

@robmorgan @autero1 Could you help out with this one?

brikis98 picture brikis98 on 11 Jul 2019

This is because the new GCS Remote State feature creates a GCP Client only using the default ADC behaviour whereas the Google Terraform Provider has additional behaviour for obtaining credentials before falling back to ADC.

GOOGLE_CREDENTIALS is one of the additional environment variables that the Google Terraform Provider supports, but is not part of ADC.

I also encountered this issue on my CI/CD pipeline.

Also, as a side effect of this new GCS Remote storage feature, the GCP credentials for provided to Terragrunt/Terraform now requires additional storage.buckets.get permission on the GCS bucket. I understand that this "auto-create" feature can be disabled by setting disable_init to false, but this also prevents the backend from being init. Is there way to only disable the check for the GCS bucket existence while still allowing the backend to be init?

lawliet89 picture lawliet89 on 12 Jul 2019

Hi, thanks for the response, can we have a backward compatible version with GOOGLE_CREDENTIALS ?

fhusson picture fhusson on 15 Jul 2019
👍3

Any update on this issue?

eyalzek picture eyalzek on 11 Oct 2019

hi @fhusson, @eyalzek it would be great if you could help test my PR: https://github.com/gruntwork-io/terragrunt/pull/907. Just checkout the branch and build a custom version of terragrunt: go build -o terragrunt . && ./terragrunt. Then try setting the GOOGLE_CREDENTIALS environment variable.

robmorgan picture robmorgan on 11 Oct 2019

@robmorgan I'm seeing the same error: Missing required GCS remote state configuration project.

eyalzek picture eyalzek on 12 Oct 2019

hi @eyalzek, can you share your remote_state definition? I'm assuming you built the version in my branch mirror-terraform-gcp-auth?

robmorgan picture robmorgan on 14 Oct 2019

We have used a workarround with gitlab ci/cd we have set the GOOGLE_APPLICATION_CREDENTIALS as a file variable, that way the file is only temporary on the runner.
I can try to check the patch in 2 weeks.

fhusson picture fhusson on 15 Oct 2019

@fhusson roger.

robmorgan picture robmorgan on 15 Oct 2019

Going to reopen until we have confirmation that the latest patch (released as https://github.com/gruntwork-io/terragrunt/releases/tag/v0.20.5) is working.

yorinasub17 picture yorinasub17 on 18 Oct 2019

Okay

robmorgan picture robmorgan on 21 Oct 2019

Closing this out due to inactivity. Please open a new issue if anyone still experiences problems.

yorinasub17 picture yorinasub17 on 21 Dec 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

goseeped picture goseeped  路  3Comments
zachwhaley picture zachwhaley  路  3Comments
skang0601 picture skang0601  路  4Comments
dmlemos picture dmlemos  路  3Comments
mpkerr picture mpkerr  路  3Comments