Dynamic Provider Credentials and GCP Workflow Identity Federation in Terraform Cloud


We set up Dynamic Provider Credentials and GCP Workflow Identity Federation in Terraform Cloud. This works perfectly fine for Terraform runs triggered from the Terraform Cloud UI (manually or automatically); the google provider authenticates and impersonates the service account with no problem.

However, when we trigger a remote plan run from the CLI (terraform plan), the google provider fails because it cannot find credentials.

Is there any local configuration I need to apply, or are dynamic provider credentials not supported from remote plans?

The full error is shown below:

Preparing the remote plan…

To view this run in a browser, visit:
https://app.terraform.io/app/REDACTED

Waiting for the plan to start…

Terraform v1.5.2
on linux_amd64
Initializing plugins and modules…
╷
│ Error: Attempted to load application default credentials since neither credentials nor access_token was set in the provider block. No credentials loaded. To use your gcloud credentials, run ‘gcloud auth application-default login’
│
│ with provider[“Terraform Registry”],
│ on line 0:
│ (source code not available)
│
│ google: could not find default credentials. See
│ Set up Application Default Credentials  |  Authentication  |  Google Cloud for more
│ information
╵
╷
│ Error: Invalid provider configuration
│
│ Provider “Terraform Registry” requires explicit
│ configuration. Add a provider block to the root module and configure the
│ provider’s required arguments as described in the provider documentation.
│