Terraform GCP Error – Could not find default credentials
This post captures a couple of errors you might encounter getting started with terraform and GCP.
Typical Steps to getting started
Are you going to be performing actions on GCP using a Service account or using your human user credentials?
Say you took the service-account approach: you created a custom service account for use with your project (and granted the SA a Project Owner or Editor role) and downloaded its JSON key. You would think you are all set to execute Terraform against the project defined in the JSON key, since the service account is the 'owner' on the project.
You would be wrong.
You would encounter this error on your terraform init:
Error: google: could not find default credentials.
for more information.
on line 0:
(source code not available)
What's the issue?
The credentials that Terraform is complaining about are NOT the service account credentials (which you've already granted ownership of the project to, and which you have since downloaded and placed in an accessible JSON file, such as 'credentials.json').
The credentials that Terraform is complaining about are the HUMAN IDENTITY (Cloud IAM user) through which you INTERACT with GCP. That is, the default Gmail (G Suite) or Cloud Identity account that Terraform is looking for.
- Basically, the human user is the identity that needs access to a resource (the service account).
- Access to the PROJECT. Here, the identity is your service account, which has project-level Editor or Owner. Treating this SA as a 'resource', you simply grant the human user the Service Account User (serviceAccountUser) role on this resource.
- The Human User is what logs on to GCP (via gcloud or via cloud shell). To get this human user access to GCP, one needs the Cloud SDK (see below).
The Quick Fix
The quick fix is to install the Google Cloud SDK on your development desktop. On Windows, open a PowerShell prompt and run these two commands (the download and the installer launch are separate statements; running them joined on one line with & is a PowerShell parse error):
(New-Object Net.WebClient).DownloadFile("https://dl.google.com/dl/cloudsdk/channels/rapid/GoogleCloudSDKInstaller.exe", "$env:Temp\GoogleCloudSDKInstaller.exe")
& $env:Temp\GoogleCloudSDKInstaller.exe
Once installed, run the following gcloud commands:
- gcloud init - this will prompt you to use an existing gmail account or a different one.
- gcloud auth application-default login - this command generates an ADC (Application Default Credentials) JSON file based on your user (IAM user) account and stores it in a location where the SDK (and Terraform's google provider) can find it automatically.
You should also receive a 'security alert' email from Google:
Google Auth Library was granted access to your Google Account <your account email>
What if you need to switch your gmail identities? Or to do this from another PC?
You need this command to re-prompt a login, which lets you switch gmail identities: gcloud auth application-default login
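Because the error above comes from the google provider falling back to Application Default Credentials, it helps to know, before running terraform init, which file it will pick up and whether that file is a human ADC file or a downloaded service-account key. The following POSIX shell preflight script is an added example, not code from the original post. It assumes the SDK's default ADC locations ($HOME/.config/gcloud, or $APPDATA\gcloud on Windows, overridable with CLOUDSDK_CONFIG), the GOOGLE_APPLICATION_CREDENTIALS variable the provider honours, and the "type" field ("authorized_user" for a user ADC file, "service_account" for a key) that those JSON files carry.

```shell
#!/bin/sh
# adc_check.sh - preflight check for Application Default Credentials.
# Added example; paths and JSON field names are assumptions based on the
# gcloud SDK defaults, not something the original post states.

# adc_path: print the credential file the google provider will fall back to.
# GOOGLE_APPLICATION_CREDENTIALS wins; otherwise the gcloud user ADC file.
adc_path() {
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    printf '%s\n' "$GOOGLE_APPLICATION_CREDENTIALS"
  elif [ -n "${APPDATA:-}" ]; then
    printf '%s\n' "$APPDATA/gcloud/application_default_credentials.json"
  else
    printf '%s\n' "${CLOUDSDK_CONFIG:-$HOME/.config/gcloud}/application_default_credentials.json"
  fi
}

# adc_kind: classify a credential file by its "type" field.
# Prints one of: missing, authorized_user, service_account, unknown.
adc_kind() {
  f="$1"
  [ -r "$f" ] || { echo missing; return; }
  # Strip whitespace so the match does not depend on JSON formatting.
  case "$(tr -d ' \n\r\t' < "$f")" in
    *'"type":"authorized_user"'*) echo authorized_user ;;
    *'"type":"service_account"'*) echo service_account ;;
    *) echo unknown ;;
  esac
}

# adc_advice: map the kind to the action a Terraform user needs to take.
adc_advice() {
  case "$1" in
    missing)         echo "run: gcloud auth application-default login" ;;
    authorized_user) echo "ok: human ADC present; this user still needs serviceAccountUser on any SA it will use" ;;
    service_account) echo "ok: service-account key; Terraform will authenticate as that SA" ;;
    *)               echo "unrecognised credential file; check its contents" ;;
  esac
}

# Stand-alone use: `sh adc_check.sh check` prints the verdict and exits 1
# when no credential file is present, so it can gate `terraform init`.
if [ "${1:-}" = check ]; then
  file=$(adc_path)
  kind=$(adc_kind "$file")
  echo "$file: $kind"
  adc_advice "$kind"
  [ "$kind" != missing ]
fi
```

Run it as `sh adc_check.sh check && terraform init` from the same shell you will run Terraform in, so that any GOOGLE_APPLICATION_CREDENTIALS or CLOUDSDK_CONFIG setting is the one the provider will see.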
Another possible error - 'Callers must accept terms of service...'
When you try to create a new project (gcloud projects create myprojectname), you may encounter this error. This happens if the G Suite account is one which HASN'T created any projects in the past.
The Quick Fix - for 'callers must accept terms of service...'
Log into the console with the same G Suite account and create a project by selecting 'select a project' (and then 'Create a Project'). This will prompt the terms of service agreement, and you may carry on after agreeing to the terms of service.
That's it. Those are two of the more common errors that GCP and Terraform users encounter when getting started.
Happy Terraforming!
Some roles your gmail identity may need on GCP for successfully creating Terraform resources
- iam.serviceAccounts.actAs permission for your project - e.g. 'projects/my-awesome-project'
- If you plan to use the default Compute Engine SA, you would need to be granted the serviceAccountUser role for that SA. Ask a project owner to grant you the iam.serviceAccountUser role on the service account.
- If you will be creating your own SAs and assigning roles to them:
  - resourcemanager.projects.getIamPolicy on my-awesome-project
  - resourcemanager.projects.setIamPolicy on the same project
  - iam.roles.list on the same project