Using GCP Workload Identity, I am not able to provision a GKE cluster with Terraform from a GitHub Action.

Here is the workflow file of my GitHub Action:

    name: Infrastructure provisions
    jobs:
      provision_gkes:
        permissions:
          contents: 'read'
          id-token: 'write'
        runs-on: 'ubuntu-latest'
    
        steps:
        - name: Checkout
          uses: actions/checkout@v2
        
        - id: auth
          uses: google-github-actions/auth@v0
          with:
            workload_identity_provider: ${{ env.IDENTITY_PROVIDER }}
            service_account: ${{ env.SERVICE_ACCOUNT }}
        
        - name: Provision gke 
          working-directory: ./gke
          run: |-
            terraform init
            terraform plan --var-file=terraform_$ENVIRONMENT.tfvars -out my_plan
            terraform apply my_plan
        

Terraform main.tf:


    terraform {
      required_providers {
        google = {
          source  = "hashicorp/google"
          version = "~> 3.43.0"
        }
        google-beta = {
          source  = "hashicorp/google-beta"
          version = "~> 3.43.0"
        }
      }
    }
    
    provider "google" {
      project = var.project
      region  = var.region
    }
    
    provider "google-beta" {
      project = var.project
      region  = var.region
    }
    
    module "gke_cluster" {
    
      name = var.cluster_name
    
      project  = var.project
      location = var.location
      network  = var.network
    // code goes on
    ...
    
    }
    
    
    resource "google_container_node_pool" "node_pool" {
      provider = google-beta
    
      name     = "private-pool"
      project  = var.project
      location = var.location
      cluster  = module.gke_cluster.name
    
    ...
    // code goes on
    }
    
    
    module "gke_service_account" {
      source = "./modules/gke-service-account"
    
      name        = var.cluster_service_account_name
      project     = var.project
      description = var.cluster_service_account_description
    }

Error received during the GitHub Action run:

    ╷
    │ Error: Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'.  Original error: google: error getting credentials using GOOGLE_APPLICATION_CREDENTIALS environment variable: unknown credential type: "external_account"
    │ 
    │   with provider["registry.terraform.io/hashicorp/google"],
    │   on main.tf line 28, in provider "google":
    │   28: provider "google" {
    │ 
    ╵

But I am able to provision other GCP components with Terraform in a similar way.

Here terraform init works fine and is able to check the backend state file in the GCS bucket, which means it is able to connect to the account. However, it seems that terraform plan encounters the problem.

It should have GCP authorization implicitly.

Any suggestion?

1 answer

Answered by sfl:

Your Google provider is likely too old; it did not support Workload Identity Federation tokens until 3.61.
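A pre-flight check for this failure mode, added here as an example and not part of the question's workflow or of the answer: it reads the credential file that google-github-actions/auth exports through GOOGLE_APPLICATION_CREDENTIALS, confirms it is an external_account (Workload Identity Federation) credential, and compares the hashicorp/google version pinned in .terraform.lock.hcl against 3.61, so the job stops before terraform plan instead of at the provider's first credential load. It assumes Terraform 0.14 or later, which writes the lock file during terraform init; the script name check_wif.sh and every sample input it writes are constructed for the example and contain no real credentials.

```shell
#!/bin/sh
# Added pre-flight check; not part of the original workflow or of the answer.
# Assumes google-github-actions/auth exported GOOGLE_APPLICATION_CREDENTIALS
# and that Terraform 0.14+ wrote .terraform.lock.hcl during `terraform init`.

# First hashicorp/google release that accepts "external_account" credentials,
# per the answer above.
MIN_GOOGLE_PROVIDER="3.61.0"

# credential_type FILE: print the "type" field of a Google credential JSON
# ("external_account" for Workload Identity Federation, "service_account" for a key file).
credential_type() {
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# provider_version_from_lock LOCKFILE: version pinned for hashicorp/google.
# The closing quote in the pattern keeps hashicorp/google-beta from matching.
provider_version_from_lock() {
  awk '/^provider "registry\.terraform\.io\/hashicorp\/google"/ { in_block = 1; next }
       in_block && /^[[:space:]]*version[[:space:]]*=/ { gsub(/"/, "", $3); print $3; exit }
       in_block && /^}/ { in_block = 0 }' "$1"
}

# version_ge A B: succeed when dotted version A is >= B (up to three numeric parts).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# check_wif_compat CREDS_FILE LOCKFILE
#   returns 0 when an external_account credential meets a provider >= 3.61,
#   1 when the pinned provider is too old (the failure in the question),
#   2 when the credential is not external_account (nothing to check).
check_wif_compat() {
  ctype=$(credential_type "$1")
  if [ "$ctype" != "external_account" ]; then
    echo "credential type is '$ctype', not external_account; skipping WIF check" >&2
    return 2
  fi
  pinned=$(provider_version_from_lock "$2")
  if [ -n "$pinned" ] && version_ge "$pinned" "$MIN_GOOGLE_PROVIDER"; then
    echo "hashicorp/google $pinned supports external_account credentials" >&2
    return 0
  fi
  echo "hashicorp/google '${pinned:-unpinned}' does not satisfy >= $MIN_GOOGLE_PROVIDER; terraform plan will fail with 'unknown credential type: \"external_account\"'" >&2
  return 1
}

# write_samples DIR: constructed inputs (no real credentials) for an offline run:
# a WIF credential config, a key-file credential, and lock files pinning the
# question's 3.43.0 and the fixed 3.61.0 (the second one lists google-beta first
# to show that only the hashicorp/google block is read).
write_samples() {
  mkdir -p "$1"
  printf '{\n  "type": "external_account",\n  "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",\n  "token_url": "https://sts.googleapis.com/v1/token"\n}\n' > "$1/wif.json"
  printf '{\n  "type": "service_account",\n  "project_id": "constructed-project"\n}\n' > "$1/sa.json"
  printf 'provider "registry.terraform.io/hashicorp/google" {\n  version     = "3.43.0"\n  constraints = "~> 3.43.0"\n}\n\nprovider "registry.terraform.io/hashicorp/google-beta" {\n  version     = "3.43.0"\n}\n' > "$1/old.lock.hcl"
  printf 'provider "registry.terraform.io/hashicorp/google-beta" {\n  version     = "3.43.0"\n}\n\nprovider "registry.terraform.io/hashicorp/google" {\n  version     = "3.61.0"\n}\n' > "$1/new.lock.hcl"
}

# CI usage: check_wif.sh CREDS_FILE LOCKFILE  (only the too-old case fails the job).
# Stand-alone demo against the constructed samples: check_wif.sh --demo
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d); write_samples "$dir"
  check_wif_compat "$dir/wif.json" "$dir/old.lock.hcl"   # fails, as the question's pin would
  check_wif_compat "$dir/wif.json" "$dir/new.lock.hcl"   # passes
  rm -rf "$dir"
elif [ $# -eq 2 ]; then
  check_wif_compat "$1" "$2"; [ $? -ne 1 ] || exit 1
fi
```

In the workflow above this would sit as a run step between terraform init and terraform plan, for example sh check_wif.sh "$GOOGLE_APPLICATION_CREDENTIALS" .terraform.lock.hcl from the ./gke working directory. A service_account key file returns 2 and is only reported, since that credential type loads fine with the older provider; the exit code 1 is reserved for the external_account plus pre-3.61 combination that produces the error in the question.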