
Terraform doesn't support GCP "external_account_authorized_user" #34234

Closed
FabioAntunes opened this issue Nov 13, 2023 · 16 comments · Fixed by #34670
Labels
backend/gcs bug new new issue not yet triaged v1.6 Issues (primarily bugs) reported against v1.6 releases waiting-response An issue/pull request is waiting for a response from the community

Comments

@FabioAntunes

FabioAntunes commented Nov 13, 2023

Terraform Version

Terraform v1.6.3
on darwin_amd64

Terraform Configuration Files

provider "google" {
  region = "us-east1"
  project = "project-name"
}
terraform {
  backend "gcs" {
    bucket = "bucket-name"
    prefix = "state-name.tfstate"
  }
}

Debug Output

2023-11-13T17:54:31.126Z [INFO]  Terraform version: 1.6.3
2023-11-13T17:54:31.127Z [DEBUG] using github.com/hashicorp/go-tfe v1.36.0
2023-11-13T17:54:31.127Z [DEBUG] using github.com/hashicorp/hcl/v2 v2.19.1
2023-11-13T17:54:31.127Z [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2023-11-13T17:54:31.127Z [DEBUG] using github.com/zclconf/go-cty v1.14.1
2023-11-13T17:54:31.127Z [INFO]  Go runtime version: go1.21.3
2023-11-13T17:54:31.127Z [INFO]  CLI args: []string{"terraform", "init"}
2023-11-13T17:54:31.127Z [DEBUG] Attempting to open CLI config file: /Users/fabioantunes/.terraformrc
2023-11-13T17:54:31.127Z [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2023-11-13T17:54:31.128Z [INFO]  Loading CLI configuration from /Users/fabioantunes/.terraform.d/credentials.tfrc.json
2023-11-13T17:54:31.128Z [DEBUG] checking for credentials in "/Users/fabioantunes/.terraform.d/plugins"
2023-11-13T17:54:31.128Z [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2023-11-13T17:54:31.128Z [DEBUG] will search for provider plugins in /Users/fabioantunes/.terraform.d/plugins
2023-11-13T17:54:31.130Z [DEBUG] ignoring non-existing provider search directory /Users/fabioantunes/Library/Application Support/io.terraform/plugins
2023-11-13T17:54:31.130Z [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2023-11-13T17:54:31.130Z [INFO]  CLI command args: []string{"init"}

Initializing the backend...
2023-11-13T17:54:31.156Z [DEBUG] New state was assigned lineage "c7a673bd-fbc4-c147-1114-964bfdba5430"
2023-11-13T17:54:31.156Z [DEBUG] checking for provisioner in "."
2023-11-13T17:54:31.170Z [DEBUG] checking for provisioner in "/usr/local/bin"
2023-11-13T17:54:31.170Z [DEBUG] checking for provisioner in "/Users/fabioantunes/.terraform.d/plugins"
╷
│ Error: storage.NewClient() failed: dialing: unknown credential type: "external_account_authorized_user"

Expected Behavior

Terraform init should work

Actual Behavior

Terraform init fails even though the credentials are valid.

Steps to Reproduce

  1. gcloud auth login
  2. gcloud auth application-default login
     cat /Users/fabioantunes/.config/gcloud/application_default_credentials.json
     {
       "audience": "//iam.googleapis.com/locations/global/workforcePools/random/stuff/in/here/name-of-the-provider",
       "client_id": "randomnumber.apps.googleusercontent.com",
       "client_secret": "super-client-secret",
       "quota_project_id": "my-super-project",
       "refresh_token": "super-refresh-token",
       "token_info_url": "https://sts.googleapis.com/v1/introspect",
       "token_url": "https://sts.googleapis.com/v1/oauthtoken",
       "type": "external_account_authorized_user"
     }
  3. terraform init

Additional Context

I have raised this with terragrunt as well and it seems they managed to fix this by upgrading the gcp SDK
gruntwork-io/terragrunt#2775

References

No response

@FabioAntunes FabioAntunes added bug new new issue not yet triaged labels Nov 13, 2023
@crw
Collaborator

crw commented Nov 13, 2023

Thanks for this report! I'll raise it with the appropriate team. Please be aware that backend development happens fairly infrequently and is per the priorities of the team in question. Thanks again!

@FabioAntunes
Author

How can I follow the progress? Would this issue be closed when this is fixed? or do I need to keep an eye on releases?

@crw
Collaborator

crw commented Nov 14, 2023

@FabioAntunes Indeed, this issue would be closed. Before that, a PR would be opened that referenced this issue, which would also show up in the comment thread of this issue. Usually the PRs see a lot of activity, so would be worth tracking itself. If you do not see a PR reference, it is likely not yet being worked on. Thanks!

@bschaatsbergen
Member

bschaatsbergen commented Jan 2, 2024

Hey @FabioAntunes, thanks for taking the time to raise this issue. I would happily take a stab at this and see if I can get it fixed! (I'm expecting this to be a simple package bump, if not done already). cc @crw.

@bschaatsbergen
Member

bschaatsbergen commented Jan 2, 2024

@FabioAntunes could you please try a more recent release of Terraform Core, for example 1.6.4 or anything more recent?

The type external_account_authorized_user was added to the cloud.google.com/go/auth package on the 18th of October: https://github.com/googleapis/google-cloud-go/blame/d1019803ecd506e93848d6d761f41b955c00d31a/auth/internal/internaldetect/internaldetect.go#L68 by Google.

And on the 25th of October we updated the dependencies in Terraform Core, to v1.30.1 of the cloud.google.com/go/storage package. This change was released under Terraform Core 1.6.4 on the 15th of November.

@crw crw added the waiting-response An issue/pull request is waiting for a response from the community label Jan 4, 2024
@thomas-dussouillez

I still have the issue. I am using Terraform v1.6.6 on darwin_arm64 and provider hashicorp/google in version 5.11.0.
Is it supposed to be fixed?
Thank you

@bschaatsbergen
Member

bschaatsbergen commented Jan 10, 2024

@thomas-dussouillez that's odd. Allow me as soon as possible to take a look at it and see whether I can reproduce it.

@thomas-dussouillez

thomas-dussouillez commented Jan 17, 2024

Still not working for me. I notice that the Go runtime version is 1.21.5.
Here is my gcloud version:

Google Cloud SDK 459.0.0
bq 2.0.101
core 2024.01.06
gcloud-crc32c 1.0.0
gke-gcloud-auth-plugin 0.5.8
gsutil 5.27
kubectl 1.27.9

Besides that, I tested on a Linux server (otherwise I work/tested on an Apple MacBook with M2 chip) and I have the same error.
I tested with terraform installed with tfenv and direct installation from brew hashicorp tap and from binary, same error.

Here is my error DEBUG log:

2024-01-17T11:00:22.038+0100 [INFO]  Terraform version: 1.6.6
2024-01-17T11:00:22.039+0100 [DEBUG] using github.com/hashicorp/go-tfe v1.36.0
2024-01-17T11:00:22.039+0100 [DEBUG] using github.com/hashicorp/hcl/v2 v2.19.1
2024-01-17T11:00:22.039+0100 [DEBUG] using github.com/hashicorp/terraform-svchost v0.1.1
2024-01-17T11:00:22.039+0100 [DEBUG] using github.com/zclconf/go-cty v1.14.1
2024-01-17T11:00:22.039+0100 [INFO]  Go runtime version: go1.21.5
2024-01-17T11:00:22.039+0100 [INFO]  CLI args: []string{"/opt/homebrew/Cellar/tfenv/3.0.0/versions/1.6.6/terraform", "init", "-backend-config=/Users/tdussouillez/Documents/gitlab/vpg-gke/environments/test/_backend.tfconfig"}
2024-01-17T11:00:22.039+0100 [DEBUG] Attempting to open CLI config file: /Users/tdussouillez/.terraformrc
2024-01-17T11:00:22.039+0100 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2024-01-17T11:00:22.040+0100 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2024-01-17T11:00:22.040+0100 [DEBUG] ignoring non-existing provider search directory /Users/tdussouillez/.terraform.d/plugins
2024-01-17T11:00:22.040+0100 [DEBUG] ignoring non-existing provider search directory /Users/tdussouillez/Library/Application Support/io.terraform/plugins
2024-01-17T11:00:22.040+0100 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2024-01-17T11:00:22.040+0100 [INFO]  CLI command args: []string{"init", "-backend-config=/Users/tdussouillez/Documents/gitlab/vpg-gke/environments/test/_backend.tfconfig"}

Initializing the backend...
Initializing modules...
2024-01-17T11:00:22.061+0100 [DEBUG] Module installer: begin arcleaner
2024-01-17T11:00:22.063+0100 [DEBUG] Module installer: begin argocd
2024-01-17T11:00:22.065+0100 [DEBUG] Module installer: begin certs
2024-01-17T11:00:22.066+0100 [DEBUG] Module installer: begin datadog
2024-01-17T11:00:22.069+0100 [DEBUG] Module installer: begin gke
2024-01-17T11:00:22.082+0100 [DEBUG] Module installer: begin kubernetes
2024-01-17T11:00:22.083+0100 [DEBUG] Module installer: begin logging
2024-01-17T11:00:22.084+0100 [DEBUG] Module installer: begin networking
2024-01-17T11:00:22.086+0100 [DEBUG] Module installer: begin permissions
2024-01-17T11:00:22.087+0100 [DEBUG] Module installer: begin private-gateway
2024-01-17T11:00:22.088+0100 [DEBUG] Module installer: begin project
2024-01-17T11:00:22.091+0100 [DEBUG] Module installer: begin public-gateway
2024-01-17T11:00:22.092+0100 [DEBUG] Module installer: begin pubsub
2024-01-17T11:00:22.093+0100 [DEBUG] Module installer: begin pubsub-notification
2024-01-17T11:00:22.103+0100 [DEBUG] Module installer: begin sealed-secrets
2024-01-17T11:00:22.104+0100 [DEBUG] Module installer: begin static-external-ip
2024-01-17T11:00:22.105+0100 [DEBUG] Module installer: begin static-internal-ip
╷
│ Error: storage.NewClient() failed: dialing: unknown credential type: "external_account_authorized_user"
│ 
│ 
╵

@apparentlymart apparentlymart added the v1.6 Issues (primarily bugs) reported against v1.6 releases label Jan 19, 2024
@thomas-dussouillez

Hello, any update on this issue? Still not working for us and it is quite impacting :(
Thank you

@bschaatsbergen
Member

bschaatsbergen commented Feb 12, 2024

Hey, I've been stuck trying to reproduce the issue using different Google Cloud identities, both my Gmail and a federated cloud identity user - these are shown as authorized_user instead of external_account_authorized_user. Could you share some details on how you authenticated? I saw something about a "workforcePool" in your application_default_credentials.json file. Knowing more about that could really help me get this figured out! Thanks in advance!

@thomas-dussouillez

thomas-dussouillez commented Feb 12, 2024

I'm authenticating using Workforce Pool Identity (SSO configuration providing identity federation with an OIDC provider with Azure AD as identity base). I don't have a google identity but an external identity, this is why it is called external_account_authorized_user.

I authenticate using these commands:
gcloud auth login --login-config=CONFIG_FILE
gcloud auth application-default login --login-config=CONFIG_FILE

The CONFIG_FILE looks like this:

{
  "type": "external_account_authorized_user_login_config",
  "audience": "//iam.googleapis.com/locations/global/workforcePools/POOLNAME/providers/PROVIDERNAME",
  "auth_url": "https://auth.cloud.google/authorize",
  "token_url": "https://sts.googleapis.com/v1/oauthtoken",
  "token_info_url": "https://sts.googleapis.com/v1/introspect"
}

Then my application_default_credentials.json looks like this:

{
  "audience": "//iam.googleapis.com/locations/global/workforcePools/POOLNAME/providers/PROVIDERNAME",
  "client_id": "XXX.apps.googleusercontent.com",
  "client_secret": "SUPERSECRETSTRING",
  "refresh_token": "token",
  "token_info_url": "https://sts.googleapis.com/v1/introspect",
  "token_url": "https://sts.googleapis.com/v1/oauthtoken",
  "type": "external_account_authorized_user",
  "universe_domain": "googleapis.com"
}

@bschaatsbergen
Member

bschaatsbergen commented Feb 13, 2024

I believe I've identified the issue. Upon investigating, I found that our Google Cloud Storage SDK (cloud.google.com/go/storage) implementation relies on a package called golang.org/x/oauth2/google. This package introduced the external_account_authorized_user user type in version v0.12.0, which was released in September 2023. You can refer to the commit here: https://cs.opensource.google/go/x/oauth2/+/43b6a7ba1972152df70cd1e5ac7705e981df5f66.

Currently, we are using version v0.11.0 of the golang.org/x/oauth2 package.
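An added diagnostic, not code from Terraform or from anyone in this thread: a Go check that reads an application_default_credentials.json the way a credential loader does, dispatching on "type" and requiring the keys that the two documents posted above carry, and flagging the oauth2 version mismatch this thread traced the failure to. The required-field table, the Hint text and the sample file are assumptions built from the JSON shown above, with placeholder secrets.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Keys each credential "type" needs, taken from the two JSON documents posted in this thread.
var requiredFields = map[string][]string{
	"external_account_authorized_user":              {"audience", "client_id", "client_secret", "refresh_token", "token_url", "token_info_url"},
	"external_account_authorized_user_login_config": {"audience", "auth_url", "token_url", "token_info_url"},
}
// Diagnosis names keys only; secret values from the file are never copied out.
type Diagnosis struct {
	Type, Hint, Err string
	Missing         []string
}

// DiagnoseADC reads "type" first, as a credential loader does, then checks the keys that type requires.
func DiagnoseADC(raw []byte) Diagnosis {
	var doc map[string]json.RawMessage
	if err := json.Unmarshal(raw, &doc); err != nil {
		return Diagnosis{Err: "invalid JSON: " + err.Error()}
	}
	var typ string
	if err := json.Unmarshal(doc["type"], &typ); err != nil || typ == "" {
		return Diagnosis{Err: `missing "type" field`}
	}
	d := Diagnosis{Type: typ}
	fields, known := requiredFields[typ]
	if !known { // same wording the GCS backend surfaced when oauth2 v0.11.0 met the new type
		d.Err = fmt.Sprintf("unknown credential type: %q", typ)
		return d
	}
	for _, f := range fields {
		if _, present := doc[f]; !present {
			d.Missing = append(d.Missing, f)
		}
	}
	if typ == "external_account_authorized_user" { // root cause identified in this thread (assumed hint text)
		d.Hint = "needs golang.org/x/oauth2 >= v0.12.0; Terraform 1.6.x pinned v0.11.0"
	}
	return d
}
// Constructed sample with placeholder values, shaped like the redacted ADC file posted above.
const sampleADC = `{"type":"external_account_authorized_user","audience":"//iam.googleapis.com/locations/global/workforcePools/POOLNAME/providers/PROVIDERNAME",
"client_id":"XXX.apps.googleusercontent.com","client_secret":"PLACEHOLDER","refresh_token":"PLACEHOLDER","token_url":"https://sts.googleapis.com/v1/oauthtoken","token_info_url":"https://sts.googleapis.com/v1/introspect"}`

func main() { fmt.Printf("%+v\n", DiagnoseADC([]byte(sampleADC))) }
```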

@bschaatsbergen
Member

bschaatsbergen commented Feb 13, 2024

I've submitted a pull request to update the golang.org/x/oauth2 package to its latest version, specifically v0.17.0.

@FabioAntunes
Author

yeah I mentioned that when I raised the issue:

Additional Context
I have raised this with terragrunt as well and it seems they managed to fix this by upgrading the gcp SDK
gruntwork-io/terragrunt#2775

@bschaatsbergen
Member

bschaatsbergen commented Feb 13, 2024

yeah I mentioned that when I raised the issue:

Additional Context
I have raised this with terragrunt as well and it seems they managed to fix this by upgrading the gcp SDK
gruntwork-io/terragrunt#2775

@FabioAntunes after seeing your reply on gruntwork-io/terragrunt#2773 (comment), I wasn't sure whether the package upgrades actually solved your issue there?

The need for an upgrade wasn't specifically related to the Google Cloud SDK; instead, it involved updating the golang.org/x/oauth2 package, which is used to initialize the required credentials passed into the storage client. See https://github.com/hashicorp/terraform/blob/main/internal/backend/remote-state/gcs/backend.go#L148-L163 for the code that's responsible for initializing and passing the credentials into the storage client.

Your observation was quite helpful in confirming my investigation. Thanks! 👍🏼


github-actions bot commented Apr 5, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 5, 2024