Problem
When you execute a run in an HCP Terraform or Terraform Enterprise workspace configured with Dynamic Credentials for GCP authentication, the apply fails with the following error:
[ERROR] vertex "google_storage_bucket.test-bucket" error: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=REDACTED": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
Error: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=REDACTED": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
with google_storage_bucket.test-bucket,
on main.tf line 11, in resource "google_storage_bucket" "test-bucket":
11: resource "google_storage_bucket" "test-bucket" {}
Cause
This error occurs when the value for the GCP dynamic credentials environment variables is incorrect. This can happen with either the unified environment variable (TFC_GCP_WORKLOAD_PROVIDER_NAME) or the separate environment variables (TFC_GCP_WORKLOAD_POOL_ID and TFC_GCP_WORKLOAD_PROVIDER_ID).
Solutions
Depending on which environment variables you use, select the appropriate solution.
Solution 1: Correct the Unified Environment Variable
If you are using the TFC_GCP_WORKLOAD_PROVIDER_NAME environment variable, ensure its value matches the following format exactly.
projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
Note that Terraform automatically prepends //iam.googleapis.com/ to this value. You must remove this prefix from your environment variable's value if it is present.
Solution 2: Correct the Separate Environment Variables
If you are using the individual TFC_GCP_WORKLOAD_POOL_ID and TFC_GCP_WORKLOAD_PROVIDER_ID environment variables, their values must be only the resource IDs, not the full resource names.
- TFC_GCP_WORKLOAD_POOL_ID: This value should match the workload_identity_pool_id argument from your google_iam_workload_identity_pool resource.
- TFC_GCP_WORKLOAD_PROVIDER_ID: This value should match the workload_identity_pool_provider_id argument from your google_iam_workload_identity_pool_provider resource.
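The following pre-flight check covers both solutions above. It is an added example, not HashiCorp's code, and it makes two assumptions: the unified variable must match the projects/{project_number}/locations/global/workloadIdentityPools/{pool}/providers/{provider} format without the //iam.googleapis.com/ prefix, and the separate variables must be bare IDs made of lowercase letters, digits and hyphens (the character set GCP allows for pool and provider IDs). The function names (check_provider_name, check_bare_id, check_workspace_env) and the sample variable sets are constructed for illustration; the project number and IDs are not real.

```python
import os
import re

IAM_PREFIX = "//iam.googleapis.com/"

# Format HCP Terraform expects in TFC_GCP_WORKLOAD_PROVIDER_NAME. Terraform
# prepends IAM_PREFIX itself, so the variable must not already carry it.
PROVIDER_NAME_RE = re.compile(
    r"^projects/(?P<project_number>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool_id>[a-z0-9-]+)/"
    r"providers/(?P<provider_id>[a-z0-9-]+)$"
)

# Bare pool / provider IDs: lowercase letters, digits, hyphens; never a slash
# (assumption: the character set GCP allows for these IDs).
BARE_ID_RE = re.compile(r"^[a-z0-9-]+$")


def check_provider_name(value: str) -> list:
    """Findings for TFC_GCP_WORKLOAD_PROVIDER_NAME; an empty list means it is well-formed."""
    findings = []
    if value.startswith(IAM_PREFIX):
        findings.append(
            f"remove the '{IAM_PREFIX}' prefix; Terraform prepends it automatically"
        )
        value = value[len(IAM_PREFIX):]
    if not PROVIDER_NAME_RE.fullmatch(value):
        findings.append(
            "expected projects/{project_number}/locations/global/"
            "workloadIdentityPools/{pool_id}/providers/{provider_id}"
        )
    return findings


def check_bare_id(var_name: str, value: str, segment: str) -> list:
    """Findings for TFC_GCP_WORKLOAD_POOL_ID / TFC_GCP_WORKLOAD_PROVIDER_ID.

    `segment` is the path component that precedes the ID in a full resource
    name ('workloadIdentityPools' or 'providers'); if a full name was pasted,
    the finding names the bare ID that should be used instead.
    """
    if BARE_ID_RE.fullmatch(value):
        return []
    m = re.search(rf"{segment}/([a-z0-9-]+)", value)
    hint = f"; use just '{m.group(1)}'" if m else ""
    return [f"{var_name} must be the bare resource ID, not a full resource name{hint}"]


def check_workspace_env(env: dict) -> dict:
    """Validate whichever variable style the workspace uses.

    Returns {variable_name: [findings]}; an empty dict means nothing to fix.
    """
    report = {}
    unified = "TFC_GCP_WORKLOAD_PROVIDER_NAME"
    separate = (
        ("TFC_GCP_WORKLOAD_POOL_ID", "workloadIdentityPools"),
        ("TFC_GCP_WORKLOAD_PROVIDER_ID", "providers"),
    )
    if unified in env:
        findings = check_provider_name(env[unified])
        if findings:
            report[unified] = findings
    for var, segment in separate:
        if var in env:
            findings = check_bare_id(var, env[var], segment)
            if findings:
                report[var] = findings
    if unified not in env and not any(var in env for var, _ in separate):
        report["(missing)"] = [
            f"set either {unified} or both {separate[0][0]} and {separate[1][0]}"
        ]
    return report


# Constructed sample variable sets (project number and IDs are placeholders).
BAD_UNIFIED = {
    "TFC_GCP_WORKLOAD_PROVIDER_NAME": (
        "//iam.googleapis.com/projects/123456789012/locations/global/"
        "workloadIdentityPools/hcp-tf-pool/providers/hcp-tf-provider"
    ),
}
BAD_SEPARATE = {
    "TFC_GCP_WORKLOAD_POOL_ID": (
        "projects/123456789012/locations/global/workloadIdentityPools/hcp-tf-pool"
    ),
    "TFC_GCP_WORKLOAD_PROVIDER_ID": "hcp-tf-provider",
}
GOOD_SEPARATE = {
    "TFC_GCP_WORKLOAD_POOL_ID": "hcp-tf-pool",
    "TFC_GCP_WORKLOAD_PROVIDER_ID": "hcp-tf-provider",
}

if __name__ == "__main__":
    # Check the variables of the current process, e.g. a run task's environment.
    for var, findings in check_workspace_env(dict(os.environ)).items():
        for finding in findings:
            print(f"{var}: {finding}")
```

Running this against the workspace's variable values before a run turns the generic "Invalid value for audience" STS error into a finding that names the offending variable and the exact value to set.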