Problem
When attempting to execute a run within a workspace in Terraform Cloud or Terraform Enterprise that is configured to use a Dynamic Credentials trust for authentication to GCP, the apply phase of the run fails with an error message similar to this:
[ERROR] vertex "google_storage_bucket.test-bucket" error: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=REDACTED": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
╷
│ Error: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=REDACTED": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_request","error_description":"Invalid value for \"audience\". This value should be the full resource name of the Identity Provider. See https://cloud.google.com/iam/docs/reference/sts/rest/v1/TopLevel/token for the list of possible formats."}
│
│ with google_storage_bucket.test-bucket,
│ on main.tf line 11, in resource "google_storage_bucket" "test-bucket":
│ 11: resource "google_storage_bucket" "test-bucket" {
│
╵
Cause
The value configured for the TFC_GCP_WORKLOAD_PROVIDER_NAME environment variable (if using this unified environment variable), or for TFC_GCP_WORKLOAD_POOL_ID and TFC_GCP_WORKLOAD_PROVIDER_ID (if using these separate environment variables), is incorrect.
Solution
- If using the TFC_GCP_WORKLOAD_PROVIDER_NAME environment variable, the format of this value must match this syntax: projects/{project_number}/locations/global/workloadIdentityPools/{workload_identity_pool_id}/providers/{workload_identity_pool_provider_id}
  - Please remove //iam.googleapis.com/ if it's currently prepended to the value you have for this environment variable, as Terraform will prepend this to the value on its own.
- If using the individual TFC_GCP_WORKLOAD_POOL_ID and TFC_GCP_WORKLOAD_PROVIDER_ID environment variables, the values must be solely the name of each of these resources.
  - If you created the workload pool using Terraform, then the value for TFC_GCP_WORKLOAD_POOL_ID should be what you configured as the value for the workload_identity_pool_id argument of the google_iam_workload_identity_pool resource.
  - If you created the workload pool provider using Terraform, then the value for TFC_GCP_WORKLOAD_PROVIDER_ID should be what you configured as the value for the workload_identity_pool_provider_id argument of the google_iam_workload_identity_pool_provider resource.
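As an added example that is not part of the original article, the following Python pre-flight check validates the TFC_GCP_* variable values against the two formats described above: it flags the prepended //iam.googleapis.com/ host on the unified variable and rejects full resource paths where only a short ID belongs. The character classes used for pool and provider IDs, and the sample values, are assumptions.

```python
import re

# Canonical format from the Solution section: numeric project number,
# short pool ID, short provider ID. The ID character class is an assumption.
_PROVIDER_NAME_RE = re.compile(
    r"^projects/(?P<project_number>\d+)/locations/global/"
    r"workloadIdentityPools/(?P<pool_id>[a-z0-9-]+)/"
    r"providers/(?P<provider_id>[a-z0-9-]+)$"
)
_SHORT_ID_RE = re.compile(r"^[a-z0-9-]+$")
# Terraform prepends this host itself, so it must not be in the variable value.
_IAM_HOST_PREFIX = "//iam.googleapis.com/"


def check_gcp_workload_vars(env):
    """Validate the TFC_GCP_* workload identity variables of a workspace.

    Returns (provider_name, findings). provider_name is the corrected value
    for TFC_GCP_WORKLOAD_PROVIDER_NAME when the unified variable is used and
    parses; it is None for the split-variable form or on a format error.
    findings lists every problem a human should fix before the next run.
    """
    findings = []
    unified = env.get("TFC_GCP_WORKLOAD_PROVIDER_NAME")
    pool_id = env.get("TFC_GCP_WORKLOAD_POOL_ID")
    provider_id = env.get("TFC_GCP_WORKLOAD_PROVIDER_ID")

    if unified is not None:
        value = unified.strip()
        if value.startswith(_IAM_HOST_PREFIX):
            findings.append("remove the //iam.googleapis.com/ prefix; Terraform prepends it")
            value = value[len(_IAM_HOST_PREFIX):]
        if not _PROVIDER_NAME_RE.match(value):
            findings.append("TFC_GCP_WORKLOAD_PROVIDER_NAME must be projects/{project_number}/"
                            "locations/global/workloadIdentityPools/{pool}/providers/{provider}")
            return None, findings
        return value, findings

    if pool_id is None or provider_id is None:
        findings.append("set TFC_GCP_WORKLOAD_PROVIDER_NAME, or both "
                        "TFC_GCP_WORKLOAD_POOL_ID and TFC_GCP_WORKLOAD_PROVIDER_ID")
        return None, findings
    # Split form: each value must be only the short resource name, never a path.
    for key, val in (("TFC_GCP_WORKLOAD_POOL_ID", pool_id),
                     ("TFC_GCP_WORKLOAD_PROVIDER_ID", provider_id)):
        if not _SHORT_ID_RE.match(val.strip()):
            findings.append(f"{key} must be only the resource ID, not a path: {val!r}")
    return None, findings
```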