Introduction
This article troubleshoots the error "Error connecting to the given credential's issuer", which may occur when using Dynamic Credentials for Google Cloud Platform (GCP) in Terraform Enterprise.
Problem
When you execute a run in a Terraform Enterprise workspace configured with Dynamic Credentials for the Google provider, the apply phase fails with the following error message:
╷
│ Error: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=REDACTED": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_grant","error_description":"Error connecting to the given credential's issuer."}
│
│ with google_storage_bucket.test-bucket,
│ on main.tf line 11,
│ in resource "google_storage_bucket" "test-bucket":
│ 11: resource "google_storage_bucket" "test-bucket" {
│
╵
Cause
This error occurs when GCP cannot verify the signed JSON Web Tokens (JWTs) it receives from Terraform Enterprise. This is typically because the static OpenID Connect (OIDC) metadata endpoints of your Terraform Enterprise installation are not publicly accessible.
Solution
To resolve this issue, you must ensure that your network configuration allows incoming communication from GCP to the following two endpoints on your Terraform Enterprise instance:
https://TFE_HOSTNAME/.well-known/openid-configuration
https://TFE_HOSTNAME/.well-known/jwks
These endpoints must be accessible from the public internet for GCP's authentication services to reach them.
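The following added example (not part of the HashiCorp article) replays the lookup GCP performs when it validates a Terraform Enterprise workload identity token: fetch the issuer's OIDC discovery document, follow its jwks_uri, and confirm the token's kid is published there. It assumes the token's iss claim is https://TFE_HOSTNAME; the sample token, metadata documents and fetchers are constructed so the check runs offline, and http_get_json can be used against a real instance.

```python
import base64, json, urllib.request
from typing import Callable, List

def http_get_json(url: str) -> dict:  # the real fetch GCP's side has to perform
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read())

def _b64url_json(segment: str) -> dict:  # decode one base64url JWT segment
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def check_issuer(token: str, fetch: Callable[[str], dict] = http_get_json) -> List[str]:
    """Replay GCP's lookup (discovery doc -> jwks_uri -> token kid); return problems found."""
    header_b64, payload_b64, _sig = token.split(".")
    kid = _b64url_json(header_b64).get("kid")
    issuer = _b64url_json(payload_b64)["iss"]  # assumed to be https://TFE_HOSTNAME
    discovery_url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    try:
        discovery = fetch(discovery_url)
    except Exception as exc:  # DNS failure, firewall drop, TLS error, non-200 ...
        return [f"cannot fetch {discovery_url}: {exc}"]
    problems = []
    if discovery.get("issuer") != issuer:
        problems.append(f"discovery issuer {discovery.get('issuer')!r} != token iss {issuer!r}")
    jwks_uri = discovery.get("jwks_uri")
    if not jwks_uri:
        return problems + ["discovery document lacks jwks_uri"]
    try:
        kids = {k.get("kid") for k in fetch(jwks_uri).get("keys", [])}
    except Exception as exc:
        return problems + [f"cannot fetch {jwks_uri}: {exc}"]
    if kid not in kids:
        problems.append(f"token kid {kid!r} not published in JWKS {sorted(kids)}")
    return problems

# Constructed sample data: a TFE-style token (placeholder signature) and the two
# metadata documents a correctly exposed TFE instance serves at those paths.
def _seg(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256", "kid": "tfe-key-1"}),
                         _seg({"iss": "https://TFE_HOSTNAME"}), "PLACEHOLDER_SIGNATURE"])
PUBLIC_DOCS = {
    "https://TFE_HOSTNAME/.well-known/openid-configuration":
        {"issuer": "https://TFE_HOSTNAME", "jwks_uri": "https://TFE_HOSTNAME/.well-known/jwks"},
    "https://TFE_HOSTNAME/.well-known/jwks": {"keys": [{"kid": "tfe-key-1", "kty": "RSA"}]},
}
def reachable_fetch(url: str) -> dict:   # TFE metadata exposed to the internet
    return PUBLIC_DOCS[url]
def firewalled_fetch(url: str) -> dict:  # GCP's request dropped by the firewall
    raise TimeoutError("connection timed out")
```

Running check_issuer with the firewalled fetcher reproduces the failure mode in this article (the discovery document cannot be retrieved), while the reachable fetcher returns no problems.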
Additional Information
For more information, refer to the documentation on TFE-specific requirements for Dynamic Credentials.