Problem
When attempting to execute a run in a Terraform Enterprise workspace that is configured with a Dynamic Credentials trust to authenticate the Google provider in your configuration code, the apply phase of the run fails with an error message similar to this:
╷
│ Error: Post "https://storage.googleapis.com/storage/v1/b?alt=json&prettyPrint=false&project=REDACTED": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/REDACTED@REDACTED.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_grant","error_description":"Error connecting to the given credential's issuer."}
│
│ with google_storage_bucket.test-bucket,
│ on main.tf line 11, in resource "google_storage_bucket" "test-bucket":
│ 11: resource "google_storage_bucket" "test-bucket" {
│
╵
Cause
The static OIDC metadata endpoints of your Terraform Enterprise installation may not be publicly accessible. GCP must fetch the issuer's discovery document and public signing keys from these endpoints to verify the JWTs it receives from Terraform Enterprise, so when it cannot reach them the token exchange is rejected with "Error connecting to the given credential's issuer."
Solution
Ensure that your network allows incoming communication from GCP to these two endpoints:
https://TFE_HOSTNAME/.well-known/openid-configuration
https://TFE_HOSTNAME/.well-known/jwks
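The following script is an added example, not part of this article or of Terraform Enterprise, for confirming that the two endpoints above respond the way GCP expects: it fetches both anonymously and checks that the discovery document's issuer and jwks_uri match the hostname and that the JWKS holds at least one complete RSA signing key. The sample responses and the host tfe.example.com are constructed, and the validation rules are the author's own assumptions about what a usable response looks like.

```python
import json
import urllib.request

# Constructed sample responses, not captured from a real TFE instance.
SAMPLE_HOST = "tfe.example.com"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://tfe.example.com",
    "jwks_uri": "https://tfe.example.com/.well-known/jwks",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
})
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "example-key-1",
     "n": "AQAB", "e": "AQAB"},  # placeholder modulus/exponent, constructed
]})


def validate_oidc_metadata(tfe_hostname, discovery_body, jwks_body):
    """Return a list of problems found in the two documents; an empty list
    means they look usable by GCP's Workload Identity token exchange."""
    problems = []
    expected_issuer = f"https://{tfe_hostname}"
    expected_jwks = f"{expected_issuer}/.well-known/jwks"
    try:
        disc = json.loads(discovery_body)
        jwks = json.loads(jwks_body)
    except json.JSONDecodeError as exc:
        # A login page or proxy error page instead of JSON is a common sign
        # that the endpoint is not anonymously reachable.
        return [f"response is not JSON: {exc}"]
    if disc.get("issuer") != expected_issuer:
        problems.append(f"issuer {disc.get('issuer')!r} != {expected_issuer!r}")
    if disc.get("jwks_uri") != expected_jwks:
        problems.append(f"jwks_uri {disc.get('jwks_uri')!r} != {expected_jwks!r}")
    keys = jwks.get("keys", [])
    if not keys:
        problems.append("JWKS contains no keys")
    for key in keys:
        if key.get("kty") != "RSA" or not all(key.get(f) for f in ("kid", "n", "e")):
            problems.append(f"JWKS entry {key.get('kid')!r} is not a complete RSA key")
    return problems


def check_tfe_endpoints(tfe_hostname, timeout=10):
    """Fetch both endpoints without credentials, as GCP does, then validate them."""
    base = f"https://{tfe_hostname}/.well-known/"
    bodies = []
    for path in ("openid-configuration", "jwks"):
        try:
            with urllib.request.urlopen(base + path, timeout=timeout) as resp:
                bodies.append(resp.read().decode())
        except OSError as exc:  # DNS, TCP, TLS and HTTP errors all land here
            return [f"cannot reach {base + path}: {exc}"]
    return validate_oidc_metadata(tfe_hostname, *bodies)
```

Run check_tfe_endpoints from a host outside your corporate network, since a clean result from inside it says nothing about whether GCP can reach the endpoints.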
Additional Information
- Link to our official documentation regarding this TFE specific requirement for the Dynamic Credentials feature: https://developer.hashicorp.com/terraform/enterprise/workspaces/dynamic-provider-credentials#tfe-specific-requirements