Problem
When using third-party or partner Terraform providers, you may encounter an error during terraform init that prevents provider installation.
Error while installing gitlabhq/gitlab v17.4.0: could not query provider registry for registry.terraform.io/gitlabhq/gitlab: failed to retrieve cryptographic signature for provider: 403 Forbidden returned from release-assets.githubusercontent.com
As of June 2025, certain third-party or partner providers may fail to download due to this issue.
Prerequisites
- This issue only affects third-party and partner Terraform providers. To identify the provider tier, refer to the HashiCorp provider documentation.
- HashiCorp-maintained (Official) providers are not impacted.
Cause
Terraform downloads third-party and partner providers from GitHub-hosted endpoints during the terraform init process. Previously, these downloads were served from the github-releases.githubusercontent.com and objects.githubusercontent.com domains.
GitHub has introduced a new download endpoint for release assets: release-assets.githubusercontent.com. This change is documented in GitHub's changelog post on release assets.
If your environment's network security policies restrict outbound access and do not have this new domain on an allowlist, the provider download will fail with a 403 Forbidden error.
Solutions
Solution 1: Allowlist the New GitHub Domain
To resolve this issue, you must update your network's firewall or proxy configuration. Contact your network or security team to add the following domain to your organization's allowlist:
https://release-assets.githubusercontent.com
Outcome
After your network team adds the domain to the allowlist, terraform init should complete successfully when using third-party or partner providers.