Introduction
Problem
When using third-party or partner Terraform providers, you may encounter the following error:
Error while installing gitlabhq/gitlab v17.4.0: could not query provider registry for registry.terraform.io/gitlabhq/gitlab: failed to retrieve cryptographic signature for provider: 403 Forbidden returned from release-assets.githubusercontent.com
As of June 2025, certain third-party or partner providers may fail to download due to this issue.
Prerequisites
- This issue only affects third-party and partner Terraform providers. To identify the provider tier in question you can review HashiCorp provider documentation
- Hashicorp-maintained (official) providers are not impacted.
Cause
Terraform downloads third-party/partner providers from GitHub-hosted endpoints over the public internet during the terraform init process.
Previously, these downloads were served from:
https://github-releases.githubusercontent.com/*https://objects.githubusercontent.com/*
However, GitHub has recently introduced a new download endpoint for release assets:
https://release-assets.githubusercontent.com
This change affects how some Terraform providers are downloaded. If your environment restricts outbound access and blocks this new domain, the download will fail, resulting in errors like the one shown above.
There has been a change on Github related to release assets as can be found here
Solutions:
To resolve the issue:
- You will need to reach your network or security team.
- Request that the following domain be added to your allowlist/firewall exceptions:
https://release-assets.githubusercontent.com
Outcome
Once this domain is accessible, terraform init should complete successfully when using third-party or partner providers.