Hey there. I'm looking to manage an existing postgres instance that lives in GCP. Everything works fine when I apply changes from a local machine, but I'm running into trouble when applying the same changes via Terraform Cloud. Specifically, running the apply from Terraform Cloud complains because it doesn't have the application default credentials.

The documentation mentions that you need to set the GOOGLE_APPLICATION_CREDENTIALS environment variable to be the path to the credentials file. However, to my knowledge, there's no way to create or store a hard drive file with Terraform Cloud, meaning there's nothing for the GOOGLE_APPLICATION_CREDENTIALS to point to.

Are there any known workarounds for situations where you're working on Terraform Cloud or don't have direct hard drive access? Thanks in advance for the help.

Terraform Version

v0.14.11

Affected Resource(s)

• postgresql_grant_role

Expected Behavior

Running terraform apply from Terraform Cloud connects to postgres in GCP.

Actual Behavior

Running terraform apply from Terraform Cloud fails to authenticate with postgres because there's no path to the Google application credentials. (Note that this is only an issue for Terraform Cloud. Everything works fine from a local machine.)

Error: Error connecting to PostgreSQL server mygcpproject:myregion:mydbinstance (scheme: gcppostgres): gcppostgres open gcppostgres://terraform:imagineapasswordhere@smygcpproject:myregion:mydbinstance:5432/postgres?fallback_application_name=Terraform+provider: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

Steps to Reproduce

1. Create a postgres instance in GCP.
2. Use the postgres provider to connect to that DB instance. It should work fine on a local machine.
3. Use the same configs on Terraform Cloud. The apply fails because there's no good way to get the application default credentials.

Important Factoids

Here's a granular list representation of the previously-mentioned context:

• There's a postgres instance that lives in Google Cloud.
• Using the postgres provider works fine on a local machine.
• Using the same Terraform code on Terraform cloud runs into an error due to lack of application default credentials.
• The documentation mentioned setting the GOOGLE_APPLICATION_CREDENTIALS environment variable. While it's possible to set the environment variable itself on Terraform Cloud, that variable still needs to point to the credentials json file. There's no way to create that file on Terraform Cloud.

References

• Does gcppostgres support IAM authentication?  #100 may be related. IAM authentication might be a possible fix to this issue.