Terraform import fails when credentials aren't configured locally. Unlike other Terraform commands that run in the cloud, terraform import executes on your workstation and requires local authentication to access cloud resources.
The terraform import command establishes a connection between existing cloud resources and Terraform state. This error occurs because the import command runs locally on your machine, unlike apply or plan which execute in Terraform Cloud/Enterprise. Your local environment lacks the credentials needed to authenticate with the cloud provider API.
Check your provider block in your Terraform configuration. For Google Cloud, it should include either credentials or access_token:
terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 5.0"
    }
  }
}
provider "google" {
  project = "my-project"
  region  = "us-central1"
  # Either option:
  # credentials = file("/path/to/service-account-key.json")
  # OR
  # access_token = var.gcp_access_token
}
If credentials aren't set, continue to step 2.
For local development with Google Cloud, run:
gcloud auth application-default login
This creates local credentials that Terraform will use automatically. A browser window will open for authentication. Approve the permissions to generate the credentials file at ~/.config/gcloud/application_default_credentials.json.
If you have a service account key file (JSON), export it as an environment variable:
# On Linux/macOS
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account-key.json"
# On Windows PowerShell
$env:GOOGLE_APPLICATION_CREDENTIALS = "C:\path\to\service-account-key.json"
Verify the path is correct and the file exists:
# Prints only non-secret fields, so the private key stays off the terminal and out of scrollback
jq -r '.type, .client_email' "$GOOGLE_APPLICATION_CREDENTIALS"
Before running terraform import, define an empty resource block for the resource you're importing:
resource "google_compute_instance" "example" {
  # Empty - will be populated by import
}
This gives Terraform a place to store the imported state.
Different resource types use different ID formats. Check the provider documentation for the correct format:
# Google Compute Instance: zone/instance-name
terraform import google_compute_instance.example us-central1-a/my-instance
# Google Cloud Storage Bucket: bucket-name
terraform import google_storage_bucket.example my-bucket
# Google SQL Instance: project/instance-name
terraform import google_sql_database_instance.example my-project/my-instance
Refer to the Terraform Google Provider documentation for the specific ID format for your resource type.
After running terraform import, check that the state was updated:
terraform state show google_compute_instance.example
You should see the imported resource's attributes. If the import succeeded but attributes are missing, you may need to add them to your configuration.
If using Terraform Cloud or Terraform Enterprise, remember that terraform import always executes locally, not in the remote environment. You must set up credentials on your local workstation first.
For CI/CD pipelines, store the service account key or access token as a secure environment variable in your pipeline platform. Never commit credentials to version control.
For multi-account setups, use Terraform variables or separate provider aliases to manage different credentials for different resources.
Consider using workload identity federation (available for GCP) to avoid storing long-lived service account keys entirely.
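The two local credential sources described above can be checked in one preflight step before terraform import. This is an added example, not part of the original article or of Terraform; the function names are hypothetical, and it only covers GOOGLE_APPLICATION_CREDENTIALS and the gcloud application-default file, not credentials set in the provider block.

```shell
#!/bin/sh
# Preflight for `terraform import`: report which local Google credential
# source exists, without ever printing key material.
# Function names are illustrative (assumption), not a Terraform or gcloud API.

# Print the "type" field of a credential JSON file (e.g. service_account).
cred_type() {
    sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if group and others have no permissions on the file.
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Echo "<source> <type>" for the first usable credential, else return 1.
# Order: GOOGLE_APPLICATION_CREDENTIALS, then the gcloud ADC file.
find_gcp_credentials() {
    adc="${HOME}/.config/gcloud/application_default_credentials.json"
    if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
        f="$GOOGLE_APPLICATION_CREDENTIALS"; src="env"
        # This script treats a set-but-wrong path as an error instead of
        # quietly falling back to a different identity.
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    elif [ -r "$adc" ]; then
        f="$adc"; src="adc"
    else
        echo "no credentials: run gcloud auth application-default login" >&2
        return 1
    fi
    t="$(cred_type "$f")"
    [ -n "$t" ] || { echo "no \"type\" field in $f" >&2; return 1; }
    # Long-lived keys should be readable by the owner only.
    is_private "$f" || echo "warning: $f is accessible to group/others; chmod 600" >&2
    echo "$src $t"
}

# Usage: find_gcp_credentials && terraform import <address> <id>
```

A result of "env service_account" means a long-lived key file is in use; "adc authorized_user" means the short-lived user login created by gcloud.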