Terraform cannot authenticate with Google Cloud because Application Default Credentials (ADC) are not configured. This happens when neither explicit credentials nor access tokens are provided in the provider block.
When Terraform tries to create or manage GCP resources, it attempts to load Application Default Credentials automatically. This error occurs because no credentials are available through any of the expected authentication methods: they are not explicitly configured in the provider block, not set via the GOOGLE_APPLICATION_CREDENTIALS environment variable, and not created via 'gcloud auth application-default login'. The credential lookup then falls back to looking for a service account on the metadata server, which also fails.
This is the recommended solution for local development. Run the following command to set up Application Default Credentials:
gcloud auth application-default login
This command opens a browser window to authenticate your user account and stores credentials in ~/.config/gcloud/application_default_credentials.json. Terraform will automatically discover and use these credentials.
After authentication, configure your default GCP project:
gcloud config set project YOUR_PROJECT_ID
Replace YOUR_PROJECT_ID with your actual Google Cloud project ID. You can find this in the Google Cloud Console.
If you see a warning about missing quota project, run:
gcloud auth application-default set-quota-project YOUR_PROJECT_ID
This ensures proper quota tracking for your Terraform operations.
Once ADC is set up, your Terraform provider block can be minimal:
provider "google" {
  project = "my-gcp-project"
  region  = "us-central1"
}
Terraform automatically searches for credentials in this order: GOOGLE_APPLICATION_CREDENTIALS environment variable, ADC file created by gcloud auth application-default login, and the attached service account (if running on GCP).
For automated environments (GitHub Actions, GitLab CI, Terraform Cloud), create a service account and provide credentials:
# Create service account
gcloud iam service-accounts create terraform-bot --display-name="Terraform Bot"
# Grant necessary roles (roles/editor is a broad basic role; narrow it to what your configuration needs)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:terraform-bot@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/editor"
# Create and download key
gcloud iam service-accounts keys create key.json \
  --iam-account=terraform-bot@YOUR_PROJECT_ID.iam.gserviceaccount.com
Then set the environment variable in your CI/CD:
export GOOGLE_APPLICATION_CREDENTIALS="$(pwd)/key.json"
If using service account impersonation instead of key files:
gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL
Make sure your user account has the 'Service Account Token Creator' (roles/iam.serviceAccountTokenCreator) IAM role on the service account.
In Terraform Cloud/HCP Terraform, create an environment variable named GOOGLE_CREDENTIALS in your workspace:
1. Go to your workspace settings
2. Click 'Variables' tab
3. Add variable: GOOGLE_CREDENTIALS
4. Set value to the contents of your service account JSON key:
cat /path/to/service-account-key.json | jq -c .
5. Check the 'Sensitive' checkbox
6. Save the variable
Service account keys are a security risk if stored in version control. Prefer using service account impersonation, workload identity federation (for Kubernetes), or attaching service accounts to compute resources. On Google Cloud resources (Compute Engine, GKE, Cloud Functions), prefer using the attached service account instead of creating separate keys. For Terraform Cloud, use dynamic credentials with OIDC workload identity federation instead of static service account keys when possible.
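As an added example (not part of the original article and not Terraform's own code), the Python check below follows the credential search order listed earlier and reports which source would be picked up and whether it is a static service account key, the case the note above advises against. The function names are hypothetical, and reporting a set-but-unreadable GOOGLE_APPLICATION_CREDENTIALS path as a problem instead of skipping it is an assumption of this example.

```python
import json
import os
import sys
from pathlib import Path

# Well-known ADC path named on this page, relative to the home directory.
ADC_FILE = Path(".config/gcloud/application_default_credentials.json")


def classify(path):
    """Return the top-level "type" of a credentials JSON file, never its secrets."""
    try:
        doc = json.loads(Path(path).read_text())
    except (OSError, ValueError) as exc:
        return f"unreadable ({type(exc).__name__})"
    return doc.get("type", "unknown") if isinstance(doc, dict) else "unknown"


def resolve_adc(env, home):
    """Follow the page's search order; return (source, cred_type, static_key)."""
    explicit = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if explicit:
        # Assumption of this example: a set-but-broken path is reported, not skipped.
        kind = classify(explicit)
        return ("GOOGLE_APPLICATION_CREDENTIALS", kind, kind == "service_account")
    adc = Path(home) / ADC_FILE
    if adc.is_file():
        kind = classify(adc)
        return ("gcloud ADC file", kind, kind == "service_account")
    # Nothing local: only an attached service account (metadata server) remains.
    return ("attached service account", "metadata-server", False)


if __name__ == "__main__":
    source, kind, static_key = resolve_adc(os.environ, Path.home())
    print(f"credential source: {source} (type: {kind})")
    if static_key:
        print("warning: long-lived service account key in use", file=sys.stderr)
    sys.exit(1 if kind.startswith("unreadable") else 0)
```

Run it as a CI step before terraform plan; it prints only the credential type, so its output is safe to keep in build logs.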