This error occurs when Terraform cannot locate GCP credentials. Fix it by setting up Application Default Credentials with gcloud auth application-default login, setting the GOOGLE_APPLICATION_CREDENTIALS environment variable, or configuring credentials in your Terraform provider block.
The Terraform Google provider requires authentication credentials to communicate with Google Cloud APIs. This error means Terraform went through the standard credential lookup process and found nothing. Terraform searches for credentials in this order: (1) The `credentials` field in the provider block, (2) The `GOOGLE_APPLICATION_CREDENTIALS` environment variable, (3) Application Default Credentials (ADC) set by `gcloud auth application-default login`, and (4) Credentials from a GCP instance's service account (only when running on GCP infrastructure). When none of these sources provide valid credentials, Terraform stops with this error. This is a safety mechanism—Terraform refuses to proceed without knowing which GCP project and identity to use for infrastructure changes.
The easiest solution for local development is to use `gcloud auth application-default login`. This authenticates using your personal Google account:

```bash
gcloud auth application-default login
```

This command will:
1. Open your browser to sign in with your Google account
2. Create an ADC JSON file in ~/.config/gcloud/application_default_credentials.json (Linux/macOS) or %APPDATA%/gcloud/application_default_credentials.json (Windows)
3. Terraform will automatically use this file
After running this command, Terraform should work without any additional configuration.
For production and CI/CD, use a dedicated service account with minimal permissions:

```bash
# Create a service account
gcloud iam service-accounts create terraform-automation --display-name="Terraform Automation"

# Grant it the necessary permissions (roles/editor is a broad role; narrow it to what your infrastructure needs)
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
  --member="serviceAccount:terraform-automation@YOUR_PROJECT_ID.iam.gserviceaccount.com" \
  --role="roles/editor"

# Create and download a key
gcloud iam service-accounts keys create terraform-key.json \
  --iam-account=terraform-automation@YOUR_PROJECT_ID.iam.gserviceaccount.com
```

Then set the environment variable:

```bash
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/terraform-key.json"
terraform plan
```

Store the key file securely (not in version control) and rotate keys regularly.
You can also pass credentials directly in your Terraform configuration:

```hcl
provider "google" {
  project     = "my-project-id"
  region      = "us-central1"
  credentials = file("./terraform-key.json")
}
```

Or use a variable for sensitive data:

```hcl
variable "gcp_credentials" {
  type        = string
  description = "GCP service account credentials (JSON)"
  sensitive   = true
}

provider "google" {
  project     = "my-project-id"
  region      = "us-central1"
  credentials = var.gcp_credentials
}
```

Then provide credentials via a .tfvars file or environment variable:
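
```bash
# Create a tfvars file (add to .gitignore!).
# Functions such as file() are not evaluated in .tfvars files, so embed the
# key contents as a JSON string in terraform.tfvars.json, which Terraform
# also loads automatically.
jq -Rs '{gcp_credentials: .}' terraform-key.json > terraform.tfvars.json

# Or pass via environment
export TF_VAR_gcp_credentials="$(jq -c . terraform-key.json)"
```

If you have a service account key file, point Terraform to it: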

```bash
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/terraform-key.json"
terraform plan
```

Make this permanent by adding it to your shell profile (.bashrc, .zshrc, etc.):

```bash
echo 'export GOOGLE_APPLICATION_CREDENTIALS="$HOME/.config/terraform/gcp-key.json"' >> ~/.bashrc
source ~/.bashrc
```

Verify it's set:

```bash
echo "$GOOGLE_APPLICATION_CREDENTIALS"
# Verify it's valid JSON: jq fails on a parse error, and printing only
# .type keeps the private key off the terminal
jq -e '.type' "$GOOGLE_APPLICATION_CREDENTIALS"
```

If running Terraform on a GCP VM, Cloud Run, or GKE cluster, use the instance's service account instead of key files:

```bash
# For GCP VMs, configure the compute instance with appropriate scopes:
gcloud compute instances create terraform-runner \
  --scopes=cloud-platform \
  --service-account=terraform-automation@YOUR_PROJECT_ID.iam.gserviceaccount.com
```

Terraform will automatically detect and use the instance's service account. No credentials file needed.
For GKE, use Workload Identity:

```bash
# Link the Kubernetes service account to the GCP service account
gcloud iam service-accounts add-iam-policy-binding \
  terraform-automation@YOUR_PROJECT_ID.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:YOUR_PROJECT_ID.svc.id.goog[default/terraform-sa]"
```

If using Terraform Cloud or HCP Terraform, configure credentials in your workspace:
1. In the Terraform Cloud console, go to your workspace
2. Navigate to Variables > Environment variables
3. Create a variable named GOOGLE_CREDENTIALS and mark it as sensitive
4. Paste the contents of your service account key JSON (as a single line, use: cat key.json | jq -c .)
Example:

```bash
# Generate a single-line version of your credentials
cat terraform-key.json | jq -c . | pbcopy # macOS
# Then paste into the GOOGLE_CREDENTIALS variable
```

Terraform Cloud will automatically set GOOGLE_APPLICATION_CREDENTIALS from this variable before running your plans.
GCP credentials follow a clear hierarchy that Terraform respects: provider block > GOOGLE_APPLICATION_CREDENTIALS > Application Default Credentials > instance service account. Understanding this order helps you debug which credential source is being used.
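One way to see which of these sources is actually present on a workstation or CI runner, as an added example that is not part of the original page or of Terraform. The function names `cred_type`, `loosely_permitted` and `gcp_cred_source` are hypothetical, and the script covers only the environment variable and the ADC file: it does not read provider blocks or query the instance metadata server.

```shell
#!/usr/bin/env bash
# Added example: report which local credential source from the lookup order
# above would be found, and flag key files readable by other users.

# Print the "type" field of a credentials JSON file (never the key material).
cred_type() {
  sed -n 's/.*"type"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeeds when group or others have any permission bit set on the file.
loosely_permitted() {
  mode=$(ls -ld "$1" | cut -c5-10)
  [ "$mode" != "------" ]
}

# Echo one line: <source>:<type>[:loose-permissions], or "none".
# Returns non-zero when no usable local source exists.
gcp_cred_source() {
  adc_file="${HOME:-}/.config/gcloud/application_default_credentials.json"
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    file="$GOOGLE_APPLICATION_CREDENTIALS"; src="env"
    # A path that is set but unreadable is reported, not silently skipped.
    if [ ! -r "$file" ]; then echo "env:unreadable"; return 1; fi
  elif [ -r "$adc_file" ]; then
    file="$adc_file"; src="adc"
  else
    echo "none"; return 1
  fi
  ctype=$(cred_type "$file")
  out="$src:${ctype:-invalid}"
  if loosely_permitted "$file"; then out="$out:loose-permissions"; fi
  echo "$out"
}

# Report for the current environment.
gcp_cred_source || true
```

A result of `env:service_account:loose-permissions` means the key file named in `GOOGLE_APPLICATION_CREDENTIALS` should be restricted with `chmod 600`; `adc:authorized_user` means Terraform would run as your personal account.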
For security best practices: Never hardcode credentials in Terraform files or commit key files to version control. Use gcloud auth application-default login for development (uses your personal account) and service accounts with minimal IAM roles for production. Consider using Workload Identity Federation instead of service account keys for long-lived credentials—it uses time-limited tokens and is more secure.
When migrating between credential types, test locally first with `terraform plan` before running `apply`. The `-json` output flag helps parse errors in CI/CD:

```bash
terraform plan -json | jq '.diagnostic | select(.severity=="error")'
```

If you see "Attempted to load application default credentials since neither credentials nor access_token was set in the provider block", it means no provider-level credentials were found and the system is falling back to checking ADC.