When using dynamic credentials with GCP in Terraform Enterprise, the credentials issuer endpoint is unreachable. This occurs when GCP cannot access your Terraform Enterprise OIDC metadata endpoints to verify JWT tokens.
This error occurs during the OAuth2 grant flow when GCP attempts to verify a JWT token signed by your Terraform Enterprise instance. GCP needs to reach your Terraform Enterprise's OIDC metadata endpoints (/.well-known/openid-configuration and /.well-known/jwks) to validate the token signature. If these endpoints are not publicly accessible or if there are network connectivity issues, GCP cannot complete the verification and returns this error.
Test that your Terraform Enterprise OIDC endpoints are publicly accessible from GCP:

```shell
# Replace TFE_HOSTNAME with your actual Terraform Enterprise hostname
curl -v https://TFE_HOSTNAME/.well-known/openid-configuration
curl -v https://TFE_HOSTNAME/.well-known/jwks
```

Both endpoints should return JSON responses. If you get connection timeouts or 403 errors, your network is blocking access.
Ensure that your Terraform Enterprise instance allows inbound HTTPS traffic (port 443) from GCP:
- Check your cloud provider's firewall/security group settings
- Ensure no Network ACLs are blocking access
- Verify that any WAF (Web Application Firewall) is not rejecting requests from GCP
- If using a load balancer, ensure it forwards requests to the OIDC endpoints
- Test connectivity: telnet TFE_HOSTNAME 443 should succeed
In Terraform Enterprise, OIDC endpoints are enabled by default. If you've disabled them, re-enable them:
1. Access your Terraform Enterprise admin panel
2. Navigate to Settings > OIDC Configuration
3. Ensure OIDC is enabled and the endpoint URLs are correct
4. Verify the hostname matches your TFE installation URL
If you're using HCP Terraform (cloud.terraform.io), OIDC is always enabled and no action is needed.
In the GCP Console, verify your Workload Identity Pool configuration:
1. Go to IAM & Admin > Workload Identity Federation
2. Select your Workload Identity Pool
3. Click the provider for Terraform Enterprise
4. Verify the OIDC Issuer URL matches: https://TFE_HOSTNAME
5. Check that the Attribute Mapping includes:
- google.subject → assertion.sub
- google.iam.workloadIdentityPool.resource_name
If any settings are incorrect, update them to match your Terraform Enterprise configuration.
If your Terraform Enterprise endpoints cannot be made publicly accessible, use the manual JWK upload method:
1. On your Terraform Enterprise instance, retrieve the JWK file:

```shell
curl https://TFE_HOSTNAME/.well-known/jwks > tfe_jwk.json
```

2. In GCP Console, go to IAM & Admin > Workload Identity Federation
3. Select your Workload Identity Pool and the Terraform Enterprise provider
4. Click Edit
5. Under "JWKS file path or URL", select "Upload JWKS file"
6. Upload the tfe_jwk.json file
7. Save the configuration
This workaround allows GCP to verify tokens without requiring external access to your metadata endpoints.
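As an added check that is not part of this article, the following Python script validates a fetched openid-configuration document and JWKS file against the Issuer URL configured in the Workload Identity provider, which covers both the curl test above and the JWKS you would upload manually. The host tfe.example.com and the sample key material are constructed placeholders.

```python
import json
import sys

# Constructed sample documents for a hypothetical host tfe.example.com (not real data).
SAMPLE_DISCOVERY = {
    "issuer": "https://tfe.example.com",
    "jwks_uri": "https://tfe.example.com/.well-known/jwks",
    "id_token_signing_alg_values_supported": ["RS256"],
}
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "key-1", "use": "sig", "alg": "RS256", "n": "0vx7agoebG...", "e": "AQAB"},
]}


def check_oidc_metadata(discovery: dict, jwks: dict, expected_issuer: str) -> list:
    """Return the problems found; an empty list means GCP should be able to use these documents."""
    problems = []
    issuer = discovery.get("issuer", "")
    if not issuer.startswith("https://"):
        problems.append("issuer must be an https URL; GCP will not fetch metadata over plain http")
    if issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer {issuer!r} does not match the provider's Issuer URL {expected_issuer!r}")
    jwks_uri = discovery.get("jwks_uri", "")
    if not jwks_uri.startswith(issuer.rstrip("/") + "/"):
        problems.append(f"jwks_uri {jwks_uri!r} is not under the issuer; GCP fetches keys from it")
    if "RS256" not in discovery.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 is not listed in id_token_signing_alg_values_supported")
    keys = jwks.get("keys", [])
    if not keys:
        problems.append("JWKS contains no keys; token signatures cannot be verified")
    kids = [k.get("kid") for k in keys]
    if len(set(kids)) != len(kids):
        problems.append("duplicate kid values in JWKS; key selection for a token is ambiguous")
    for i, key in enumerate(keys):
        required = ("kid", "kty") + (("n", "e") if key.get("kty") == "RSA" else ())
        missing = [f for f in required if f not in key]
        if missing:
            problems.append(f"key {i} is missing {missing}")
        if key.get("use", "sig") != "sig":
            problems.append(f"key {i} is not a signature key (use={key.get('use')!r})")
    if len(keys) > 10:
        problems.append(f"JWKS has {len(keys)} keys; TFE releases before 202407-1 fail above 10")
    return problems


if __name__ == "__main__":
    # Usage: python check_tfe_oidc.py openid-configuration.json tfe_jwk.json https://TFE_HOSTNAME
    disc = json.load(open(sys.argv[1])) if len(sys.argv) > 3 else SAMPLE_DISCOVERY
    keys = json.load(open(sys.argv[2])) if len(sys.argv) > 3 else SAMPLE_JWKS
    issuer = sys.argv[3] if len(sys.argv) > 3 else "https://tfe.example.com"
    for p in check_oidc_metadata(disc, keys, issuer) or ["no problems found"]:
        print(p)
```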
After making changes, test the connection from Terraform:

```hcl
terraform {
  cloud {
    # Required for Terraform Enterprise; without it the cloud block defaults to HCP Terraform
    hostname     = "TFE_HOSTNAME"
    organization = "YOUR_ORG"
    workspaces {
      name = "test-workspace"
    }
  }
}

provider "google" {
  project = "your-gcp-project"
}

# Simple test resource
resource "google_storage_bucket" "test" {
  name          = "test-bucket-${data.google_client_config.current.project}"
  location      = "US"
  force_destroy = true
}

data "google_client_config" "current" {}
```

Run terraform init and terraform plan. If the error persists, check the Terraform Enterprise logs for more details.
This error is specific to dynamic credentials using OIDC with GCP. It does NOT occur with service account key-based authentication.

If your Terraform Enterprise instance uses a custom or self-signed SSL certificate, GCP will not be able to verify it due to certificate validation restrictions, and you must use the manual JWK upload workaround.

For Terraform Enterprise versions before 202407-1, there was a bug where workload identity failed when more than 10 keys were generated; upgrade to version 202407-1 or later to fix this.

The error occurs because the OAuth2 implicit grant flow requires GCP to verify the JWT signature using the JWK set, and any disruption in network connectivity or certificate validation will cause this failure.