Related ticket: https://github.com/google-github-actions/auth/issues/17

The `auth` GitHub Action from Google allows us to federate identity to a GCP service account without having to export account credentials. Currently this does not work with the terraform GCS backend. Raw `gcloud` works fine.

### Terraform Version

```
1.0.7
Go runtime version: go1.16.4
```

### Terraform Configuration Files

```terraform
terraform {
  backend "gcs" {
    bucket = "foo"
  }
}
```

### Debug Output

### Crash Output

<!-- If the console output indicates that Terraform crashed, please share a link to a GitHub Gist containing the output of the `crash.log` file. -->

### Expected Behavior

Terraform GCS backend working as usual.

### Actual Behavior

```
Error: Failed to get existing workspaces: querying Cloud Storage failed: Get "https://storage.googleapis.com/storage/v1/b/xxx-terraform-state/o?alt=json&delimiter=%2F&pageToken=&prefix=terraform%2Fstate%2F&prettyPrint=false&projection=full&versions=false": oauth2/google: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/terraform@xxx.iam.gserviceaccount.com:generateAccessToken": oauth2/google: status code 400: {"error":"invalid_target","error_description":"The target service indicated by the \"audience\" parameters is invalid. This might either be because the pool or provider is disabled or deleted or because it doesn't exist."}
```

### Steps to Reproduce

Create a GitHub Action:

```yaml
jobs:
  test:
    permissions:
      contents: read
      id-token: 'write'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0.3.0
        with:
          workload_identity_provider: projects/xxx/locations/global/workloadIdentityPools/main-pool/providers/github
          service_account: terraform@xxx.iam.gserviceaccount.com
          create_credentials_file: true
          activate_credentials_file: true
      - name: Terraform Init
        run: terraform init
```
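The error above names the `audience` and the `generateAccessToken` impersonation call, both of which come from the `external_account` credentials file that the auth step writes. The following pre-flight check of that file is an added example, not part of the original issue or of either project's code, and it is not a diagnosis of this report; the function name, the sample file contents and the `example-project` values are constructed for illustration.

```python
import json
import re

# Documented shape of a workload identity provider audience and of the
# service account impersonation endpoint used by external_account credentials.
AUDIENCE_RE = re.compile(
    r"^//iam\.googleapis\.com/projects/(?P<project>[^/]+)/locations/global"
    r"/workloadIdentityPools/(?P<pool>[^/]+)/providers/(?P<provider>[^/]+)$"
)
IMPERSONATION_RE = re.compile(
    r"^https://iamcredentials\.googleapis\.com/v1/projects/-/serviceAccounts/"
    r"(?P<sa>[^/:]+):generateAccessToken$"
)


def check_external_account(raw: str, expected_sa: str) -> list:
    """Return findings for an external_account credentials file (empty = clean)."""
    cfg = json.loads(raw)
    if cfg.get("type") != "external_account":
        return ["type is %r, not external_account" % cfg.get("type")]
    findings = []
    aud = AUDIENCE_RE.match(cfg.get("audience", ""))
    if aud is None:
        findings.append("audience is not a full pool/provider resource name")
    elif not aud.group("project").isdigit():
        findings.append("audience names project %r; a numeric project number is expected"
                        % aud.group("project"))
    imp = IMPERSONATION_RE.match(cfg.get("service_account_impersonation_url", ""))
    if imp is None:
        findings.append("impersonation URL is missing or malformed")
    elif imp.group("sa") != expected_sa:
        findings.append("impersonation targets %r, expected %r" % (imp.group("sa"), expected_sa))
    if cfg.get("token_url") != "https://sts.googleapis.com/v1/token":
        findings.append("token_url is not the default Google STS endpoint")
    return findings


# Constructed sample (not from the issue): placeholder project, pool and account.
SAMPLE = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/example-project/locations/global"
                "/workloadIdentityPools/main-pool/providers/github",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url":
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "terraform@example-project.iam.gserviceaccount.com:generateAccessToken",
})

if __name__ == "__main__":
    for finding in check_external_account(SAMPLE, "terraform@example-project.iam.gserviceaccount.com"):
        print("FINDING:", finding)
```

Run it in a workflow step between the auth step and `terraform init`, passing the contents of the generated credentials file, to see which audience and impersonation target the Go client will send.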