Hi,
We are trying to secure a CI/CD pipeline using HashiCorp Vault with the roleset "access_token" configuration (https://www.vaultproject.io/docs/secrets/gcp#examples), and in addition we would use modules published on GCS (https://www.terraform.io/docs/language/modules/sources.html#gcs-bucket).
After some tests, it seems that the provider (https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#access_token) is taking the access token correctly on "apply", but not in the "init" phase, so it is not able to download the module using the access token.
Terraform Version
Terraform Configuration Files
Debug Output
Initializing modules...
Downloading gcs::https://www.googleapis.com/storage/v1/bucketName/module.zip for custom...
2021-08-10T13:50:06.749Z [INFO] CLI command args: []string{"init"}
2021-08-10T13:50:06.750Z [TRACE] ModuleInstaller: installing child modules for . into .terraform/modules
2021-08-10T13:50:06.750Z [DEBUG] Module installer: begin custom
2021-08-10T13:50:06.750Z [TRACE] ModuleInstaller: custom is not yet installed
2021-08-10T13:50:06.750Z [TRACE] ModuleInstaller: cleaning directory .terraform/modules/custom prior to install of custom
2021-08-10T13:50:06.750Z [TRACE] ModuleInstaller: custom address "gcs::https://www.googleapis.com/storage/v1/bucketName/module.zip" will be handled by go-getter
2021-08-10T13:50:06.750Z [DEBUG] will download "gcs::https://www.googleapis.com/storage/v1/bucketName/module.zip" to .terraform/modules/custom
2021-08-10T13:50:06.750Z [TRACE] fetching "gcs::https://www.googleapis.com/storage/v1/bucketName/module.zip" to ".terraform/modules/custom"
2021-08-10T13:50:06.781Z [TRACE] modsdir: writing modules manifest to .terraform/modules/modules.json
╷
│ Error: Failed to download module
│
│ Could not download module "custom" (test.tf:1) source code from
│ "gcs::https://www.googleapis.com/storage/v1/bucketName/module.zip": dialing: google: could not find default
│ credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
╵
Expected Behavior
Be able to download gcs modules using GOOGLE_OAUTH_ACCESS_TOKEN
Actual Behavior
The variable GOOGLE_OAUTH_ACCESS_TOKEN is not used.
Works only with a publicly available GCS module or when using GOOGLE_APPLICATION_CREDENTIALS.
Steps to Reproduce
docker run -it --entrypoint="sh" hashicorp/terraform:1.0.4
apk add --update --no-cache python3 bash curl
CLOUD_SDK_VERSION=351.0.0
wget https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${CLOUD_SDK_VERSION}-linux-x86_64.tar.gz -P / && \
  tar xzf /google-cloud-sdk-${CLOUD_SDK_VERSION}-linux-x86_64.tar.gz -C / && \
  rm /google-cloud-sdk-${CLOUD_SDK_VERSION}-linux-x86_64.tar.gz
PATH=/google-cloud-sdk/bin:$PATH
gcloud auth activate-service-account --key-file=sa-privatekey.json
export GOOGLE_OAUTH_ACCESS_TOKEN=$(gcloud auth print-access-token)
(https://cloud.google.com/sdk/gcloud/reference/auth/print-access-token)
curl -H "Content-Type: application/x-www-form-urlencoded" -d "access_token=$GOOGLE_OAUTH_ACCESS_TOKEN" https://www.googleapis.com/oauth2/v1/tokeninfo
curl -X GET -H "Authorization: Bearer $GOOGLE_OAUTH_ACCESS_TOKEN" "https://www.googleapis.com/storage/v1/b/bucketName/o/module.zip"
terraform init
Many thanks in advance for your help.
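A pre-flight script for the CI job described in this issue, added here as an example; it is not code from the issue or from Terraform. It automates the two manual checks in the reproduction steps (tokeninfo and a read against the bucket) as a fail-fast gate before `terraform init`. Assumptions: the field names of the v1 tokeninfo response (`scope`, `expires_in`, `error`, `error_description`), and a constructed sample response. The diagnosis it encodes is the one visible in the debug output: module download during `init` resolves GCS credentials through Application Default Credentials, which do not read GOOGLE_OAUTH_ACCESS_TOKEN, while the google provider honours that variable at plan/apply time.

```python
"""Pre-flight checks for a CI job that fetches Terraform modules from GCS
with a Vault-issued OAuth access token.

Added example (not code from the issue or from Terraform). Field names of
the tokeninfo response are assumed from the v1 endpoint: `scope` is a
space-separated string, `expires_in` the remaining lifetime in seconds.
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v1/tokeninfo"

# Scopes that grant object read on Cloud Storage. Any one is enough to download a
# module archive; cloud-platform is the broad one a least-privilege pipeline avoids.
STORAGE_READ_SCOPES = {
    "https://www.googleapis.com/auth/devstorage.read_only",
    "https://www.googleapis.com/auth/devstorage.read_write",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}

# Constructed sample of a healthy tokeninfo response (not a real token or client id).
SAMPLE_TOKENINFO_OK = json.dumps({
    "issued_to": "000000000000.apps.googleusercontent.com",
    "scope": "https://www.googleapis.com/auth/devstorage.read_only",
    "expires_in": 3599,
    "access_type": "offline",
})


def check_tokeninfo(body: str, min_ttl_seconds: int = 300) -> list:
    """Return a list of 'error: ...' / 'warning: ...' findings for a tokeninfo
    JSON body; an empty list means the token is fit for module download."""
    try:
        info = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"error: tokeninfo response is not JSON: {exc}"]
    if "error" in info:
        # tokeninfo answers 400 with {"error": "invalid_token", ...} for bad/expired tokens.
        return [f"error: tokeninfo rejected the token: {info.get('error_description', info['error'])}"]

    findings = []
    scopes = set(info.get("scope", "").split())
    if not scopes & STORAGE_READ_SCOPES:
        findings.append("error: token has no Cloud Storage scope; module download will be denied")
    if "https://www.googleapis.com/auth/cloud-platform" in scopes:
        findings.append("warning: token carries the broad cloud-platform scope; "
                        "prefer devstorage.read_only for module fetch")
    ttl = int(info.get("expires_in", 0))
    if ttl < min_ttl_seconds:
        findings.append(f"error: token expires in {ttl}s, below the {min_ttl_seconds}s minimum for init")
    return findings


def check_credential_sources(env: dict) -> list:
    """Report which credential each Terraform phase will find in `env`.

    `init` fetches gcs:: module sources via Application Default Credentials
    (GOOGLE_APPLICATION_CREDENTIALS, the gcloud well-known file, or the
    metadata server); the google provider additionally honours
    GOOGLE_OAUTH_ACCESS_TOKEN at plan/apply.
    """
    token = env.get("GOOGLE_OAUTH_ACCESS_TOKEN")
    adc_file = env.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not token and not adc_file:
        return ["error: neither GOOGLE_OAUTH_ACCESS_TOKEN nor GOOGLE_APPLICATION_CREDENTIALS is set"]
    if token and not adc_file:
        return ["warning: only GOOGLE_OAUTH_ACCESS_TOKEN is set: plan/apply will authenticate, "
                "but a private gcs:: module source in init falls back to ADC and fails"]
    return []


def main() -> int:
    findings = check_credential_sources(os.environ)
    token = os.environ.get("GOOGLE_OAUTH_ACCESS_TOKEN")
    if token:
        # POST the token in the body, as the issue's curl does, so it never lands in URL logs.
        data = urllib.parse.urlencode({"access_token": token}).encode()
        try:
            with urllib.request.urlopen(urllib.request.Request(TOKENINFO_URL, data=data), timeout=10) as resp:
                findings += check_tokeninfo(resp.read().decode())
        except urllib.error.HTTPError as exc:
            findings += check_tokeninfo(exc.read().decode())
    for line in findings:
        print(line, file=sys.stderr)  # the token itself is never printed
    return 1 if any(f.startswith("error") for f in findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the step immediately before `terraform init`; a non-zero exit stops the job before the token is used for anything but the tokeninfo call, and the warning for a token-only environment points at the exact failure reported above instead of the generic "could not find default credentials".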