diff --git a/backend/remote-state/gcs/backend.go b/backend/remote-state/gcs/backend.go
index 4a488431c..41521bf34 100644
--- a/backend/remote-state/gcs/backend.go
+++ b/backend/remote-state/gcs/backend.go
@@ -14,6 +14,7 @@ import (
 "github.com/hashicorp/terraform/helper/pathorcontents"
 "github.com/hashicorp/terraform/helper/schema"
 "github.com/hashicorp/terraform/httpclient"
+ "golang.org/x/oauth2"
 "golang.org/x/oauth2/jwt"
 "google.golang.org/api/option"
 )
@@ -65,6 +66,15 @@ func New() backend.Backend {
 Default: "",
 },
+ "access_token": {
+ Type: schema.TypeString,
+ Optional: true,
+ DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+ "GOOGLE_OAUTH_ACCESS_TOKEN",
+ }, nil),
+ Description: "An OAuth2 token used for GCP authentication",
+ },
+
 "encryption_key": {
 Type: schema.TypeString,
 Optional: true,
@@ -116,12 +126,23 @@ func (b *Backend) configure(ctx context.Context) error {
 var opts []option.ClientOption
- creds := data.Get("credentials").(string)
- if creds == "" {
+ // Add credential source
+ var creds string
+ var tokenSource oauth2.TokenSource
+
+ if v, ok := data.GetOk("access_token"); ok {
+ tokenSource = oauth2.StaticTokenSource(&oauth2.Token{
+ AccessToken: v.(string),
+ })
+ } else if v, ok := data.GetOk("credentials"); ok {
+ creds = v.(string)
+ } else {
 creds = os.Getenv("GOOGLE_CREDENTIALS")
 }
- if creds != "" {
+ if tokenSource != nil {
+ opts = append(opts, option.WithTokenSource(tokenSource))
+ } else if creds != "" {
 var account accountFile
 // to mirror how the provider works, we accept the file path or the contents
diff --git a/website/docs/backends/types/gcs.html.md b/website/docs/backends/types/gcs.html.md
index 25d5b34c9..72226b6d3 100644
--- a/website/docs/backends/types/gcs.html.md
+++ b/website/docs/backends/types/gcs.html.md
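Review bot: The new `access_token` attribute in the `New()` schema is a bearer credential but is declared without `Sensitive: true`, so nothing marks it as secret for whatever helper/schema consumer later prints attribute values (diagnostics, debug traces); I would declare it as `"access_token": { Type: schema.TypeString, Optional: true, Sensitive: true,` and keep the rest of the block as is. Whether the backend configuration path honours the flag cannot be confirmed from this hunk, but declaring it documents intent and costs nothing. The `Description` should also name the environment variable the `DefaultFunc` reads, e.g. `Description: "An OAuth2 access token used for GCP authentication; may also be set via GOOGLE_OAUTH_ACCESS_TOKEN",`. `New()` starts before this hunk and continues past it.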
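Review bot: `oauth2.StaticTokenSource` in `configure` hands the storage client a token that is never refreshed, and the `oauth2.Token` is built without an `Expiry`, so once the (per the docs, temporary) access token expires mid-run every later request to the bucket will presumably fail with an authentication error instead of being recovered; the code should state that limitation next to the call, e.g. `// Static token: never refreshed, so an operation that outlives the token's lifetime fails once it expires.`. When both `access_token` and `credentials` are set the credentials branch is silently skipped; if the package already logs through the standard `log` package, a `log.Printf("[DEBUG] gcs backend: access_token set, ignoring credentials")` in the first branch would make the precedence visible in traces. The `// Add credential source` comment says nothing the code does not; it would be more useful as `// Credential precedence: access_token, then credentials, then GOOGLE_CREDENTIALS.`. `configure` starts before this hunk and continues past it.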
@@ -58,6 +58,9 @@ The following configuration options are supported:
 * `credentials` / `GOOGLE_CREDENTIALS` - (Optional) Local path to Google Cloud Platform account credentials in JSON format. If unset, [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials) are used. The provided credentials need to have the `devstorage.read_write` scope and `WRITER` permissions on the bucket.
+ * `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained from
+ the Google Authorization server, i.e. the `Authorization: Bearer` token used to
+ authenticate HTTP requests to GCP APIs. This is an alternative to `credentials`. If both are specified, `access_token` will be used over the `credentials` field.
 * `prefix` - (Optional) GCS prefix inside the bucket. Named states for workspaces are stored in an object called `/.tfstate`.
 * `path` - (Deprecated) GCS path to the state file of the default state. For backwards compatibility only, use `prefix` instead.
 * `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state. For more information see [Customer Supplied Encryption Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).