Merge pull request #23656 from hashicorp/paddy_gcs_backend_env_var

Add a backend-specific env var for the GCS backend.

backend/remote-state/gcs/backend.go

@@ -136,6 +136,8 @@ func (b *Backend) configure(ctx context.Context) error {
 		})
 	} else if v, ok := data.GetOk("credentials"); ok {
 		creds = v.(string)
+	} else if v := os.Getenv("GOOGLE_BACKEND_CREDENTIALS"); v != "" {
+		creds = v
 	} else {
 		creds = os.Getenv("GOOGLE_CREDENTIALS")
 	}

website/docs/backends/types/gcs.html.md

@@ -52,15 +52,27 @@ resource "template_file" "bar" {
 
 The following configuration options are supported:
 
- *  `bucket` - (Required) The name of the GCS bucket.
+ *  `bucket` - (Required) The name of the GCS bucket.  This name must be
-    This name must be globally unique.
+    globally unique.  For more information, see [Bucket Naming
-    For more information, see [Bucket Naming Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements).
+    Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements).
- *  `credentials` / `GOOGLE_CREDENTIALS` - (Optional) Local path to Google Cloud Platform account credentials in JSON format.
+ *  `credentials` / `GOOGLE_BACKEND_CREDENTIALS` / `GOOGLE_CREDENTIALS` -
-    If unset, [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials) are used.
+    (Optional) Local path to Google Cloud Platform account credentials in JSON
-    The provided credentials need to have the `devstorage.read_write` scope and `WRITER` permissions on the bucket.
+    format.  If unset, [Google Application Default
- * `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained from
+    Credentials](https://developers.google.com/identity/protocols/application-default-credentials)
-    the Google Authorization server, i.e. the `Authorization: Bearer` token used to
+    are used.  The provided credentials need to have the
-    authenticate HTTP requests to GCP APIs. This is an alternative to `credentials`. If both are specified, `access_token` will be used over the `credentials` field.
+    `devstorage.read_write` scope and `WRITER` permissions on the bucket.
- *  `prefix` - (Optional) GCS prefix inside the bucket. Named states for workspaces are stored in an object called `<prefix>/<name>.tfstate`.
+    **Warning**: if using the Google Cloud Platform provider as well, it will
- *  `path` - (Deprecated) GCS path to the state file of the default state. For backwards compatibility only, use `prefix` instead.
+    also pick up the `GOOGLE_CREDENTIALS` environment variable.
- *  `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state. For more information see [Customer Supplied Encryption Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).
+ * `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained
+   from the Google Authorization server, i.e. the `Authorization: Bearer` token
+   used to authenticate HTTP requests to GCP APIs. This is an alternative to
+   `credentials`. If both are specified, `access_token` will be used over the
+   `credentials` field.
+ *  `prefix` - (Optional) GCS prefix inside the bucket. Named states for
+    workspaces are stored in an object called `<prefix>/<name>.tfstate`.
+ *  `path` - (Deprecated) GCS path to the state file of the default state. For
+    backwards compatibility only, use `prefix` instead.
+ *  `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64
+    encoded 'customer supplied encryption key' used to encrypt all state. For
+    more information see [Customer Supplied Encryption
+    Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).