diff --git a/backend/remote-state/gcs/backend.go b/backend/remote-state/gcs/backend.go
index 41521bf34..750be3f2f 100644
--- a/backend/remote-state/gcs/backend.go
+++ b/backend/remote-state/gcs/backend.go
@@ -136,6 +136,8 @@ func (b *Backend) configure(ctx context.Context) error {
 })
 } else if v, ok := data.GetOk("credentials"); ok {
 creds = v.(string)
+ } else if v := os.Getenv("GOOGLE_BACKEND_CREDENTIALS"); v != "" {
+ creds = v
 } else {
 creds = os.Getenv("GOOGLE_CREDENTIALS")
 }
diff --git a/website/docs/backends/types/gcs.html.md b/website/docs/backends/types/gcs.html.md
index 72226b6d3..d58c3278c 100644
--- a/website/docs/backends/types/gcs.html.md
+++ b/website/docs/backends/types/gcs.html.md
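Review bot: The added `GOOGLE_BACKEND_CREDENTIALS` branch in `configure` treats an empty value the same as unset and then falls through to `GOOGLE_CREDENTIALS`, so a backend meant to run under its own state-bucket identity can silently end up using the credentials shared with the provider, and nothing at this site records that order. I would add a comment above the chain, for example `// Precedence: "credentials" attribute, then GOOGLE_BACKEND_CREDENTIALS, then GOOGLE_CREDENTIALS (shared with the provider); an empty value counts as unset.` The documentation hunk in this commit lists the three names but does not say which one wins, so the same sentence would be useful there. No test for the new precedence is visible in this diff; a case with both variables set would pin the behaviour. The body of `configure` starts and ends outside the hunk.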
@@ -52,15 +52,27 @@ resource "template_file" "bar" { The following configuration options are supported: - * `bucket` - (Required) The name of the GCS bucket. - This name must be globally unique. - For more information, see [Bucket Naming Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements). - * `credentials` / `GOOGLE_CREDENTIALS` - (Optional) Local path to Google Cloud Platform account credentials in JSON format. - If unset, [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials) are used. - The provided credentials need to have the `devstorage.read_write` scope and `WRITER` permissions on the bucket. - * `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained from - the Google Authorization server, i.e. the `Authorization: Bearer` token used to - authenticate HTTP requests to GCP APIs. This is an alternative to `credentials`. If both are specified, `access_token` will be used over the `credentials` field. - * `prefix` - (Optional) GCS prefix inside the bucket. Named states for workspaces are stored in an object called `/.tfstate`. - * `path` - (Deprecated) GCS path to the state file of the default state. For backwards compatibility only, use `prefix` instead. - * `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64 encoded 'customer supplied encryption key' used to encrypt all state. For more information see [Customer Supplied Encryption Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied). + * `bucket` - (Required) The name of the GCS bucket. This name must be + globally unique. For more information, see [Bucket Naming + Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements). + * `credentials` / `GOOGLE_BACKEND_CREDENTIALS` / `GOOGLE_CREDENTIALS` - + (Optional) Local path to Google Cloud Platform account credentials in JSON + format. 
If unset, [Google Application Default + Credentials](https://developers.google.com/identity/protocols/application-default-credentials) + are used. The provided credentials need to have the + `devstorage.read_write` scope and `WRITER` permissions on the bucket. + **Warning**: if using the Google Cloud Platform provider as well, it will + also pick up the `GOOGLE_CREDENTIALS` environment variable. + * `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained + from the Google Authorization server, i.e. the `Authorization: Bearer` token + used to authenticate HTTP requests to GCP APIs. This is an alternative to + `credentials`. If both are specified, `access_token` will be used over the + `credentials` field. + * `prefix` - (Optional) GCS prefix inside the bucket. Named states for + workspaces are stored in an object called `/.tfstate`. + * `path` - (Deprecated) GCS path to the state file of the default state. For + backwards compatibility only, use `prefix` instead. + * `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64 + encoded 'customer supplied encryption key' used to encrypt all state. For + more information see [Customer Supplied Encryption + Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).