GCS bucket creation fails when service account impersonation is performed from another service account #1997
Comments
Looks like we need to upgrade to
any update on this?
@pansarshrek faced exactly the same issue when setting up Atlantis. Was hitting the wall for a few weeks. Great if this is as simple as upgrading the impersonate package!
@denis256 Any input on this please?
Hi,
@denis256 how is your deal going?
Hi, I created this WIP PR #2052.
Hello, I'm encountering the same problem. Is there any workaround for this? Using the same set-up with a remote GCS state bucket, and the CI SA impersonating the TF SA to access the state bucket.
Fix released in https://github.com/gruntwork-io/terragrunt/releases/tag/v0.50.6
Hi,
I'm trying to use Terragrunt on GCP with a GCS based remote backend for the Terraform state. We use a setup with service account impersonation to do our deploys. We have one service account with an access key that authenticates and then impersonates a second service account that has access to the different required Google APIs.
The Terragrunt remote config looks like this:
When running Terraform we run into the following error, Terragrunt fails to auto initialize the GCS bucket:
Terragrunt and Terraform versions:
I also tested terragrunt version v0.36.0, with same result.
If we reconfigure the remote to skip bucket creation and versioning and instead create the bucket manually everything works and Terraform can access GCP using SA impersonation without any problems.
I did some digging around and it seems like a similar problem was discovered some time ago in the Terraform project (hashicorp/terraform#28139) but it has now been resolved by replacing one of the libraries (cloud.google.com/go/storage) used for communicating with GCP APIs. It looks like Terragrunt is still using the cloud.google.com/go/storage library (https://github.com/gruntwork-io/terragrunt/blob/master/go.mod#L7), so that makes me think that's the root cause of the issue I'm encountering.
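The workaround described in the issue above (skip bucket creation and versioning, create the bucket manually), written out as a Terragrunt `remote_state` block. This is an added example, not the reporter's configuration; the project, location, bucket and service account names are placeholders.

```hcl
# terragrunt.hcl (constructed example; every name below is a placeholder)
remote_state {
  backend = "gcs"

  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }

  config = {
    project  = "example-project"
    location = "europe-west1"
    bucket   = "example-tf-state" # must already exist, created manually
    prefix   = "${path_relative_to_include()}/terraform.tfstate"

    # The CI service account authenticates with its key, then impersonates
    # this account. The CI account needs roles/iam.serviceAccountTokenCreator
    # on it, and nothing else on the state bucket.
    impersonate_service_account = "terraform@example-project.iam.gserviceaccount.com"

    # Workaround from the issue: stop Terragrunt from auto-initializing the
    # bucket, which is the step that fails under impersonation.
    skip_bucket_creation   = true
    skip_bucket_versioning = true
  }
}
```

With both skip flags set, Terragrunt no longer enables object versioning on the bucket, so turn it on when creating the bucket by hand to keep state history.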