Additional documentation about how to easily get started with credentials in the provider.

.changelog/3740.txt

@@ -0,0 +1,3 @@
+```release-note:none
+
+```

google/config.go

@@ -746,7 +746,7 @@ func (c *Config) GetCredentials(clientScopes []string) (googleoauth.Credentials,
 
 	defaultTS, err := googleoauth.DefaultTokenSource(context.Background(), clientScopes...)
 	if err != nil {
-		return googleoauth.Credentials{}, fmt.Errorf("Error loading Default TokenSource: %s", err)
+		return googleoauth.Credentials{}, fmt.Errorf("Attempted to load application default credentials since neither `credentials` nor `access_token` was set in the provider block.  No credentials loaded. To use your gcloud credentials, run 'gcloud auth application-default login'.  Original error: %w", err)
 	}
 	return googleoauth.Credentials{
 		TokenSource: defaultTS,

website/docs/guides/getting_started.html.markdown

@@ -20,7 +20,15 @@ provider.
 
 ## Configuring the Provider
 
-First create a Terraform config file named `"main.tf"`. Inside, you'll
+First, authenticate with GCP.  The easiest way to do this is to run
+`gcloud auth application-default login`, if you already have gcloud
+installed.  If you don't already have it, gcloud can be installed with
+`apt-get install google-cloud-sdk` on Debian-based machines.  For a
+production use-case, you will want to use service account authentication,
+which you can learn about further down in this doc, but for experimenting,
+gcloud authentication will work fine.
+
+Next, create a Terraform config file named `"main.tf"`. Inside, you'll
 want to include the following configuration:
 
 ```hcl
@@ -45,7 +53,7 @@ Not all resources require a location. Some GCP resources are global and are
 automatically spread across all of GCP.
 
 -> Want to try out another location? Check out the [list of available regions and zones](https://cloud.google.com/compute/docs/regions-zones/#available).
-Instances created in zones outside the US are not part of the always free tier
+Instances created in zones outside the US are not necessarily part of the always free tier
 and could incur charges.
 
 ## Creating a VM instance
@@ -168,6 +176,11 @@ You supply the key to Terraform using the environment variable
 export GOOGLE_APPLICATION_CREDENTIALS={{path}}
 ```
 
+If you choose to use `gcloud`-generated credentials, and you encounter
+quota or billing issues which don't seem to apply to you, you may want to set
+`user_project_override` to `true` in the provider block - see the
+[provider reference](/docs/providers/google/guides/provider_reference.html) for more information.
+
 -> Remember to add this line to a startup file such as `bash_profile` or
 `bashrc` to store your credentials across sessions!
 

website/docs/guides/provider_reference.html.markdown

@@ -74,7 +74,12 @@ same configuration.
 
 * `credentials` - (Optional) Either the path to or the contents of a
 [service account key file] in JSON format. You can
-[manage key files using the Cloud Console].
+[manage key files using the Cloud Console].  If not provided, the
+application default credentials will be used.  You can configure
+Application Default Credentials on your personal machine by
+running `gcloud auth application-default login`. If
+terraform is running on a GCP machine, and this value is unset,
+it will automatically use that machine's configured service account.
 
 * `project` - (Optional) The default project to manage resources in. If another
 project is specified on a resource, it will take precedence.