Terraform google "Error validating provider credentials" (GCP) in CI
The google provider received a credential -- a key file, access token, or impersonated SA -- but Google rejected it as invalid, malformed, or expired.
What this error means
plan/apply fails validating the google provider credentials: an invalid_grant, malformed key, or expired token. Unlike a missing-ADC error, a credential was present but Google would not accept it.
Error: Error validating provider credentials: googleapi: Error 400:
Invalid grant: account not found, invalidGrant
Error: invalid character '-' looking for beginning of valueCommon causes
Malformed or truncated key
A JSON key passed through a secret that mangled newlines, or a base64 value not decoded, produces an unparseable credential.
Expired token or deleted/disabled service account
A short-lived access token has expired, or the service account was disabled or deleted, so Google returns invalid_grant.
How to fix it
Supply a clean, decoded credential
Write the key to a file with intact formatting and point the provider at it via GOOGLE_APPLICATION_CREDENTIALS, or prefer Workload Identity Federation.
echo "${GCP_SA_KEY_B64}" | base64 -d > /tmp/gcp-key.json
export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp-key.json
terraform plan -input=falseConfirm the identity is valid
- Verify the service account still exists and is enabled.
- Regenerate the key if it was deleted or rotated.
- For federation, confirm the provider attribute condition matches the CI token.
How to prevent it
- Prefer Workload Identity Federation over downloaded JSON keys.
- Base64-encode key material in secrets to preserve formatting.
- Rotate and verify service-account keys before they expire.