Skip to content
Latchkey

Terraform google "Error validating provider credentials" (GCP) in CI

The google provider received a credential -- a key file, access token, or impersonated SA -- but Google rejected it as invalid, malformed, or expired.

What this error means

plan/apply fails validating the google provider credentials: an invalid_grant, malformed key, or expired token. Unlike a missing-ADC error, a credential was present but Google would not accept it.

terraform
Error: Error validating provider credentials: googleapi: Error 400:
Invalid grant: account not found, invalidGrant

Error: invalid character '-' looking for beginning of value

Common causes

Malformed or truncated key

A JSON key passed through a secret that mangled newlines, or a base64 value not decoded, produces an unparseable credential.

Expired token or deleted/disabled service account

A short-lived access token has expired, or the service account was disabled or deleted, so Google returns invalid_grant.

How to fix it

Supply a clean, decoded credential

Write the key to a file with intact formatting and point the provider at it via GOOGLE_APPLICATION_CREDENTIALS, or prefer Workload Identity Federation.

.github/workflows/ci.yml
echo "${GCP_SA_KEY_B64}" | base64 -d > /tmp/gcp-key.json
export GOOGLE_APPLICATION_CREDENTIALS=/tmp/gcp-key.json
terraform plan -input=false

Confirm the identity is valid

  1. Verify the service account still exists and is enabled.
  2. Regenerate the key if it was deleted or rotated.
  3. For federation, confirm the provider attribute condition matches the CI token.

How to prevent it

  • Prefer Workload Identity Federation over downloaded JSON keys.
  • Base64-encode key material in secrets to preserve formatting.
  • Rotate and verify service-account keys before they expire.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →