» Google Provider Configuration Reference
Want more information about upgrading from 1.X of the provider to 2.0.0? Check out the 2.0.0 Upgrade Guide.
The google and google-beta provider blocks are used to configure the
credentials you use to authenticate with GCP, as well as a default project and
location (zone and/or region) for your resources.
» Example Usage - Basic provider blocks
provider "google" {
  credentials = "${file("account.json")}"
  project     = "my-project-id"
  region      = "us-central1"
  zone        = "us-central1-c"
}

provider "google-beta" {
  credentials = "${file("account.json")}"
  project     = "my-project-id"
  region      = "us-central1"
  zone        = "us-central1-c"
}
» Example Usage - Using beta features with google-beta
To use Google Cloud Platform features that are in beta, you need to both:
- Explicitly define a google-beta provider block
- Explicitly set the provider for your resource to google-beta.
See Provider Versions for a full reference on how to use features from different GCP API versions in the Google provider.
resource "google_compute_instance" "ga-instance" {
  provider = "google"
  # ...
}

resource "google_compute_instance" "beta-instance" {
  provider = "google-beta"
  # ...
}

provider "google-beta" {}
» Configuration Reference
The following attributes can be used to configure the provider. The quick
reference should be sufficient for most use cases, but see the full reference
if you're interested in more details. Both google and google-beta share the
same configuration.
» Quick Reference
- credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console.
- project - (Optional) The default project to manage resources in. If another project is specified on a resource, it will take precedence.
- region - (Optional) The default region to manage resources in. If another region is specified on a regional resource, it will take precedence.
- zone - (Optional) The default zone to manage resources in. Generally, this zone should be within the default region you specified. If another zone is specified on a zonal resource, it will take precedence.
- scopes - (Optional) The list of OAuth 2.0 scopes requested when generating an access token using the service account key specified in credentials.
- access_token - (Optional) A temporary OAuth 2.0 access token obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs. This is an alternative to credentials, and ignores the scopes field. If both are specified, access_token will be used over the credentials field.
» Full Reference
- credentials - (Optional) Either the path to or the contents of a service account key file in JSON format. You can manage key files using the Cloud Console. Your service account key file is used to complete a two-legged OAuth 2.0 flow to obtain access tokens to authenticate with the GCP API as needed; Terraform will use it to reauthenticate automatically when tokens expire. Alternatively, this can be specified using the GOOGLE_CREDENTIALS environment variable or any of the following, ordered by precedence:
  - GOOGLE_CREDENTIALS
  - GOOGLE_CLOUD_KEYFILE_JSON
  - GCLOUD_KEYFILE_JSON

  Using Terraform-specific service accounts to authenticate with GCP is the recommended practice when using Terraform. If no Terraform-specific credentials are specified, the provider will fall back to using Google Application Default Credentials. To use them, you can enter the path of your service account key file in the GOOGLE_APPLICATION_CREDENTIALS environment variable, or configure authentication through one of the following:
  - If you're running Terraform from a GCE instance, default credentials are automatically available. See Creating and Enabling Service Accounts for Instances for more details.
  - On your computer, you can make your Google identity available by running gcloud auth application-default login. This approach isn't recommended; some APIs are not compatible with credentials obtained through gcloud.
- project - (Optional) The default project to manage resources in. If another project is specified on a resource, it will take precedence. This can also be specified using the GOOGLE_PROJECT environment variable, or any of the following ordered by precedence.
  - GOOGLE_PROJECT
  - GOOGLE_CLOUD_PROJECT
  - GCLOUD_PROJECT
  - CLOUDSDK_CORE_PROJECT
- region - (Optional) The default region to manage resources in. If another region is specified on a regional resource, it will take precedence. Alternatively, this can be specified using the GOOGLE_REGION environment variable or any of the following ordered by precedence.
  - GOOGLE_REGION
  - GCLOUD_REGION
  - CLOUDSDK_COMPUTE_REGION
- zone - (Optional) The default zone to manage resources in. Generally, this zone should be within the default region you specified. If another zone is specified on a zonal resource, it will take precedence. Alternatively, this can be specified using the GOOGLE_ZONE environment variable or any of the following ordered by precedence.
  - GOOGLE_ZONE
  - GCLOUD_ZONE
  - CLOUDSDK_COMPUTE_ZONE
- access_token - (Optional) A temporary OAuth 2.0 access token obtained from the Google Authorization server, i.e. the Authorization: Bearer token used to authenticate HTTP requests to GCP APIs. If both are specified, access_token will be used over the credentials field. This is an alternative to credentials, and ignores the scopes field. Alternatively, this can be specified using the GOOGLE_OAUTH_ACCESS_TOKEN environment variable.

  These access tokens cannot be renewed by Terraform and thus will only work until they expire. If you anticipate Terraform needing access for longer than a token's lifetime (default 1 hour), please use a service account key with credentials instead.
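
An added example, not part of the provider or its documentation: a shell helper that reports which environment variable would supply credentials and the default project, region and zone, following the precedence lists in the Full Reference. It inspects the environment only (attributes set in a provider block are not seen), and the function names and output labels are this example's own.

```shell
#!/bin/sh
# Added example, not part of the provider: names the environment variable
# each setting would come from. Variable values are never printed.

# first_set NAME...: print the first listed variable that is set and non-empty.
first_set() {
  for name in "$@"; do
    eval "val=\${$name:-}"   # names come only from the fixed lists below
    if [ -n "$val" ]; then printf '%s\n' "$name"; return 0; fi
  done
  return 1
}

credential_source() {
  # access_token is used over credentials when both are specified.
  if [ -n "${GOOGLE_OAUTH_ACCESS_TOKEN:-}" ]; then
    echo "access_token:GOOGLE_OAUTH_ACCESS_TOKEN"; return 0
  fi
  if name=$(first_set GOOGLE_CREDENTIALS GOOGLE_CLOUD_KEYFILE_JSON GCLOUD_KEYFILE_JSON); then
    eval "val=\${$name}"
    # Heuristic (assumption of this example): key file contents contain '{',
    # a path normally does not. Inline JSON puts the private key in the environment.
    case "$val" in
      *'{'*) echo "credentials:$name:inline-json" ;;
      *)     echo "credentials:$name:path" ;;
    esac
    return 0
  fi
  # No Terraform-specific credentials: Application Default Credentials apply.
  if [ -n "${GOOGLE_APPLICATION_CREDENTIALS:-}" ]; then
    echo "adc:GOOGLE_APPLICATION_CREDENTIALS"
  else
    echo "adc:ambient"   # GCE instance credentials or gcloud application-default login
  fi
}

# default_source project|region|zone: print the variable supplying that default.
default_source() {
  case "$1" in
    project) first_set GOOGLE_PROJECT GOOGLE_CLOUD_PROJECT GCLOUD_PROJECT CLOUDSDK_CORE_PROJECT ;;
    region)  first_set GOOGLE_REGION GCLOUD_REGION CLOUDSDK_COMPUTE_REGION ;;
    zone)    first_set GOOGLE_ZONE GCLOUD_ZONE CLOUDSDK_COMPUTE_ZONE ;;
    *)       return 2 ;;
  esac
}

credential_source
```

Running this in a CI job before `terraform plan` shows whether a leftover access token or a lower-precedence key variable is the one actually in effect.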