IAM Changes to buckets are [eventually consistent](https://cloud.google.com/storage/docs/consistency#eventually_consistent_operations) and may take upto a few minutes to take effect. Terraform will return 403 errors till it is eventually consistent.
### Running Terraform on your workstation.
If you are using terraform on your workstation, you will need to install the Google Cloud SDK and authenticate using [User Application Default
User ADCs do [expire](https://developers.google.com/identity/protocols/oauth2#expiration) and you can refresh them by running `gcloud auth application-default login`.
### Running Terraform on Google Cloud
If you are running terraform on Google Cloud, you can configure that instance or cluster to use a [Google Service
Account](https://cloud.google.com/compute/docs/authentication). This will allow Terraform to authenticate to Google Cloud without having to bake in a separate
credential/authentication file. Make sure that the scope of the VM/Cluster is set to cloud-platform.
If you are running terraform outside of Google Cloud, generate a service account key and set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to
the path of the service account key. Terraform will use that key for authentication.
### Impersonating Service Accounts
Terraform can impersonate a Google Service Account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials). A valid credential must be provided as mentioned in the earlier section and that identity must have the `roles/iam.serviceAccountTokenCreator` role on the service account you are impersonating.
are used. The provided credentials must have Storage Object Admin role on the bucket.
**Warning**: if using the Google Cloud Platform provider as well, it will
also pick up the `GOOGLE_CREDENTIALS` environment variable.
*`impersonate_service_account` - (Optional) The service account to impersonate for accessing the State Bucket.
You must have `roles/iam.serviceAccountTokenCreator` role on that account for the impersonation to succeed.
If you are using a delegation chain, you can specify that using the `impersonate_service_account_delegates` field.
Alternatively, this can be specified using the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment
variable.
*`impersonate_service_account_delegates` - (Optional) The delegation chain for an impersonating a service account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-delegated).
*`access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained
from the Google Authorization server, i.e. the `Authorization: Bearer` token
used to authenticate HTTP requests to GCP APIs. This is an alternative to
`credentials`. If both are specified, `access_token` will be used over the
`credentials` field.
*`prefix` - (Optional) GCS prefix inside the bucket. Named states for
workspaces are stored in an object called `<prefix>/<name>.tfstate`.
*`encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64
encoded 'customer supplied encryption key' used to encrypt all state. For
more information see [Customer Supplied Encryption