terraform/website/docs/language/settings/backends/gcs.html.md

---
layout: "language"
page_title: "Backend Type: gcs"
sidebar_current: "docs-backends-types-standard-gcs"
description: |-
  Terraform can store the state remotely, making it easier to version and work with in a team.
---

# gcs

**Kind: Standard (with locking)**

Stores the state as an object in a configurable prefix in a pre-existing bucket on [Google Cloud Storage](https://cloud.google.com/storage/) (GCS).
This backend also supports [state locking](/docs/language/state/locking.html). The bucket must exist prior to configuring the backend.

~> **Warning!** It is highly recommended that you enable
[Object Versioning](https://cloud.google.com/storage/docs/object-versioning)
on the GCS bucket to allow for state recovery in the case of accidental deletions and human error.

## Example Configuration

```hcl
terraform {
  backend "gcs" {
    bucket  = "tf-state-prod"
    prefix  = "terraform/state"
  }
}
```

## Data Source Configuration

```hcl
data "terraform_remote_state" "foo" {
  backend = "gcs"
  config = {
    bucket  = "terraform-state"
    prefix  = "prod"
  }
}

resource "template_file" "bar" {
  template = "${greeting}"

  vars {
    greeting = "${data.terraform_remote_state.foo.greeting}"
  }
}
```

## Authentication

IAM Changes to buckets are [eventually consistent](https://cloud.google.com/storage/docs/consistency#eventually_consistent_operations) and may take upto a few minutes to take effect. Terraform will return 403 errors till it is eventually consistent.

### Running Terraform on your workstation.

If you are using terraform on your workstation, you will need to install the Google Cloud SDK and authenticate using [User Application Default
Credentials](https://cloud.google.com/sdk/gcloud/reference/auth/application-default).

User ADCs do [expire](https://developers.google.com/identity/protocols/oauth2#expiration) and you can refresh them by running `gcloud auth application-default login`.

### Running Terraform on Google Cloud

If you are running terraform on Google Cloud, you can configure that instance or cluster to use a [Google Service
Account](https://cloud.google.com/compute/docs/authentication). This will allow Terraform to authenticate to Google Cloud without having to bake in a separate
credential/authentication file. Make sure that the scope of the VM/Cluster is set to cloud-platform.

### Running Terraform outside of Google Cloud

If you are running terraform outside of Google Cloud, generate a service account key and set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to
the path of the service account key. Terraform will use that key for authentication.

### Impersonating Service Accounts

Terraform can impersonate a Google Service Account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials). A valid credential must be provided as mentioned in the earlier section and that identity must have the `roles/iam.serviceAccountTokenCreator` role on the service account you are impersonating.

## Configuration variables

The following configuration options are supported:

 *  `bucket` - (Required) The name of the GCS bucket.  This name must be
    globally unique.  For more information, see [Bucket Naming
    Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements).
 *  `credentials` / `GOOGLE_BACKEND_CREDENTIALS` / `GOOGLE_CREDENTIALS` -
    (Optional) Local path to Google Cloud Platform account credentials in JSON
    format.  If unset, [Google Application Default
    Credentials](https://developers.google.com/identity/protocols/application-default-credentials)
    are used.  The provided credentials must have Storage Object Admin role on the bucket.
    **Warning**: if using the Google Cloud Platform provider as well, it will
    also pick up the `GOOGLE_CREDENTIALS` environment variable.
 * `impersonate_service_account` - (Optional) The service account to impersonate for accessing the State Bucket.
    You must have `roles/iam.serviceAccountTokenCreator` role on that account for the impersonation to succeed. 
    If you are using a delegation chain, you can specify that using the `impersonate_service_account_delegates` field.
    Alternatively, this can be specified using the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment
    variable.
 * `impersonate_service_account_delegates` - (Optional) The delegation chain for an impersonating a service account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-delegated).
 * `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained
   from the Google Authorization server, i.e. the `Authorization: Bearer` token
   used to authenticate HTTP requests to GCP APIs. This is an alternative to
   `credentials`. If both are specified, `access_token` will be used over the
   `credentials` field.
 *  `prefix` - (Optional) GCS prefix inside the bucket. Named states for
    workspaces are stored in an object called `<prefix>/<name>.tfstate`.
 *  `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64
    encoded 'customer supplied encryption key' used to encrypt all state. For
    more information see [Customer Supplied Encryption
    Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).
website: working on backend types 2017-02-15 19:47:30 +01:00			`---`
website: Adopt a ton of pages into the "language" layout As of this commit, that layout doesn't exist yet, but I'm isolating the one-line changes to their own commit to try and keep your eyes from glazing over. 2020-08-15 03:51:06 +02:00			`layout: "language"`
website: document backend types 2017-02-15 21:19:38 +01:00			`page_title: "Backend Type: gcs"`
			`sidebar_current: "docs-backends-types-standard-gcs"`
website: working on backend types 2017-02-15 19:47:30 +01:00			`description: \|-`
			`Terraform can store the state remotely, making it easier to version and work with in a team.`
			`---`

			`# gcs`

backend/remote-state/gcs: Document the "prefix" option. "state_dir" has been renamed to "prefix" to better fix the GCS terminology. 2017-09-11 08:25:42 +02:00			`Kind: Standard (with locking)`
website: working on backend types 2017-02-15 19:47:30 +01:00
Clear wording that bucket must pre-exist (#26276) Experienced similar issue as https://github.com/hashicorp/terraform/issues/18417 this updates the documentation so that it's more clear a storage bucket must exist prior to configuring the backend. 2020-10-22 18:35:02 +02:00			`Stores the state as an object in a configurable prefix in a pre-existing bucket on [Google Cloud Storage](https://cloud.google.com/storage/) (GCS).`
website: Language: Update links to moved pages 2021-01-15 23:13:53 +01:00			`This backend also supports [state locking](/docs/language/state/locking.html). The bucket must exist prior to configuring the backend.`
backend/gcs: Mark the unused attributes project and region as removed. These two attributes are not used since https://github.com/hashicorp/terraform/commit/aec45e696701b4aa09958b5e683831b293d6a85e. 2018-11-05 13:49:33 +01:00
			`~> Warning! It is highly recommended that you enable`
			`[Object Versioning](https://cloud.google.com/storage/docs/object-versioning)`
			`on the GCS bucket to allow for state recovery in the case of accidental deletions and human error.`
website: working on backend types 2017-02-15 19:47:30 +01:00
website: document backend types 2017-02-15 21:19:38 +01:00			`## Example Configuration`
website: working on backend types 2017-02-15 19:47:30 +01:00
Add HCL syntax highlighting for everything but providers 2017-04-05 17:29:27 +02:00			```hcl
website: document backend types 2017-02-15 21:19:38 +01:00			`terraform {`
			`backend "gcs" {`
backend/remote-state/gcs: Document the "prefix" option. "state_dir" has been renamed to "prefix" to better fix the GCS terminology. 2017-09-11 08:25:42 +02:00			`bucket = "tf-state-prod"`
			`prefix = "terraform/state"`
website: document backend types 2017-02-15 21:19:38 +01:00			`}`
			`}`
website: working on backend types 2017-02-15 19:47:30 +01:00			```

website: Label backend data source examples as "data source configuration" "Example referencing" was ambiguous and confusing, especially since these sections don't show how to reference an output in an expression. 2020-02-19 01:40:14 +01:00			`## Data Source Configuration`
website: working on backend types 2017-02-15 19:47:30 +01:00
			```hcl
			`data "terraform_remote_state" "foo" {`
Add HCL syntax highlighting for everything but providers 2017-04-05 17:29:27 +02:00			`backend = "gcs"`
website: update terraform_remote_state syntax in backend docs 2018-10-29 17:22:21 +01:00			`config = {`
backend/remote-state/gcs: Document the "prefix" option. "state_dir" has been renamed to "prefix" to better fix the GCS terminology. 2017-09-11 08:25:42 +02:00			`bucket = "terraform-state"`
			`prefix = "prod"`
Add HCL syntax highlighting for everything but providers 2017-04-05 17:29:27 +02:00			`}`
website: working on backend types 2017-02-15 19:47:30 +01:00			`}`

			`resource "template_file" "bar" {`
			`template = "${greeting}"`

			`vars {`
			`greeting = "${data.terraform_remote_state.foo.greeting}"`
			`}`
			`}`
			```

backend: Add service account impersonation to GCS Backend and update the docs (#26700) 2020-11-06 15:06:07 +01:00			`## Authentication`

			`IAM Changes to buckets are [eventually consistent](https://cloud.google.com/storage/docs/consistency#eventually_consistent_operations) and may take upto a few minutes to take effect. Terraform will return 403 errors till it is eventually consistent.`

			`### Running Terraform on your workstation.`

			`If you are using terraform on your workstation, you will need to install the Google Cloud SDK and authenticate using [User Application Default`
			`Credentials](https://cloud.google.com/sdk/gcloud/reference/auth/application-default).`

			User ADCs do [expire](https://developers.google.com/identity/protocols/oauth2#expiration) and you can refresh them by running `gcloud auth application-default login`.

			`### Running Terraform on Google Cloud`

			`If you are running terraform on Google Cloud, you can configure that instance or cluster to use a [Google Service`
			`Account](https://cloud.google.com/compute/docs/authentication). This will allow Terraform to authenticate to Google Cloud without having to bake in a separate`
			`credential/authentication file. Make sure that the scope of the VM/Cluster is set to cloud-platform.`

			`### Running Terraform outside of Google Cloud`

Update gcs.html.md Just a typo 2021-01-07 12:21:29 +01:00			If you are running terraform outside of Google Cloud, generate a service account key and set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to
backend: Add service account impersonation to GCS Backend and update the docs (#26700) 2020-11-06 15:06:07 +01:00			`the path of the service account key. Terraform will use that key for authentication.`

			`### Impersonating Service Accounts`

			Terraform can impersonate a Google Service Account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials). A valid credential must be provided as mentioned in the earlier section and that identity must have the `roles/iam.serviceAccountTokenCreator` role on the service account you are impersonating.

website: working on backend types 2017-02-15 19:47:30 +01:00			`## Configuration variables`

			`The following configuration options are supported:`

Add a backend-specific env var for the GCS backend. Right now, the only environment variable available is the same environment variable that will be picked up by the GCP provider. Users would like to be able to store state in separate projects or accounts or otherwise authenticate to the provider with a service account that doesn't have access to the state. This seems like a reasonable enough practice to me, and the solution seems straightforward--offer an environment variable that doesn't mean anything to the provider to configure the backend credentials. I've added GOOGLE_BACKEND_CREDENTIALS to manage just the backend credentials, and documented it appropriately. 2019-12-12 12:35:39 +01:00			* `bucket` - (Required) The name of the GCS bucket. This name must be
			`globally unique. For more information, see [Bucket Naming`
			`Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements).`
			* `credentials` / `GOOGLE_BACKEND_CREDENTIALS` / `GOOGLE_CREDENTIALS` -
			`(Optional) Local path to Google Cloud Platform account credentials in JSON`
			`format. If unset, [Google Application Default`
			`Credentials](https://developers.google.com/identity/protocols/application-default-credentials)`
backend: Add service account impersonation to GCS Backend and update the docs (#26700) 2020-11-06 15:06:07 +01:00			`are used. The provided credentials must have Storage Object Admin role on the bucket.`
Add a backend-specific env var for the GCS backend. Right now, the only environment variable available is the same environment variable that will be picked up by the GCP provider. Users would like to be able to store state in separate projects or accounts or otherwise authenticate to the provider with a service account that doesn't have access to the state. This seems like a reasonable enough practice to me, and the solution seems straightforward--offer an environment variable that doesn't mean anything to the provider to configure the backend credentials. I've added GOOGLE_BACKEND_CREDENTIALS to manage just the backend credentials, and documented it appropriately. 2019-12-12 12:35:39 +01:00			`Warning: if using the Google Cloud Platform provider as well, it will`
			also pick up the `GOOGLE_CREDENTIALS` environment variable.
backend: Add service account impersonation to GCS Backend and update the docs (#26700) 2020-11-06 15:06:07 +01:00			* `impersonate_service_account` - (Optional) The service account to impersonate for accessing the State Bucket.
			You must have `roles/iam.serviceAccountTokenCreator` role on that account for the impersonation to succeed.
			If you are using a delegation chain, you can specify that using the `impersonate_service_account_delegates` field.
			Alternatively, this can be specified using the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment
			`variable.`
			* `impersonate_service_account_delegates` - (Optional) The delegation chain for an impersonating a service account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-delegated).
Add a backend-specific env var for the GCS backend. Right now, the only environment variable available is the same environment variable that will be picked up by the GCP provider. Users would like to be able to store state in separate projects or accounts or otherwise authenticate to the provider with a service account that doesn't have access to the state. This seems like a reasonable enough practice to me, and the solution seems straightforward--offer an environment variable that doesn't mean anything to the provider to configure the backend credentials. I've added GOOGLE_BACKEND_CREDENTIALS to manage just the backend credentials, and documented it appropriately. 2019-12-12 12:35:39 +01:00			* `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained
			from the Google Authorization server, i.e. the `Authorization: Bearer` token
			`used to authenticate HTTP requests to GCP APIs. This is an alternative to`
			`credentials`. If both are specified, `access_token` will be used over the
			`credentials` field.
			* `prefix` - (Optional) GCS prefix inside the bucket. Named states for
			workspaces are stored in an object called `<prefix>/<name>.tfstate`.
			* `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64
			`encoded 'customer supplied encryption key' used to encrypt all state. For`
			`more information see [Customer Supplied Encryption`
			`Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).`