github.com/muratcelep/terraform@v1.1.0-beta2-not-internal-4/website/docs/language/settings/backends/gcs.html.md (about) 1 --- 2 layout: "language" 3 page_title: "Backend Type: gcs" 4 sidebar_current: "docs-backends-types-standard-gcs" 5 description: |- 6 Terraform can store the state remotely, making it easier to version and work with in a team. 7 --- 8 9 # gcs 10 11 **Kind: Standard (with locking)** 12 13 Stores the state as an object in a configurable prefix in a pre-existing bucket on [Google Cloud Storage](https://cloud.google.com/storage/) (GCS). 14 This backend also supports [state locking](/docs/language/state/locking.html). The bucket must exist prior to configuring the backend. 15 16 ~> **Warning!** It is highly recommended that you enable 17 [Object Versioning](https://cloud.google.com/storage/docs/object-versioning) 18 on the GCS bucket to allow for state recovery in the case of accidental deletions and human error. 19 20 ## Example Configuration 21 22 ```hcl 23 terraform { 24 backend "gcs" { 25 bucket = "tf-state-prod" 26 prefix = "terraform/state" 27 } 28 } 29 ``` 30 31 ## Data Source Configuration 32 33 ```hcl 34 data "terraform_remote_state" "foo" { 35 backend = "gcs" 36 config = { 37 bucket = "terraform-state" 38 prefix = "prod" 39 } 40 } 41 42 resource "template_file" "bar" { 43 template = "${greeting}" 44 45 vars { 46 greeting = "${data.terraform_remote_state.foo.greeting}" 47 } 48 } 49 ``` 50 51 ## Authentication 52 53 IAM Changes to buckets are [eventually consistent](https://cloud.google.com/storage/docs/consistency#eventually_consistent_operations) and may take upto a few minutes to take effect. Terraform will return 403 errors till it is eventually consistent. 54 55 ### Running Terraform on your workstation. 56 57 If you are using terraform on your workstation, you will need to install the Google Cloud SDK and authenticate using [User Application Default 58 Credentials](https://cloud.google.com/sdk/gcloud/reference/auth/application-default). 59 60 User ADCs do [expire](https://developers.google.com/identity/protocols/oauth2#expiration) and you can refresh them by running `gcloud auth application-default login`. 61 62 ### Running Terraform on Google Cloud 63 64 If you are running terraform on Google Cloud, you can configure that instance or cluster to use a [Google Service 65 Account](https://cloud.google.com/compute/docs/authentication). This will allow Terraform to authenticate to Google Cloud without having to bake in a separate 66 credential/authentication file. Make sure that the scope of the VM/Cluster is set to cloud-platform. 67 68 ### Running Terraform outside of Google Cloud 69 70 If you are running terraform outside of Google Cloud, generate a service account key and set the `GOOGLE_APPLICATION_CREDENTIALS` environment variable to 71 the path of the service account key. Terraform will use that key for authentication. 72 73 ### Impersonating Service Accounts 74 75 Terraform can impersonate a Google Service Account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials). A valid credential must be provided as mentioned in the earlier section and that identity must have the `roles/iam.serviceAccountTokenCreator` role on the service account you are impersonating. 76 77 ## Configuration variables 78 79 The following configuration options are supported: 80 81 * `bucket` - (Required) The name of the GCS bucket. This name must be 82 globally unique. For more information, see [Bucket Naming 83 Guidelines](https://cloud.google.com/storage/docs/bucketnaming.html#requirements). 84 * `credentials` / `GOOGLE_BACKEND_CREDENTIALS` / `GOOGLE_CREDENTIALS` - 85 (Optional) Local path to Google Cloud Platform account credentials in JSON 86 format. If unset, [Google Application Default 87 Credentials](https://developers.google.com/identity/protocols/application-default-credentials) 88 are used. The provided credentials must have Storage Object Admin role on the bucket. 89 **Warning**: if using the Google Cloud Platform provider as well, it will 90 also pick up the `GOOGLE_CREDENTIALS` environment variable. 91 * `impersonate_service_account` - (Optional) The service account to impersonate for accessing the State Bucket. 92 You must have `roles/iam.serviceAccountTokenCreator` role on that account for the impersonation to succeed. 93 If you are using a delegation chain, you can specify that using the `impersonate_service_account_delegates` field. 94 Alternatively, this can be specified using the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment 95 variable. 96 * `impersonate_service_account_delegates` - (Optional) The delegation chain for an impersonating a service account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-delegated). 97 * `access_token` - (Optional) A temporary [OAuth 2.0 access token] obtained 98 from the Google Authorization server, i.e. the `Authorization: Bearer` token 99 used to authenticate HTTP requests to GCP APIs. This is an alternative to 100 `credentials`. If both are specified, `access_token` will be used over the 101 `credentials` field. 102 * `prefix` - (Optional) GCS prefix inside the bucket. Named states for 103 workspaces are stored in an object called `<prefix>/<name>.tfstate`. 104 * `encryption_key` / `GOOGLE_ENCRYPTION_KEY` - (Optional) A 32 byte base64 105 encoded 'customer supplied encryption key' used to encrypt all state. For 106 more information see [Customer Supplied Encryption 107 Keys](https://cloud.google.com/storage/docs/encryption#customer-supplied).