Missing required GCS remote state configuration project since Terragrunt 0.44.2 #2477

Closed
phgie opened this issue Mar 3, 2023 · 9 comments · Fixed by #2679

phgie commented Mar 3, 2023

Hey there, since updating to Terragrunt 0.44.2 we have problems with our GCS remote state configuration.

```hcl
remote_state {
  backend = "gcs"
  generate = {
    path      = "backend.tf"
    if_exists = "overwrite_terragrunt"
  }
  config = {
    bucket = "<tf-state-bucket>"
    prefix = "terragrunt/${path_relative_to_include()}"

    impersonate_service_account = "${local.impersonate_service_account}"
  }
}
```

```
ERRO[0000] 1 error occurred:
        * Missing required GCS remote state configuration project
```

Reverting to 0.44.1 fixes the error.

The debug logs show terragrunt searching for the bucket but nothing changed on the remote end or at the authentication level. The only difference is the terragrunt version.

```
DEBU[0000] Initializing remote state for the gcs backend  prefix=[<...>] 
DEBU[0000] Remote state GCS bucket <tf-state-bucket> does not exist. Attempting to create it  prefix=[<...>] 
```

Were there any breaking changes regarding the GCS remote state configuration? I can see that 0.44.4 introduces a new authentication method, but the error appears for 0.44.2 AND 0.44.4 but not for 0.44.1.

Anything I can try on my side?

Author

phgie commented Mar 3, 2023

Further testing reveals that removing the service account impersonation also fixes the problem.

denis256 added the bug and p:needs triage labels Mar 3, 2023

cmeury commented Mar 20, 2023

We encountered a similar issue with Terragrunt 0.45.

```
ERRO[0000] Get "https://storage.googleapis.com/storage/v1/b/example-bucket?alt=json&prettyPrint=false&projection=full": impersonate: unable to generate access token: Post "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/terraform-state@example-project.iam.gserviceaccount.com:generateAccessToken": impersonate: status code 403: {
  "error": {
    "code": 403,
    "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "reason": "IAM_PERMISSION_DENIED",
        "domain": "iam.googleapis.com",
        "metadata": {
          "permission": "iam.serviceAccounts.getAccessToken"
        }
      }
    ]
  }
}
```

A downgrade to 0.44.1 helped.
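
The 403 above names the permission the calling identity lacked on the impersonated service account. As an added example (not from this thread and not Terragrunt code), the Python below extracts that permission from the error body and lists which members of a service account IAM policy hold `roles/iam.serviceAccountTokenCreator`, so the result can be compared with the identity Terragrunt actually authenticates as. The error body, policy and member names are constructed samples; the policy is assumed to have the shape printed by `gcloud iam service-accounts get-iam-policy --format=json`.

```python
import json

# Predefined role that contains iam.serviceAccounts.getAccessToken.
# Custom roles and other predefined roles are not resolved here (assumption).
ROLES_BY_PERMISSION = {
    "iam.serviceAccounts.getAccessToken": {"roles/iam.serviceAccountTokenCreator"},
}

def denied_permission(error_body):
    """Return the permission named in a google.rpc.ErrorInfo detail, or None."""
    err = json.loads(error_body).get("error", {})
    for detail in err.get("details", []):
        if detail.get("@type", "").endswith("google.rpc.ErrorInfo"):
            return detail.get("metadata", {}).get("permission")
    return None

def impersonators(policy, permission):
    """Map each member holding a role with `permission` to 'direct' or 'conditional'."""
    roles = ROLES_BY_PERMISSION.get(permission, set())
    found = {}
    for binding in policy.get("bindings", []):
        if binding.get("role") not in roles:
            continue
        kind = "conditional" if "condition" in binding else "direct"
        for member in binding.get("members", []):
            if found.get(member) != "direct":  # a direct grant wins over a conditional one
                found[member] = kind
    return found

def can_impersonate(policy, permission, caller):
    """True only for an unconditional grant made to `caller` itself."""
    return impersonators(policy, permission).get(caller) == "direct"

# Constructed samples (hypothetical members; error trimmed to the fields shown in the thread).
SAMPLE_ERROR = """{"error": {"code": 403, "status": "PERMISSION_DENIED", "details": [
  {"@type": "type.googleapis.com/google.rpc.ErrorInfo", "reason": "IAM_PERMISSION_DENIED",
   "metadata": {"permission": "iam.serviceAccounts.getAccessToken"}}]}}"""
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["user:alice@example.com", "group:platform@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["serviceAccount:ci@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires",
                   "expression": "request.time < timestamp('2024-01-01T00:00:00Z')"}},
    {"role": "roles/iam.serviceAccountUser", "members": ["user:bob@example.com"]},
]}

if __name__ == "__main__":
    perm = denied_permission(SAMPLE_ERROR)
    for member, kind in impersonators(SAMPLE_POLICY, perm).items():
        print(f"{kind:11} {member}")
```

Group members are reported as listed and not expanded, so a caller who is covered only through a group shows up under the group's name.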


splichy commented Mar 20, 2023

It's probably caused by an update of the underlying dependency cloud.google.com/go/storage from v1.16.0 to v1.27.0 introduced by github.com/hashicorp/go-getter v1.6.2 => v1.7.0 #2454


cmeury commented Mar 23, 2023

This PR was merged for the google-cloud-go/storage v1.27.0 release, that might be a starting point?

Author

phgie commented Apr 25, 2023

Any chance of this getting resolved? Service Account Impersonation with remote state configuration is just broken at the moment. :-(

@denis256
Member


yinzara commented Mar 5, 2024

This doesn't seem to be actually fixed. I'm getting this error with the current version today. Unsetting my GOOGLE_APPLICATION_CREDENTIALS and just using my user account worked fine but as soon as I set GOOGLE_APPLICATION_CREDENTIALS to a service account key file, it gets this error again.


erdia7 commented Mar 28, 2024

@yinzara is correct. I am also still getting this error with the current version as well.


yinzara commented Mar 28, 2024

Could we get this issue reopened?
