Add OAuth2 token support for GCS backend

[luis-silva]

This PR aims to provide the functionality requested in issue #21680. The code was mostly inspired by what is already done in the GCP provider

I ran the following acceptance tests to validate correct operation:

• Confirm that no default credentials are set and therefore the requests should fail:

$ TF_ACC=1   GOOGLE_PROJECT=YYYY   go test -timeout=2m -parallel=4 ./backend/remote-state/gcs                                                             
--- FAIL: TestRemoteClientWithEncryption (0.00s)    backend_test.go:80: --- FAIL: TestBackend (0.00s)
    backend_test.go:134: TestBackendConfig on *gcs.Backend with configs.synthBody{Filename:"<TestWrapConfig>", Values:map[string]cty.Value{"bucket":cty.StringVal("tf-15a94aedb5a96e40-testbackend"), "encryption_key":cty.StringVal(""), "prefix":cty.StringVal("")}}
    backend_test.go:134: storage.NewClient() failed: dialing: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.
.....

• Specifying the path to a credentials file works as expected:

TF_ACC=1   GOOGLE_CREDENTIALS=~/Downloads/creds.json   GOOGLE_PROJECT=YYYY   go test -timeout=2m -parallel=4 ./backend/remote-state/gcs
ok      github.com/hashicorp/terraform/backend/remote-state/gcs 36.156s

• Using the new access token parameter also works as expected:

TF_ACC=1   GOOGLE_OAUTH_ACCESS_TOKEN=XXXX   GOOGLE_PROJECT=YYYY   go test -timeout=2m -parallel=4 ./backend/remote-state/gcs
ok      github.com/hashicorp/terraform/backend/remote-state/gcs 36.882s

[hashicorp-cla]

All committers have signed the CLA.

[luis-silva]

@paddycarver @emilymye @mildwonkey Anything I can do to speed up the review of this PR?

[luis-silva]

@jbardin A quick and easy PR that would really unblock us with GCP remote states?

[carlpett]

Thanks for this @luis-silva, it will help my team as well! According to the codeowners file, the @terraform-google group is the reviewer.
So, @terraform-google, could you please have a look?

[carlpett]

Hm, apparently the group isn't set up 😕

[mildwonkey]

Hi folks! We cannot review this PR with a pending CLA signature. Please either sign the CLI, or remove the commit from @kostas-theo (see the CLA bot comment for details).

[luis-silva]

@mildwonkey I've asked @kostas-theo to sign the CLA so we've both done it now.

[simonswine]

LGTM, we are already using that using a custom built here:

https://github.com/simonswine/terraform/releases/tag/v0.12.7-gcs-access-token

[williams-brian]

@mildwonkey Is this still waiting on review from someone? I would really like to see this merged. Having long-lived credentials stored on developer machines is a security risk that this feature would allow many people to avoid.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.