terraform indicates Bad Request upon `terraform apply`

[BenjaminPelletier]

Describe the bug
When following the GKE terraform infrastructure deployment instructions, I receive a number of "Bad Request" errors when invoking the terraform apply command. I am an owner of the targeted GCP project, though it does have certain resource constraints.

To Reproduce

1. GKE terraform infrastructure deployment instructions to step 11 under "Deployment of the Kubernetes cluster"
2. Reach personal deployment folder contents: dev-dss-1.zip
3. From personal deployment folder, terraform apply, then indicate yes
4. Observe error message below

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.terraform-google-kubernetes.google_compute_ssl_policy.secure: Creating...
module.terraform-google-kubernetes.google_compute_global_address.ip_gateway: Creating...
module.terraform-google-kubernetes.google_compute_address.ip_crdb[2]: Creating...
module.terraform-google-kubernetes.google_compute_address.ip_crdb[1]: Creating...
module.terraform-google-kubernetes.google_compute_address.ip_crdb[0]: Creating...
module.terraform-google-kubernetes.google_container_cluster.kubernetes_cluster: Creating...
╷
│ Error: Post "https://container.googleapis.com/v1/projects/wing-utm-dev/locations/us-central1-a/clusters?alt=json&prettyPrint=false": oauth2: "invalid_grant" "Bad Request"
│ 
│   with module.terraform-google-kubernetes.google_container_cluster.kubernetes_cluster,
│   on ../../dependencies/terraform-google-kubernetes/cluster.tf line 3, in resource "google_container_cluster" "kubernetes_cluster":
│    3: resource "google_container_cluster" "kubernetes_cluster" {
│ 
╵
╷
│ Error: Error creating GlobalAddress: Post "https://compute.googleapis.com/compute/v1/projects/wing-utm-dev/global/addresses?alt=json": oauth2: "invalid_grant" "Bad Request"
│ 
│   with module.terraform-google-kubernetes.google_compute_global_address.ip_gateway,
│   on ../../dependencies/terraform-google-kubernetes/cluster.tf line 45, in resource "google_compute_global_address" "ip_gateway":
│   45: resource "google_compute_global_address" "ip_gateway" {
│ 
╵
╷
│ Error: Error creating Address: Post "https://compute.googleapis.com/compute/v1/projects/wing-utm-dev/regions/us-central1/addresses?alt=json": oauth2: "invalid_grant" "Bad Request"
│ 
│   with module.terraform-google-kubernetes.google_compute_address.ip_crdb[0],
│   on ../../dependencies/terraform-google-kubernetes/cluster.tf line 54, in resource "google_compute_address" "ip_crdb":
│   54: resource "google_compute_address" "ip_crdb" {
│ 
╵
╷
│ Error: Error creating Address: Post "https://compute.googleapis.com/compute/v1/projects/wing-utm-dev/regions/us-central1/addresses?alt=json": oauth2: "invalid_grant" "Bad Request"
│ 
│   with module.terraform-google-kubernetes.google_compute_address.ip_crdb[1],
│   on ../../dependencies/terraform-google-kubernetes/cluster.tf line 54, in resource "google_compute_address" "ip_crdb":
│   54: resource "google_compute_address" "ip_crdb" {
│ 
╵
╷
│ Error: Error creating Address: Post "https://compute.googleapis.com/compute/v1/projects/wing-utm-dev/regions/us-central1/addresses?alt=json": oauth2: "invalid_grant" "Bad Request"
│ 
│   with module.terraform-google-kubernetes.google_compute_address.ip_crdb[2],
│   on ../../dependencies/terraform-google-kubernetes/cluster.tf line 54, in resource "google_compute_address" "ip_crdb":
│   54: resource "google_compute_address" "ip_crdb" {
│ 
╵
╷
│ Error: Error creating SslPolicy: Post "https://compute.googleapis.com/compute/v1/projects/wing-utm-dev/global/sslPolicies?alt=json": oauth2: "invalid_grant" "Bad Request"
│ 
│   with module.terraform-google-kubernetes.google_compute_ssl_policy.secure,
│   on ../../dependencies/terraform-google-kubernetes/cluster.tf line 77, in resource "google_compute_ssl_policy" "secure":
│   77: resource "google_compute_ssl_policy" "secure" {
│ 
╵

Expected behavior
terraform apply should succeed, or provide an error message that suggests a clear path of action, or documentation should explain how to interpret confusing error messages that we can't change

Desktop (please complete the following information):

• OS: Debian Linux variant

$ terraform version
Terraform v1.13.5
on linux_amd64
+ provider registry.terraform.io/hashicorp/google v7.10.0
+ provider registry.terraform.io/hashicorp/local v2.5.3

$ git log -n 1
commit 06391692cd77caa37cf981cccd84c6e95676a42e (HEAD -> docs-update, master)
Author: Michael Barroco <michael@orbitalize.com>
Date:   Wed Oct 22 16:24:25 2025 +0200

    [client-certificates] Add generate-clients step and fix default client (#1288)

[barroco]

Thank you for reporting this issue. Just for your information, it is highly possible that the terraform.tfstate may contain secret information after applying the configuration.
It seems that it is an authentication problem. Did you have a chance to check if your gcloud cli was authenticated with the expected user using gcloud auth list ? or are you using some other specific method to authenticate yourself ?

[BenjaminPelletier]

Thanks for the tfstate tip -- I reviewed it for sensitive data this time, and will be sure to look more carefully after deployment.

gcloud auth list indicates my expected account is active, and I actively use kubectl to make changes to this project. I am using a corporate version of both which has some differences, but I'm not aware of any important differences. gcloud services enable compute.googleapis.com works. I've followed these deployment instructions many times with my setup, including, e.g., the gcloud commands in step 4.

[barroco]

Thanks for the clarification. I would recommend to enable the logs for the providers using the following environment variable to inspect requests sent to google cloud: TF_LOG_PROVIDER=debug
Reference