Greetings,
I’m trying to create a GCP Workload Identity Federation X.509 pool with a set of certificates that I was able to use manually via gcloud. But trying to use them in Terraform gives me an error:
google_iam_workload_identity_pool_provider.x509-test-provider: Creating...
╷
│ Error: Error creating WorkloadIdentityPoolProvider: googleapi: Error 400: Error validating TrustAnchor[0]: Certificate is not in PEM format. Please make sure to include the suffix, prefix and the new line characters.
│
│ with google_iam_workload_identity_pool_provider.x509-test-provider,
│ on main.tf line 6, in resource "google_iam_workload_identity_pool_provider" "x509-test-provider":
│ 6: resource "google_iam_workload_identity_pool_provider" "x509-test-provider" {
│
╵
Terraform code:

    resource "google_iam_workload_identity_pool_provider" "x509-test-provider" {
      provider                           = google.entrypoint
      description                        = "X.509 identity pool provider"
      workload_identity_pool_id          = google_iam_workload_identity_pool.x509-test-pool.workload_identity_pool_id
      workload_identity_pool_provider_id = "x509-provider"
      attribute_mapping = {
        "google.subject" = "assertion.subject.dn.cn"
      }
      x509 {
        trust_store {
          trust_anchors {
            pem_certificate = replace(file("../root.cert"), "\n", "\\n")
          }
          intermediate_cas {
            pem_certificate = replace(file("../int.cert"), "\n", "\\n")
          }
        }
      }
    }
root.cert:
-----BEGIN CERTIFICATE-----
MIIDADCCAeigAwIBAgIUAjKSRATj4Qy9TZBxJWQDIW/IVLswDQYJKoZIhvcNAQEL
BQAwDzENMAsGA1UEAwwEcm9vdDAeFw0yNTEwMjcxMDI5MTZaFw0zNTEwMjUxMDI5
MTZaMA8xDTALBgNVBAMMBHJvb3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC0l5a2PVLUVGfoLRj2FiKJ7VmY1lGEWOOzkMR9kiLCF4WRIP11rSmV43NH
8u9hfyWOaxGEr0Kq3KvNyVx9tuprRBaXrfgq2Bmu/3sddhaDPOG6U4uSs/B0NbxD
H6OBj9AY908fOhm1DJnIbAHAfuruMmLmdInmNip6Wup9W/+JQoDpa17dUQ0UA15D
i7oY4PLw6LsRkFi9YLFHFd4KngLbQd6/hhzLQXuhD40OZACCqYjLnIQ7rU8bUljf
7OdYhnm/foM82lReKUB93pL6L5cJ0dkoBUh9FALHPGZFHSM5XMV6YTi4KNrP9UZu
X47QFk3HYtAjd4guymMB2i3NZH6tAgMBAAGjVDBSMA8GA1UdEwEB/wQFMAMBAf8w
CwYDVR0PBAQDAgIEMBMGA1UdJQQMMAoGCCsGAQUFBwMCMB0GA1UdDgQWBBTHcIj8
sJ58fgquQ0tOubQCO8lvPzANBgkqhkiG9w0BAQsFAAOCAQEAflZJ21bx/Sc26SPe
KEUrDgOFxm56zIFLb0WZlQ+GBkwgV1fW1DW/khB02A5ZV21PT2CQ7er0Z1EFJQ2x
N7ECs0gg0819KZJ0jbXBanrtSXpS8wyewUXkMYU+rNiD0AABGAWpZw1uEEy6PArF
9PqdmgsBqGSEWc42eEDd9e0jDZ6rmOdxGtgswYiYFOeHUYJ6gUBVVufIsOGt3HPn
vkQf6EhWUaAxT2SYfPM71oAI7xP3aKPs+bDFWuJsjp5U5x75ud4GJqk+BmzY2wom
CTB5nxDfeI5my3sMQQCQGLxdSh1RCuuZ+jiPQ0b/bfslfcpbtXRK4lbEPUq1C0un
kJ8qNA==
-----END CERTIFICATE-----
I’ve tried using the file just as file("root.cert"):

    x509 {
      trust_store {
        intermediate_cas {
          pem_certificate = <<-EOT
            -----BEGIN CERTIFICATE-----
            [base64 stripped for brevity]
            -----END CERTIFICATE-----
          EOT
        }
      }
    }
And I’ve tried replacing newlines with replace(file("root.cert"), "\n", "\\n"):

    x509 {
      trust_store {
        intermediate_cas {
+ pem_certificate = "-----BEGIN CERTIFICATE-----\\nMIIDDTCCAfWgAwIBAgIBATANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARyb290\\nMB4XDTI1MTAyNzEwMjkyNloXDTM1MTAyNTEwMjkyNlowDjEMMAoGA1UEAwwDaW50\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsi6pxyMfay3QZYafUvv1\\nhj55OdptrCyhGpaVP0dB5kuKNyXxQsCC/p7drzmS93WRjqb0uVz3/fyR0+Fz4DHu\\neUkcXrCNPjdMgQJAQP7TCRPbgGyi+dmKcwpdi9ERSflIorBkzM/AKHaJxS7rXSdR\\nWgEW71i6BA2OANnbkzWyWgBNudbZIqOsAX65SxYnLUTgmvVLNtZK3l5KRvcLq0nl\\nVGZRP6AC7Q0kF9QwhKvntoULZoUKDzcXiaknv4tQRl4nlV8Pro2PNBO7OoL3+foe\\nlkQvdVtq0G85wRkt5y6WWXrVK+t2bBOG0ZroTDg1zQ+FcRo7NvBG5D3YqYCWFvKG\\nBQIDAQABo3UwczAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwICBDATBgNVHSUE\\nDDAKBggrBgEFBQcDAjAdBgNVHQ4EFgQUamxW5EQpfLR70w5w2GlB7gtdcZswHwYD\\nVR0jBBgwFoAUx3CI/LCefH4KrkNLTrm0AjvJbz8wDQYJKoZIhvcNAQELBQADggEB\\nAIXv0hyqx0p8SQ/wCqIUxFIJXFl0NyK+nmI0Dv2Y8qfNaWNYc+nyfOK+E2YClUIS\\nz3L5bmWUr7LUk1mthMEnw2bOYFHSiL7Sr375uPeKn/mk5yV95Ice6MNInBhI10M/\\ntf8uRTu1JseFRXtZQVlkfvrASZB3UwsoB8eStby+i+lykW/sxrc4yOk8xfTFLl0k\\nyWea+vsEEA0Ha0NTngBZn+4WMfB4/cAMlNybAzlke2lKCmsMfJjthqWRm/T0JodX\\n1JK1D6fadrgzG3GQlJ2m/nnnnm3n73vnJQmIQEps8vgV7uEyX27wFPViiXC4LtJr\\nzwpTxsvMti9/ULlbVd5e7is=\\n-----END CERTIFICATE-----\\n"
        }
      }
    }
But neither of these works; both throw the same error I provided at the top of the post.
Open to any ideas here. I can’t think of any other way I can manipulate the file when it’s already a compliant PEM file with the correct header/footer.
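A check worth running on the exact string Terraform evaluates, added here as an example (not code from the post, the Google provider, or Terraform): it flags the literal backslash-n that HCL's `"\\n"` produces, then verifies the PEM header/footer layout and that the base64 body decodes to DER. The function names `pem_problems` and `hcl_escape_newlines` are my own, and the sample block it runs on is constructed, not a real certificate.

```python
r"""Structural check of a PEM certificate string before it reaches the
Workload Identity Federation API, plus a model of the HCL expression
replace(file("root.cert"), "\n", "\\n"): in HCL "\\n" is a literal
backslash followed by n, not a newline."""
import base64
import re

# Header, base64 body lines, footer; only real newlines are accepted.
PEM_RE = re.compile(
    r"\A-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)-----END CERTIFICATE-----\n?\Z"
)


def pem_problems(text: str) -> list[str]:
    """Return the reasons text is not a usable PEM block (empty list if it is)."""
    problems = []
    if "\\n" in text:
        problems.append("literal backslash-n where a newline is expected")
    if "\r" in text:
        problems.append("carriage returns present (CRLF line endings)")
    match = PEM_RE.match(text)
    if match is None:
        problems.append("header, footer or newline layout is not PEM")
        return problems
    body_lines = match.group(1).rstrip("\n").split("\n")
    if any(len(line) > 64 for line in body_lines):
        problems.append("base64 line longer than 64 characters")
    try:
        der = base64.b64decode("".join(body_lines), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        problems.append("body is not valid base64")
        return problems
    if not der or der[0] != 0x30:
        problems.append("decoded body does not start with a DER SEQUENCE")
    return problems


def hcl_escape_newlines(text: str) -> str:
    r"""What replace(text, "\n", "\\n") evaluates to in Terraform."""
    return text.replace("\n", "\\n")


# Constructed sample: DER SEQUENCE { INTEGER 1 }, not a real certificate,
# wrapped in the same armour an openssl-generated .cert file has.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("file as-is:", pem_problems(SAMPLE_PEM) or "ok")
    print("after replace():", pem_problems(hcl_escape_newlines(SAMPLE_PEM)))
```

To check the real file, call `pem_problems(open("root.cert", newline="").read())`; `newline=""` keeps any CRLF endings visible instead of letting Python translate them away.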