Yes, the credentials to access the backend must be available for any operation that reads or writes state snapshots, which includes
terraform plan and
I suppose if you were previously setting that inline in the backend configuration it would’ve appeared that you only needed to set it during
terraform init, because the init command was saving that setting for you in
.terraform/terraform.tfstate where the active backend configuration is cached.
When providing credentials out-of-band Terraform doesn’t duplicate them into that cache file because we assume they are probably sensitive and thus it would be undesirable to write a copy of them out to disk silently, and so you will indeed need to preserve the out-of-band setting between the different operations yourself somehow.