Unable to export service account key in Terraform #GCP

If this bastion instance is a Google Cloud Compute Engine (GCE) instance, you do not need to pass JSON keys to the VM.

You should use the service account which the GCE instance runs as - any tool which uses the GCP API/SDK (e.g. gsutil or gcloud) will use this service account by default if no credentials are provided using environment variables.

Each GCP project is provisioned with a "default compute" service account, or you can create one specifically for the instance in question with Terraform and grant permissions as necessary via IAM.

• More information on service accounts: https://cloud.google.com/iam/docs/understanding-service-accounts
• Specific section of the above link on GCE: https://cloud.google.com/iam/docs/understanding-service-accounts#using_service_accounts_with_compute_engine

Specifically answering your question, however, your key is not being deployed due to nested double quotes. Your JSON key contains double quotes, which if not escaped will terminate the quote starting the string.

If you have to use the JSON key file, I would deploy it to the VM as a file, then read the file in the startup script:

#!/bin/bash

cat <<EOF > /etc/gce_credentials.json
${file("${var.credentials}")}
EOF

export GOOGLE_APPLICATION_CREDENTIALS=$(cat /etc/gce_credentials.json)

You must configure the variable GOOGLE_APPLICATION_CREDENTIALS

https://cloud.google.com/docs/authentication/

You can download the JSON file from the Service Account.

In IAM & admin > Service Accounts section, click on the 3 dots of the Service Account you want to use and select "Create key" > JSON > Create

This will generate/download the JSON file.