From 05ff3c3278ab55aba9250819dc41161078ac2d74 Mon Sep 17 00:00:00 2001
From: bharathkkb <bbaiju@google.com>
Date: Fri, 2 Dec 2022 13:35:39 -0600
Subject: [PATCH] Add a GCS backend specific env var for impersonation

---
 internal/backend/remote-state/gcs/backend.go    | 1 +
 website/docs/language/settings/backends/gcs.mdx | 4 +---
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/internal/backend/remote-state/gcs/backend.go b/internal/backend/remote-state/gcs/backend.go
index 8bab376bf3..5c6d119238 100644
--- a/internal/backend/remote-state/gcs/backend.go
+++ b/internal/backend/remote-state/gcs/backend.go
@@ -71,6 +71,7 @@ func New() backend.Backend {
 				Type:     schema.TypeString,
 				Optional: true,
 				DefaultFunc: schema.MultiEnvDefaultFunc([]string{
+					"GOOGLE_BACKEND_IMPERSONATE_SERVICE_ACCOUNT",
 					"GOOGLE_IMPERSONATE_SERVICE_ACCOUNT",
 				}, nil),
 				Description: "The service account to impersonate for all Google API Calls",
diff --git a/website/docs/language/settings/backends/gcs.mdx b/website/docs/language/settings/backends/gcs.mdx
index 4e0ece875e..c01dc8d066 100644
--- a/website/docs/language/settings/backends/gcs.mdx
+++ b/website/docs/language/settings/backends/gcs.mdx
@@ -113,11 +113,9 @@ The following configuration options are supported:
   format. If unset, the path uses [Google Application Default Credentials](https://developers.google.com/identity/protocols/application-default-credentials).  The provided credentials must have the Storage Object Admin role on the bucket.
   **Warning**: if using the Google Cloud Platform provider as well, it will
   also pick up the `GOOGLE_CREDENTIALS` environment variable.
-- `impersonate_service_account` - (Optional) The service account to impersonate for accessing the State Bucket.
+- `impersonate_service_account` / `GOOGLE_BACKEND_IMPERSONATE_SERVICE_ACCOUNT` / `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` - (Optional) The service account to impersonate for accessing the State Bucket.
   You must have `roles/iam.serviceAccountTokenCreator` role on that account for the impersonation to succeed.
   If you are using a delegation chain, you can specify that using the `impersonate_service_account_delegates` field.
-  Alternatively, this can be specified using the `GOOGLE_IMPERSONATE_SERVICE_ACCOUNT` environment
-  variable.
 - `impersonate_service_account_delegates` - (Optional) The delegation chain for an impersonating a service account as described [here](https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials#sa-credentials-delegated).
 - `access_token` - (Optional) A temporary \[OAuth 2.0 access token] obtained
   from the Google Authorization server, i.e. the `Authorization: Bearer` token