Query project permissions by service account without manual preparation

Question

I'm working on an integration with GCP where the user provides service account credentials.

Before enabling the integration it has to check if the service account has a meaningful set of permissions.

The only useful API for checking the permissions that I found is

https://cloudresourcemanager.googleapis.com/v1/projects/<PROJECT ID>:testIamPermissions

however it seems that to use this api (Cloud Resource Manager API) it has to be manually enabled, otherwise I get an error like the one below.

Any ideas how to fully automate this without having to manually enable this API? Or use another API that's enabled by default?

  "error": {
    "code": 403,
    "message": "Cloud Resource Manager API has not been used in project 1xxxxxxxxxxx before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=PROJECT_ID then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.",
    "status": "PERMISSION_DENIED",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.Help",
        "links": [
          {
            "description": "Google developers console API activation",
            "url": "https://console.developers.google.com/apis/api/cloudresourcemanager.googleapis.com/overview?project=PROJECT_ID"
          }
        ]
      }
    ]
  }
}
]

Answer 1

Aren't pretty much all APIs disabled by default and you have to enable them through console,gcloud or API? There is a separate API for enabling services (https://cloud.google.com/service-usage/docs/enable-disable#curl), but I am not aware of anything that you could just straight up use for what you are trying to do. So you can programmatically enable the resource manager API that you want, but obviously you need the permissions to do it.