Reputation: 1
On GCP, I'm trying to enable "Identity and Access Management (IAM) API" with this Terraform code below:
```hcl
provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-173831"
  region      = "asia-northeast1"
}

resource "google_project_service" "project" {
  service = "iam.googleapis.com"
}
```
But I got this error:
```
Error when reading or editing Project Service : Request List Project Services myproject-173831 returned error: Failed to list enabled services for project myproject-173831: googleapi: Error 403: Permission denied to list services for consumer container [projects/335478934851]
```
Then, I couldn't enable it.
So now, I'm trying to add a role to solve this error above but there are too many roles to choose:
What role do I need to choose?
Upvotes: 6
Views: 8769
Reputation: 11
I agree with answer 1 but a few additions:
Comment recommends roles/servicemanagement.quotaViewer, this is insufficient for the terraform resource google_project_service.

Required roles I have made it work with are:

- roles/servicemanagement.quotaAdmin
- roles/serviceusage.serviceUsageAdmin

Sometimes it takes a few minutes to enable services and it is worth retrying after a failed run to see if the services are now enabled.
I would also recommend batch enabling services in their own resource/module using the pattern shown here.
Upvotes: 1
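As an added example (not part of the answer above and not the pattern it links to), one way to batch-enable APIs in a single resource and make dependent resources wait for them. The project ID and provider settings are taken from the question; the variable names, the service list, the timeout and the `example-app` service account are assumptions.

```hcl
# Assumes the identity in myCredentials.json already holds
# roles/serviceusage.serviceUsageAdmin on the project (one of the roles the
# answer above reports working), granted beforehand by a project IAM admin.

variable "project_id" {
  type    = string
  default = "myproject-173831" # project ID from the question
}

# Assumed list of APIs to enable; adjust to what the project needs.
variable "services" {
  type = set(string)
  default = [
    "iam.googleapis.com",
    "cloudresourcemanager.googleapis.com",
  ]
}

provider "google" {
  credentials = file("myCredentials.json")
  project     = var.project_id
  region      = "asia-northeast1"
}

# One resource instance per API, keyed by service name.
resource "google_project_service" "enabled" {
  for_each = var.services

  project = var.project_id
  service = each.value

  # Leave the API enabled if this resource is later destroyed, so other
  # workloads in the project are not broken by a terraform destroy.
  disable_on_destroy = false

  # Enabling can take several minutes; give it room before failing the run.
  timeouts {
    create = "30m"
  }
}

# Hypothetical downstream resource: service accounts need the IAM API,
# so wait for the enablement above before creating one.
resource "google_service_account" "app" {
  account_id   = "example-app" # constructed placeholder
  display_name = "Example application (constructed)"

  depends_on = [google_project_service.enabled]
}
```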
Reputation: 1
Choose the role "Quota Administrator":
Then, apply your Terraform code again:
```hcl
provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-173831"
  region      = "asia-northeast1"
}

resource "google_project_service" "project" {
  service = "iam.googleapis.com"
}
```
Finally, you can enable "Identity and Access Management (IAM) API":
Upvotes: 1