Reputation: 1
On GCP, I'm trying to create a service account with this Terraform code below:
```hcl
provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-173831"
  region      = "asia-northeast1"
}

resource "google_service_account" "service_account" {
  display_name = "My Service Account"
  account_id   = "my-service-account"
}
```
But I got this error below:
```
Error creating service account: googleapi: Error 403: Permission iam.serviceAccounts.create is required to perform this operation on project projects/myproject-173831., forbidden
```
So now, I'm trying to add a role to solve this error, but there are too many roles to choose from:
What role do I need to choose?
Upvotes: 1
Views: 3115
Reputation: 1
You need to choose the role "Create Service Accounts" to create service accounts:
In addition, you can choose the role "Delete Service Accounts" to delete service accounts:
Otherwise, you cannot delete service accounts, and you will get the error below:
```
Error 403: Permission iam.serviceAccounts.delete is required to perform this operation on service account projects/myproject-173831/serviceAccounts/[email protected]., forbidden
```
Finally, if you want to create and delete service accounts with one role, you can choose the more abstract role "Service Account Admin":
Upvotes: 3
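As an added example (not part of the question or the answer above), the same grant expressed in Terraform instead of the console, limited to the two roles the answer names rather than the broader Service Account Admin. The role IDs are the standard GCP identifiers behind the console display names; the `terraform_runner` member address is an assumed placeholder for the identity whose key is in `myCredentials.json`, and this file must be applied by someone who already holds `resourcemanager.projects.setIamPolicy` on the project (for example a project owner), not by the runner it is granting to.

```hcl
# Added example, not from the original post: grant only what the 403 asked for.
locals {
  project = "myproject-173831"
  # Assumed placeholder: the service account that executes `terraform apply`.
  terraform_runner = "serviceAccount:terraform@myproject-173831.iam.gserviceaccount.com"
}

# Console name "Create Service Accounts" == roles/iam.serviceAccountCreator.
# Supplies the iam.serviceAccounts.create permission from the first error.
resource "google_project_iam_member" "sa_creator" {
  project = local.project
  role    = "roles/iam.serviceAccountCreator"
  member  = local.terraform_runner
}

# Console name "Delete Service Accounts" == roles/iam.serviceAccountDeleter.
# Only needed if `terraform destroy` must remove the accounts it created
# (iam.serviceAccounts.delete from the second error).
resource "google_project_iam_member" "sa_deleter" {
  project = local.project
  role    = "roles/iam.serviceAccountDeleter"
  member  = local.terraform_runner
}

# Deliberately not granted: roles/iam.serviceAccountAdmin, which also carries
# iam.serviceAccounts.setIamPolicy and update, and roles/editor, which carries
# far more. google_project_iam_member is additive; google_project_iam_binding
# and google_project_iam_policy are authoritative and can silently remove
# bindings that other teams depend on.
```

After `terraform apply` of this grant, re-running the original configuration from the question should succeed.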