I had the same problem.
We are using Organizations on GCP. And I used this script to create the terraform account in a terraform-admin project I created just for holding the master terraform service account which we use for setting up higher level projects and environments.
It turns out that the roles I set up for terraform@{project}.iam.gserviceaccount.com in the admin project are local to that project, i.e. in the organization IAM view this service account shows up with only 'Billing Account User' and 'Project Creator'.
I am not sure, but I think that other organization scope projects can't read the roles set in other projects (or the roles set in other projects for a specific service account are overridden by the roles set up in the organization scope roles for that service account).
Adding 'Storage Admin' and 'Viewer' roles to the organization scope service account fixed this error.
P.S.
I think that using Terraform Enterprise allows managing organization-wide users and thus makes it possible to create and manage Terraform service accounts in the organization scope, avoiding the need to manually add the organization scope roles to the service account that one experiences with the community version.
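Added example, not part of the original post: a small model of how GCP allow-policy bindings are inherited, showing why roles granted inside the admin project do not reach a sibling project while organization-level grants do. The organization name, the `example-env` project, and the roles bound inside the admin project are assumptions; the policies are constructed sample data in the `bindings` shape that `get-iam-policy` returns.

```python
import copy

# Allow-policy bindings are inherited down the resource hierarchy and are
# additive; bindings on a sibling project never apply. IAM conditions and
# deny policies are ignored in this model.
# Constructed sample data; org and example-env names are hypothetical.
SA = "serviceAccount:terraform@terraform-admin.iam.gserviceaccount.com"
ORG = "organizations/example-org"
PARENT = {ORG: None,
          "projects/terraform-admin": ORG,
          "projects/example-env": ORG}
POLICIES = {
    ORG: {"bindings": [
        {"role": "roles/billing.user", "members": [SA]},
        {"role": "roles/resourcemanager.projectCreator", "members": [SA]}]},
    # Assumption: the roles that were granted inside the admin project.
    "projects/terraform-admin": {"bindings": [
        {"role": "roles/storage.admin", "members": [SA]},
        {"role": "roles/viewer", "members": [SA]}]},
    "projects/example-env": {"bindings": []},
}

def direct_roles(policies, resource, member):
    """Roles bound to member in the policy attached to this one resource."""
    bindings = policies.get(resource, {}).get("bindings", [])
    return {b["role"] for b in bindings if member in b.get("members", [])}

def effective_roles(policies, parent, resource, member):
    """Union of direct roles on the resource and on every ancestor."""
    roles = set()
    while resource is not None:
        roles |= direct_roles(policies, resource, member)
        resource = parent.get(resource)
    return roles

def with_grant(policies, resource, role, member):
    """Return a copy of policies with member added to role on resource."""
    updated = copy.deepcopy(policies)
    bindings = updated.setdefault(resource, {"bindings": []})["bindings"]
    binding = next((b for b in bindings if b["role"] == role), None)
    if binding is None:
        bindings.append({"role": role, "members": [member]})
    elif member not in binding["members"]:
        binding["members"].append(member)
    return updated

if __name__ == "__main__":
    env = "projects/example-env"
    print("before:", sorted(effective_roles(POLICIES, PARENT, env, SA)))
    fixed = with_grant(with_grant(POLICIES, ORG, "roles/storage.admin", SA),
                       ORG, "roles/viewer", SA)
    print("after: ", sorted(effective_roles(fixed, PARENT, env, SA)))
```

Because organization-level grants are inherited by every project under the organization, the same function can be used to review how far a role such as `roles/storage.admin` reaches before binding it there.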