I tried to automate the Shared VPC creation on GCP by using Terraform. I have enabled all the access to my service account (Org Admin, XpnAdmin, Storage Admin, Compute admin, Billing Admin)
But when i executed terraform apply it's throwing me following error:
missing permission on "billingAccounts/CXXXXXXXXXXXXXXXXXX": billing.resourceAssociations.create
I'm referring the Google provider Github code for this demo.
It's quite likely you have the billing admin, but you also need the ability to create billing assignments, or "Billing Project Manager".
https://cloud.google.com/billing/v1/how-tos/access-control
billing.resourceAssociations.create AND resourcemanager.projects.createBillingAssignment on the Cloud Billing account.
There's some handy code to bootstrap a service account - Google Project Factory - You might want to have a look at that. Once that SA is created you shouldn't have permissions issues
I was getting same error even my "Service Account" had the necessary "Organization" level permissions. Then I figured out, I need to give permission from "Billing Account". It worked.
I was following this tutorial to create projects via "Service Account" and "Terraform", but still was getting error. After some research, I followed this how-to and gave permission from "Billing Account".
Project, Organization and Billing are 3 separate components for permissions. Giving "Organization" level is not enough. The permission should be given from "Billing Account" as well.
Billing Account Administratorhas the required permissions. This means that the service account that you are using with Terraform does not have the roleroles/billing.admin. – John Hanley