How do I allow my Google service account to administer a Cloud Domain?


I manage my Google Cloud resources through terraform. I was initially planning and applying the changes locally, authenticating with my personal email, and everything worked fine.

I am using resource "google_cloud_run_domain_mapping" "..." a couple of times. The domain I am using there was bought through Google too, and I used my personal email to do so, so my email is a verified owner of such domain.

I just migrated all my terraform state to Terraform Cloud, and, as a good practice, created a new service account called [email protected] with enough permissions to manage all my resources, and that service account key is the one I used in Terraform Cloud to authenticate to Google. In short, all resource changes are executed through the service account terraform@..., instead of my personal email [email protected].

The resource "google_cloud_run_domain_mapping" is now failing with the following error:

Error: Error waiting to create DomainMapping: resource is in failed state "Ready:False", message: Caller is not authorized to administer the domain 'my-domain.com'.

I don't know how to make this work.

My attempts:

1. Add the service account as a user of the domain through Google Registrar

In the page https://domains.google.com/registrar/my-domain.com/settings, in the Registration Settings > Domain Permissions I see the following message, instead of an option to add a new user:

Domain permissions for my-domain.com are managed by Cloud Domains.

2. Add the service account as a user of the domain through Cloud Domains

In my Google Cloud project, in the page https://console.cloud.google.com/net-services/domains/registrations/list?project=my-project, I can't see an option to add the service account to the domain.

3. Add the "owner" role to the service account.

I added the role "Owner", which is too permissive, to the service account and tried applying the terraform plan again, but the error was the same. (Maybe I need to wait for the change to come into effect?)

4. ChatGPT suggested that I add my personal email as a member of the service account

I couldn't find where to do that, but I am also not sure how that would help, because authentication would still be coming from terraform@...

The final goal is to manage my resource "google_cloud_run_domain_mapping" through Terraform Cloud in a safe way, hopefully using this new service account for authentication. Any guidance is greatly appreciated!


Adding the solution here, greatly impacted by John Hanley.

The solution was to go to the search console here https://search.google.com/search-console/ownership, choose the desired domain, add the given service account as a new user, and provide OWNER permissions to it. Note that Full permissions did not work.

More documentation here.
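A pre-flight check for the Search Console step above, added here as an example and not part of the answer or of the Terraform provider: it assumes gcloud is already authenticated as the Terraform service account, relies on `gcloud domains list-user-verified` reporting the domains that account owns, and (an assumption) treats the last two labels of the mapped hostname as the base domain that Search Console ownership is granted on.

```shell
#!/usr/bin/env sh
# Fail fast before `terraform apply`: confirm the active gcloud identity (the
# Terraform service account) is a verified owner of the base domain used by
# google_cloud_run_domain_mapping, so a missing Search Console OWNER grant is
# reported clearly instead of as "Caller is not authorized to administer ...".

# Return 0 if domain $1 appears as a whitespace-separated token anywhere in
# the text on stdin (expected: output of `gcloud domains list-user-verified`).
domain_is_verified() {
  awk -v d="$1" '
    { for (i = 1; i <= NF; i++) if ($i == d) found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

# Reduce a mapped hostname (app.my-domain.com) to its base domain.
# Assumption: two-label registrable domain; no multi-part public suffix.
base_domain() {
  printf '%s\n' "$1" | awk -F. '{ print $(NF-1) "." $NF }'
}

# Run the real check against gcloud for the hostname given in $1.
check_domain_mapping() {
  base="$(base_domain "$1")"
  if gcloud domains list-user-verified 2>/dev/null | domain_is_verified "$base"; then
    echo "OK: active account is a verified owner of $base"
  else
    echo "FAIL: active account is not a verified owner of $base;" \
         "grant it OWNER for $base in Search Console" >&2
    return 1
  fi
}

# Stand-alone usage: sh check.sh app.my-domain.com
if [ $# -gt 0 ]; then
  check_domain_mapping "$1"
fi
```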