How to use Terraform `google_app_engine_domain_mapping` with service account?

I'm trying to create a GCP App Engine domain mapping via Terraform with the following configuration:

```hcl
provider "google" {
  version = "3.36.0"
  region  = var.region
}

resource "google_app_engine_domain_mapping" "domain_mapping" {
  project     = local.project_id
  domain_name = var.domain_name

  ssl_settings {
    ssl_management_type = "AUTOMATIC"
  }

  depends_on = [
    google_app_engine_application.backend_app
  ]
}
```

Terraform is configured to use an organization level service account for the GCP provider with the following IAM permissions (no conditions):

  • Billing Account User
  • Project Creator
  • Service Config Editor (I've added this thinking it would resolve the issue based on this and this doc page.)

The Google account that is the owner of the organization has verified the domain in question, yet I'm getting the following error:

```
Error: Error creating DomainMapping: googleapi: Error 403: Caller is not authorized to administer the domain 'testing.redacted.com'. If you own 'testing.redacted.com', you can obtain authorization by verifying ownership of the domain, or any of its parent domains, via the Webmaster Central portal: https://www.google.com/webmasters/verification/verification?domain=testing.redacted.com. We recommend verifying ownership of the largest scope you wish to use with subdomains (eg. verify 'example.com' if you wish to map 'subdomain.example.com').
```

I've also tried adding the service account's email as a user in the Google Search Console to the domain to no avail.

asked Aug 27 '20 09:08

Agost Biro


1 Answer

The solution is rather simple but sort of hidden in the docs. You need to add your service account email as owner of the domain.

  1. Go here
  2. Select the property you want
  3. Tap the "Add an owner" button at the bottom of the page and add the email address (e.g. terraform@<PROJECT_ID>.iam.gserviceaccount.com)

answered Sep 18 '22 12:09

shemsu
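
A pre-flight check for the 403 above, as an added example that is not part of the original question or answer: given the domains verified for the account Terraform runs as, it reports whether the mapped domain or one of its parent domains is covered, which is the rule the error message describes. The function name and the sample input are constructed here, and the `gcloud` pipeline in the comment assumes the verified-domain list exposes the name in its `id` field.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Reads verified domains from stdin (one per line) and prints the entry that
# covers the domain given as $1: the domain itself or the nearest parent.
# Returns 1 when nothing covers it, i.e. when the API would answer 403.
#
# Intended use (assumption: `id` is the field holding the domain name):
#   gcloud domains list-user-verified --format='value(id)' \
#     --impersonate-service-account="$SA_EMAIL" \
#     | domain_is_covered testing.redacted.com

domain_is_covered() {
  # Normalise the requested domain: lower-case, no trailing dot.
  dic_candidate=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  dic_candidate=${dic_candidate%.}

  # Normalise the verified list the same way (also strips CRs and blanks).
  dic_verified=$(tr '[:upper:]' '[:lower:]' | tr -d '\r' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/\.$//')

  while [ -n "$dic_candidate" ]; do
    # -F: literal string, -x: whole line, so "notexample.com" never
    # matches "example.com".
    if printf '%s\n' "$dic_verified" | grep -Fxq -- "$dic_candidate"; then
      printf '%s\n' "$dic_candidate"
      return 0
    fi
    case "$dic_candidate" in
      *.*.*) dic_candidate=${dic_candidate#*.} ;;  # drop the leftmost label
      *) break ;;                                  # never test a bare TLD
    esac
  done
  return 1
}

# Constructed sample list (not real gcloud output); prints "redacted.com".
printf 'redacted.com\nexample.org\n' | domain_is_covered testing.redacted.com ||
  echo "domain is not verified for this account" >&2
```

Feed it the list as seen by the service account, not by a human user: in the question the organization owner had verified the domain and the service account's call was still rejected.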