The following resource is used to create a google group using the terraform google-beta and version 3.36:
    resource "google_cloud_identity_group" "cloud_identity_group_basic" {
      provider     = google-beta
      display_name = "aaa bbb"
      parent       = "customers/XXX"
      group_key {
        id = "[email protected]"
      }
      labels = {
        "cloudidentity.googleapis.com/groups.discussion_forum" = ""
      }
    }
terraform plan tells me that it will create the resource, but performing apply results in an error (Actor does not have permission to create group). The terraform service account already has a lot of permissions, such as Organization Administrator, Google Cloud Managed Identities Admin, Google Cloud Managed Identities Domain Admin, ...
G Suite Domain-wide Delegation has also been tried, but unsure how this might help.
    Terraform will perform the following actions:

      # google_cloud_identity_group.cloud_identity_group_basic will be created
      + resource "google_cloud_identity_group" "cloud_identity_group_basic" {
          + create_time  = (known after apply)
          + display_name = "aaa bbb"
          + id           = (known after apply)
          + labels       = {
              + "cloudidentity.googleapis.com/groups.discussion_forum" = ""
            }
          + name         = (known after apply)
          + parent       = "customers/XXX"
          + update_time  = (known after apply)

          + group_key {
              + id = "[email protected]"
            }
        }

    Plan: 1 to add, 0 to change, 0 to destroy.

    Do you want to perform these actions?
      Terraform will perform the actions described above.
      Only 'yes' will be accepted to approve.

      Enter a value: yes

    google_cloud_identity_group.cloud_identity_group_basic: Creating...

    Error: Error creating Group: googleapi: Error 403: Error(2015): Actor does not have permission to create group '[email protected]'.
    Details:
    [
      {
        "@type": "type.googleapis.com/google.rpc.ResourceInfo",
        "description": "Error(2015): Actor does not have permission to create group '[email protected]'.",
        "owner": "domain:cloudidentity.googleapis.com",
        "resourceType": "cloudidentity.googleapis.com/Group"
      }
    ]

      on groups.tf line 1, in resource "google_cloud_identity_group" "cloud_identity_group_basic":
       1: resource "google_cloud_identity_group" "cloud_identity_group_basic" {
It is possible to use service accounts with Google Groups APIs without domain-wide delegation now.
See: Setting up the Groups API / Assigning an admin role to the service account. This enabled the terraform service account to create/manage groups.
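The point of the answer above is that GCP IAM roles (Organization Administrator and the like) live in a different permission plane from Cloud Identity / Google Workspace admin roles, so the 403 from the Cloud Identity API cannot be fixed by granting more IAM roles. The following pre-flight check, an added example that is not part of the original question or answer, inspects the Admin SDK Directory API role assignments of a service account before running terraform apply; it assumes the google-api-python-client library, an authenticated caller with admin read access, and that the built-in Groups Admin and super-admin roles are named `_GROUPS_ADMIN_ROLE` and `_SEED_ADMIN_ROLE`.

```python
"""Check whether a service account holds a Cloud Identity admin role
that allows it to create groups (e.g. the built-in Groups Admin role).

Added example, not code from the original page. The decision logic is a
pure function over Admin SDK Directory API responses (roles.list and
roleAssignments.list) so it can run offline on constructed data; the
fetch_role_data() wrapper shows the assumed live API calls.
"""

# Built-in admin roles whose holders may create groups. The role names are
# an assumption based on the Admin SDK built-in role naming; custom roles
# carrying the groups privilege are not recognised by this check.
GROUP_CAPABLE_ROLES = {"_SEED_ADMIN_ROLE", "_GROUPS_ADMIN_ROLE"}


def granted_role_names(role_assignments: dict, roles: dict) -> set:
    """Resolve the roleId of each assignment to its roleName.

    role_assignments: response of roleAssignments.list(userKey=<principal>)
    roles: response of roles.list(customer="my_customer")
    Unknown roleIds are kept verbatim so nothing is silently dropped.
    """
    id_to_name = {r["roleId"]: r["roleName"] for r in roles.get("items", [])}
    return {id_to_name.get(a["roleId"], a["roleId"])
            for a in role_assignments.get("items", [])}


def can_create_groups(role_assignments: dict, roles: dict) -> bool:
    """True if the principal holds at least one group-capable admin role."""
    return bool(granted_role_names(role_assignments, roles) & GROUP_CAPABLE_ROLES)


def fetch_role_data(service, sa_email: str):
    """Assumed live calls: `service` is googleapiclient.discovery.build(
    "admin", "directory_v1", credentials=...). Not executed offline."""
    roles = service.roles().list(customer="my_customer").execute()
    assignments = service.roleAssignments().list(
        customer="my_customer", userKey=sa_email).execute()
    return assignments, roles


# Constructed sample responses (not real data).
SAMPLE_ROLES = {"items": [
    {"roleId": "100", "roleName": "_SEED_ADMIN_ROLE"},
    {"roleId": "200", "roleName": "_GROUPS_ADMIN_ROLE"},
    {"roleId": "300", "roleName": "_USER_MANAGEMENT_ADMIN_ROLE"},
]}
# A service account with only GCP IAM roles shows no Admin SDK assignments.
SAMPLE_NO_ADMIN_ROLE = {"items": []}
# The same service account after Groups Admin was assigned in the Admin console.
SAMPLE_GROUPS_ADMIN = {"items": [
    {"roleAssignmentId": "1", "roleId": "200", "scopeType": "CUSTOMER"},
]}
```

Running `can_create_groups` on the two constructed responses reproduces the situation in the question (no Admin SDK role, so the create call is denied) and the state after the fix from the answer.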