GCP Instance Groups tagging doesn't work

Hello community,

I’m trying to have my GCP Instance Group VM instances tagged with specific tags, however I get the following ERROR in the Instance Group UI:

Instance 'X' creation failed: com.google.cloud.resourcemanager.common.error.ExternalStatusException: <eye3 title='PERMISSION_DENIED'/> generic::PERMISSION_DENIED: Permission compute.instances.createTagBinding denied on resource //compute.googleapis.com/projects/XXXXXX/zones/us-east1-b/instances/XXXXXXX (or it might not exist).

Upon inspecting the REST version of the Instance Group I see the Service Account which has all 3 roles:

  • Tag Administrator
  • Tag User
  • Tag Viewer

My TF instance group resource looks like this:
resource "google_compute_instance_template" "provision" {
  name           = "X"
  machine_type   = var.machine_type
  can_ip_forward = false

  resource_manager_tags = var.common_tags
...

Any help would be appreciated. Thanks!

The Google APIs Service Agent needs to be granted the Tag User permission. This can be found in the console under IAM when you tick the "Include Google-provided role grants" box.
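The same fix expressed in Terraform, as an added example that is not part of the thread: it derives the Google APIs Service Agent's email from the project number, grants it Tag User at the project level, and makes the instance template depend on that grant so no instance is created before the binding exists. The project id, image, network and tag key/value ids are placeholders.

```hcl
# Added example, not from the original thread. Assumes the hashicorp/google
# provider; project id, image, network and tag ids are placeholders.

variable "project_id" {
  type = string
}

# The service agent's email is <project number>@cloudservices.gserviceaccount.com,
# so look up the project number rather than hard-coding it.
data "google_project" "this" {
  project_id = var.project_id
}

locals {
  google_apis_service_agent = "serviceAccount:${data.google_project.this.number}@cloudservices.gserviceaccount.com"
}

# Project-level Tag User grant for the Google-provided agent; this is the
# role the console hides unless "Include Google-provided role grants" is ticked.
resource "google_project_iam_member" "apis_agent_tag_user" {
  project = var.project_id
  role    = "roles/resourcemanager.tagUser"
  member  = local.google_apis_service_agent
}

resource "google_compute_instance_template" "provision" {
  name         = "provision-template"
  machine_type = "e2-medium"

  disk {
    source_image = "debian-cloud/debian-12" # placeholder image
    boot         = true
  }

  network_interface {
    network = "default" # placeholder network
  }

  # Map of tag key id -> tag value id; the agent binds these at instance creation.
  resource_manager_tags = {
    "tagKeys/TAG_KEY_ID" = "tagValues/TAG_VALUE_ID" # placeholders
  }

  # Ensure the grant is applied before any instance is created from this template.
  depends_on = [google_project_iam_member.apis_agent_tag_user]
}
```

If a project-wide grant is broader than you want, the same role can be bound on just the tag values the template uses with google_tags_tag_value_iam_member, which limits the agent to attaching those values only.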