GCP Instance Groups tagging doesn't work

Hello community,

I’m trying to have my GCP Instance Group VM instances tagged with specific tags; however, I get the following ERROR in the Instance Group UI:

Instance 'X' creation failed: com.google.cloud.resourcemanager.common.error.ExternalStatusException: <eye3 title='PERMISSION_DENIED'/> generic::PERMISSION_DENIED: Permission compute.instances.createTagBinding denied on resource //compute.googleapis.com/projects/XXXXXX/zones/us-east1-b/instances/XXXXXXX (or it might not exist).

Upon inspecting the REST version of the Instance Group I see the Service Account which has all 3 roles:

  • Tag Administrator
  • Tag User
  • Tag Viewer

My TF instance group resource looks like this:

resource "google_compute_instance_template" "provision" {
  name           = "X"
  machine_type   = var.machine_type
  can_ip_forward = false

  resource_manager_tags = var.common_tags
...

Any help would be appreciated. Thanks!