
Authentication fails to "iap.googleapis.com" when using service account not associated with compute instance #79

Closed
caddac opened this issue Mar 12, 2021 · 2 comments

Comments

@caddac

caddac commented Mar 12, 2021

I'm using a custom service account to apply this module from an external service (not running in GCP). When applying this module I'm seeing an authentication failed (HTTP 403) error to iap.googleapis.com/v1/projects/my_service_project/iap_tunnel/zones/us-west1-a/instances/my_bastion_instance:getIamPolicy?alt=json HTTP/1.1. From these docs my service account requires the Access Scope https://www.googleapis.com/auth/cloud-platform. However I can't figure out how to assign a scope to a custom service account. Per this SO answer, I need to associate my service account with an instance.

Can I apply this module using a service account not associated with a compute instance? Or does it have to be associated with an instance so I can assign this Access Scope?

@caddac
Author

caddac commented Mar 12, 2021

Well, looks like I was just missing the IAP Policy Admin role. Google docs aren't really clear that you need this role to manage IAP; hashicorp/terraform-provider-google#4515 (comment) finally led me to the solution. Adding the required roles to the readme for this would be really awesome.

@caddac caddac closed this as completed Mar 12, 2021
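The fix described in the comment above, written out as an added Terraform example (not part of the module or of this issue). It grants the deploying service account the predefined "IAP Policy Admin" role (`roles/iap.admin`) at project level, which carries the `iap.tunnelInstances.getIamPolicy` / `setIamPolicy` permissions the 403 in the original report was missing. The variable names, the project ID and the service-account address are placeholders for illustration.

```hcl
# Added example: give the identity that runs `terraform apply` the IAP Policy
# Admin role so it can read and set IAP tunnel IAM policies on the bastion.
# var.project_id and var.deployer_sa_email are assumed inputs, not module ones.

variable "project_id" {
  description = "Service project that hosts the bastion instance (placeholder)"
  type        = string
}

variable "deployer_sa_email" {
  description = "Email of the custom service account applying the module (placeholder)"
  type        = string
}

# Project-level binding: only the deploying identity needs this admin role.
# Users who merely connect through the tunnel need roles/iap.tunnelResourceAccessor,
# which the module itself manages; do not hand them roles/iap.admin.
resource "google_project_iam_member" "deployer_iap_policy_admin" {
  project = var.project_id
  role    = "roles/iap.admin" # predefined role displayed as "IAP Policy Admin"
  member  = "serviceAccount:${var.deployer_sa_email}"
}
```

Apply this binding with an identity that already holds project IAM admin rights, then re-run the module with the custom service account. To confirm the grant landed, `gcloud projects get-iam-policy PROJECT_ID` should list the service account under `roles/iap.admin`. On the access-scope question from the original report: scopes are only set on compute instance metadata; when the same service account authenticates with a key from outside GCP, the OAuth scope is requested by the client at token time (the Terraform Google provider requests `https://www.googleapis.com/auth/cloud-platform` by default), so the project IAM binding is the control that actually decides the outcome of the `getIamPolicy` call.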
@onetwopunch
Contributor

@caddac thanks for finding this. We are always trying to improve docs. Please feel free to update the README in a PR and I’ll happily review it.
