v6.2.0/website/docs/guides/common_issues.html.markdown - terraform-provider-google-beta - Git at Google

 ---
 page_title: "Common issues/FAQ"
 description: |-
   Common issues and frequently asked questions when using the provider.
 ---

 # Google Provider Common Issues/FAQ

 ## 403 Service API disabled

 ```
 <service> API has not been used in project <project> before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/<service>.googleapis.com/overview?project=<project> then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
 ```

 Services must be [enabled in a project](https://cloud.google.com/service-usage/docs/enable-disable) before their service API can be used by the provider. The [`google_project_service` resource](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_service) enables GCP service APIs with Terraform.

 For `google_project_service` guidance and troubleshooting, see the [advanced user guide](/docs/providers/google/guides/google_project_service.html).

 ## API not enabled in a different project than the resource

 Quota projects refer to the project used in requests to GCP APIs for the purpose of preconditions, quota, and billing. By default, a resource’s quota project is determined by the API and may be the project associated with your credentials, or the resource project depending on the API. For most resources, `user_project_override` (and optionally `billing_project`) can control the quota project used in API requests. See the [provider_reference documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override) for more information.

 ## Handling default service accounts (user-managed)

 Certain GCP services automatically create user-managed service accounts called default service accounts. These are granted a large set of permissions on project creation and are the responsibility of the user once they are created. See [Google’s guide on default service accounts](https://cloud.google.com/iam/docs/service-account-types#default).

 Constraining the permissions or [replacing](https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/docs/FAQ.md#why-do-you-delete-the-default-service-account) the default service accounts entirely may be a suitable form of management. The Google provider offers the [google_project_default_service_accounts resource](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_default_service_accounts) as a way to manage default service accounts within Terraform.

 ## Handling Google-managed service accounts

 Some services create service accounts that are fully managed by Google. These exist outside of user projects, so they do not appear when viewing a project’s service accounts. See Google’s information on [Google-managed service accounts](https://cloud.google.com/iam/docs/service-account-types#default).

 The Google provider offers the [google_project_service_identity resource](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity), enabling access to the email address of Google-managed service accounts per service.
	---
	page_title: "Common issues/FAQ"
	description: \|-
	Common issues and frequently asked questions when using the provider.
	---

	# Google Provider Common Issues/FAQ

	## 403 Service API disabled

	```
	<service> API has not been used in project <project> before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/<service>.googleapis.com/overview?project=<project> then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
	```

	Services must be [enabled in a project](https://cloud.google.com/service-usage/docs/enable-disable) before their service API can be used by the provider. The [`google_project_service` resource](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_service) enables GCP service APIs with Terraform.

	For `google_project_service` guidance and troubleshooting, see the [advanced user guide](/docs/providers/google/guides/google_project_service.html).

	## API not enabled in a different project than the resource

	Quota projects refer to the project used in requests to GCP APIs for the purpose of preconditions, quota, and billing. By default, a resource’s quota project is determined by the API and may be the project associated with your credentials, or the resource project depending on the API. For most resources, `user_project_override` (and optionally `billing_project`) can control the quota project used in API requests. See the [provider_reference documentation](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#user_project_override) for more information.

	## Handling default service accounts (user-managed)

	Certain GCP services automatically create user-managed service accounts called default service accounts. These are granted a large set of permissions on project creation and are the responsibility of the user once they are created. See [Google’s guide on default service accounts](https://cloud.google.com/iam/docs/service-account-types#default).

	Constraining the permissions or [replacing](https://github.com/terraform-google-modules/terraform-google-project-factory/blob/master/docs/FAQ.md#why-do-you-delete-the-default-service-account) the default service accounts entirely may be a suitable form of management. The Google provider offers the [google_project_default_service_accounts resource](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_default_service_accounts) as a way to manage default service accounts within Terraform.

	## Handling Google-managed service accounts

	Some services create service accounts that are fully managed by Google. These exist outside of user projects, so they do not appear when viewing a project’s service accounts. See Google’s information on [Google-managed service accounts](https://cloud.google.com/iam/docs/service-account-types#default).

	The Google provider offers the [google_project_service_identity resource](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service_identity), enabling access to the email address of Google-managed service accounts per service.