Terraform: googleapi: Error 403: Permission denied on resource project
E

7

12

googleapi: Error 403: Permission denied on resource project shared_vpc_host_name., forbidden

I am trying to create a shared VPC and service project using the Terraform project factory module, and I am running into errors and am not sure if they are really related to permissions. Here are the errors that I am receiving:

Error: googleapi: Error 403: Permission denied on resource project shared_vpc_host_name., forbidden

on .terraform/modules/project_factory/terraform-google-project-factory-8.1.0/modules/core_project_factory/main.tf line 136, in resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment":
136: resource "google_compute_shared_vpc_service_project" "shared_vpc_attachment" {

Error: Error retrieving IAM policy for compute subnetwork "projects/shared_vpc_host_name/regions/us-central1/subnetworks/10.128.0.0": googleapi: Error 403: Permission denied on resource project shared_vpc_host_name., forbidden
Enactment answered 2/8, 2020 at 22:5 Comment(1)
Make sure you have the right permissions on your service account which you are using. - Lorraine
M
7

For someone like me: my problem was that I was using an invalid key in the provider block.

provider "google" {
  credentials = "this_was_wrong.json"
  project = "project-id"
}

As Eddie Knight said in his answer:

It's very possible that you are experiencing permission issues. At one point today I found myself attempting to target a project that existed... but the account I was authenticated to via gcloud was not the account I thought it was.

Martyry answered 22/12, 2020 at 15:46 Comment(0)
P
5

I got the same error when I mistakenly set "project" to the project name "myProject", as shown below:

provider "google" {
  credentials = file("myCredentials.json")
  project     = "myProject" // Mistakenly put the project name "myProject"
  region      = "asia-northeast1"
}

This is my project name, number and ID:

[image]

Then I set "project" to the project ID "myproject-338117":

provider "google" {
  credentials = file("myCredentials.json")
  project     = "myproject-338117" // Put the project id "myproject-338117"
  region      = "asia-northeast1"
}

Finally, I could solve the error.

Pinard answered 20/1, 2022 at 11:0 Comment(0)
K
2

I stumbled across your unanswered question just now while I was experiencing a similar error message, so I'll put my experience here in case someone else comes across it.

I am running into errors and not sure if it is really related to permissions

It's very possible that you are experiencing permission issues. At one point today I found myself attempting to target a project that existed... but the account I was authenticated to via gcloud was not the account I thought it was. In that case you'll need to either change the project id or change your authentication for gcloud.

It is also possible that your issue is related to the subnet. Check your IAM roles to ensure that you have given yourself permission to work on that subnet.

Side note... I also got a permissions error at one point due to targeting a non-existent zone.

In sum:

  1. Check that you're using the correct account
  2. Check that you're using the right project
  3. Check that you've assigned IAM roles properly
Kinsley answered 12/9, 2020 at 14:0 Comment(0)
L
2

I have seen this problem and, in my case, it was because the project_id was not correct in the .tfvars file:

[image]

Litho answered 17/5, 2021 at 13:14 Comment(2)
While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review - Ogive
@YunusTemurlenk Please note that the so-called "link" was actually an image. New users can't immediately embed linked images in their posts. - Promising
J
2

If you are using multiple Google accounts, you may also want to check the credentials specified at $HOME/.config/gcloud/application_default_credentials.json.

You can set these credentials via the command gcloud auth application-default login.

Reference: https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication

Julejulee answered 15/7, 2023 at 6:57 Comment(0)
K
0

You need to make sure the account linked to your environment variable GOOGLE_APPLICATION_CREDENTIALS has the correct IAM permission set.

Kiethkiev answered 9/2, 2023 at 14:31 Comment(0)
U
0

In my case the reason was unfathomable stupidity. The provider declaration had variables in quotes:

provider "google" {
  project = "var.project_id"
  region  = "var.region"
}

Corrected it to

provider "google" {
  project = var.project_id
  region  = var.region
}
Unfix answered 2/6, 2024 at 11:0 Comment(0)
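
Two of the causes reported in the answers above, a project name where the project ID belongs and a variable reference left inside quotes, can be caught before Terraform ever calls the API. The following Python check is an added example, not code from any of the answers; the `lint` function, its regexes and the sample input are constructed for illustration, and the pattern assumes the standard project ID format (6 to 30 lowercase letters, digits and hyphens).

```python
import re

# GCP project IDs: 6-30 chars, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")
# key = "string literal" assignments, as found in provider blocks and .tfvars.
ASSIGN_RE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"([^"\n]*)"', re.MULTILINE)
# A quoted value that is really an unexpanded Terraform reference.
QUOTED_REF_RE = re.compile(r"^(var|local|data|module)\.\w+")

# Constructed sample, modelled on the provider blocks quoted in the answers.
SAMPLE_TF = '''
provider "google" {
  credentials = file("myCredentials.json")
  project     = "myProject"
  region      = "asia-northeast1"
}
provider "google" {
  alias   = "quoted"
  project = "var.project_id"
  region  = "var.region"
}
provider "google" {
  alias   = "ok"
  project = "myproject-338117"
  region  = var.region
}
'''


def lint(text, source="<input>"):
    """Return (source, line, key, message) for each suspicious assignment."""
    findings = []
    for m in ASSIGN_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        line = text.count("\n", 0, m.start(1)) + 1
        if QUOTED_REF_RE.match(value):
            msg = f'"{value}" is a literal string, not a reference: drop the quotes'
        elif key in ("project", "project_id") and not PROJECT_ID_RE.match(value):
            msg = f'"{value}" is not a valid project ID (project name used?)'
        else:
            continue
        findings.append((source, line, key, msg))
    return findings


if __name__ == "__main__":
    for source, line, key, msg in lint(SAMPLE_TF):
        print(f"{source}:{line}: {key}: {msg}")
```

The check only reads text, so it says nothing about which account is authenticated or which IAM roles it holds; those still need to be confirmed separately.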
