In my case Terraform output clearly stated the permissions it was missing:
"permission": "serviceusage.services.enable,servicemanagement.services.bind"
Using IAM permissions reference, I've narrowed them down to these 2 roles: