GCP KMS service account grant issue

[EchoL0t]

Hello! Trying to follow this guide faced with the following issue

Terraform will perform the following actions:

  # google_kms_key_ring_iam_binding.vault_iam_kms_binding will be created
  + resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {
      + etag        = (known after apply)
      + id          = (known after apply)
      + key_ring_id = "idyllic-mantis-299418/global/test1"
      + members     = [
          + "serviceAccount:vault-gcpkms@idyllic-mantis-299418.iam.gserviceaccount.com",
        ]
      + role        = "roles/owner"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes 

google_kms_key_ring_iam_binding.vault_iam_kms_binding: Creating...

Error: Error applying IAM policy for KMS KeyRing "projects/idyllic-mantis-299418/locations/global/keyRings/test1": Error setting IAM policy for KMS KeyRing "projects/idyllic-mantis-299418/locations/global/keyRings/test1": googleapi: Error 403: Permission 'cloudkms.keyRings.setIamPolicy' denied on resource 'projects/idyllic-mantis-299418/locations/global/keyRings/test1' (or it may not exist)., forbidden

  on main.tf line 93, in resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding":
  93: resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {

Keyring and key are exist, so granted owner role to service account manually. But I can't figure out why terraform can't deal with it, do you have any ideas?