
brash-lamp-90149

04/17/2023, 11:15 PM
Hello 👋 I'm new to Pulumi and trying to integrate it into my devops. I want to create a service account that can be used by GitHub Actions to push/pull GCR images. I'm trying to grant the SA the correct permissions, but when I deploy this stack I don't see the Storage Admin role associated with the SA in the IAM tab of the cloud console.
pulumi up -s staging
runs successfully, so I don't think I have any errors. Can someone help me understand how to accomplish this?
import * as gcp from '@pulumi/gcp'

// GCR stores images in a Cloud Storage bucket; this resource makes sure that
// bucket exists and exposes its name / self link as outputs.
const registry = new gcp.container.Registry('gcr', {
  project: gcp.config.project,
  location: 'US',
})

// Service account that GitHub Actions will authenticate as.
const gcrServiceAccount = new gcp.serviceaccount.Account(
  'gcr-service-account',
  {
    accountId: 'gcr-service-account',
    displayName: 'GCR Service Account',
    description:
      'Service account for CI services that interact with GCR',
  }
)

// Binds the role on the registry's bucket only (bucket-level IAM policy).
export const storageIAM = new gcp.storage.BucketIAMMember(
  'gcr-storage-bucket-iam',
  {
    bucket: registry.bucketSelfLink,
    role: 'roles/storage.admin',
    // The email is an Output; apply() builds the member string once it resolves.
    member: gcrServiceAccount.email.apply(
      (email) => `serviceAccount:${email}`
    ),
  }
)

rhythmic-secretary-1287

04/19/2023, 7:52 AM
new gcp.storage.BucketIAMMember
This changes the IAM policy on the bucket. If you want to see it in the project IAM tab you have to do
new gcp.project.IAMMember
(or similar). This is a GCP concept: a member is bound per bucket or per project. It bit me in the past.
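To make the reply's point concrete, here is a small model of how GCP IAM bindings attach to one resource in the hierarchy and are inherited downward. It is an added example, not code from this thread, from Pulumi, or from Google: the project name, bucket names and service-account email are constructed, and the functions mimic what `gcp.storage.BucketIAMMember` (bucket-level) and `gcp.projects.IAMMember` (project-level; that is the resource's actual name in the Pulumi GCP provider) do to the respective policies. It shows why a bucket-level grant is absent from the project's IAM page yet still enforced on the bucket, and what moving the grant to the project costs in scope.

```typescript
// Added example: a model of GCP IAM policy placement and inheritance.
// All resource names and the member string below are constructed.

type Binding = { role: string; member: string };

// Every resource carries its own IAM policy; a bucket's parent is its project.
interface Resource {
  name: string;
  parent?: Resource;
  bindings: Binding[];
}

function makeProject(name: string): Resource {
  return { name, bindings: [] };
}

function makeBucket(name: string, project: Resource): Resource {
  return { name, parent: project, bindings: [] };
}

// Equivalent of BucketIAMMember / projects.IAMMember: the binding is stored
// only on the resource it was created against, never copied to ancestors.
function addMember(resource: Resource, role: string, member: string): void {
  if (!resource.bindings.some((b) => b.role === role && b.member === member)) {
    resource.bindings.push({ role, member });
  }
}

// What the console shows on a resource's own IAM/Permissions page:
// just the bindings attached to that resource.
function policyOf(resource: Resource): Binding[] {
  return [...resource.bindings];
}

// What GCP enforces on a resource: its own bindings plus those of every
// ancestor (project-level roles flow down to every bucket in the project).
function effectiveBindings(resource: Resource): Binding[] {
  const out: Binding[] = [];
  for (let r: Resource | undefined = resource; r; r = r.parent) {
    out.push(...r.bindings);
  }
  return out;
}

function hasRole(resource: Resource, member: string, role: string): boolean {
  return effectiveBindings(resource).some((b) => b.role === role && b.member === member);
}

// Name of the resource whose policy actually holds the binding, i.e. the page
// in the console where the grant is visible (undefined if not granted at all).
function grantedAt(resource: Resource, member: string, role: string): string | undefined {
  for (let r: Resource | undefined = resource; r; r = r.parent) {
    if (r.bindings.some((b) => b.role === role && b.member === member)) return r.name;
  }
  return undefined;
}

const SA = "serviceAccount:gcr-service-account@my-project.iam.gserviceaccount.com"; // constructed
const ROLE = "roles/storage.admin";

function buildProject() {
  const project = makeProject("my-project"); // constructed
  const gcrBucket = makeBucket("us.artifacts.my-project.appspot.com", project); // constructed GCR backing bucket
  const otherBucket = makeBucket("customer-backups", project); // unrelated bucket in the same project
  return { project, gcrBucket, otherBucket };
}

function summarize(project: Resource, gcrBucket: Resource, otherBucket: Resource) {
  return {
    onProjectPolicy: policyOf(project).length,
    onBucketPolicy: policyOf(gcrBucket).length,
    grantedAt: grantedAt(gcrBucket, SA, ROLE),
    canAdminGcrBucket: hasRole(gcrBucket, SA, ROLE),
    canAdminOtherBucket: hasRole(otherBucket, SA, ROLE),
  };
}

// The original post: roles/storage.admin bound on the GCR bucket only.
// Invisible on the project IAM tab, enforced on that one bucket, nowhere else.
function bucketLevelScenario() {
  const { project, gcrBucket, otherBucket } = buildProject();
  addMember(gcrBucket, ROLE, SA); // what gcp.storage.BucketIAMMember does
  return summarize(project, gcrBucket, otherBucket);
}

// The reply's alternative: bind on the project. Now it shows on the IAM tab,
// but the service account can administer every bucket in the project.
function projectLevelScenario() {
  const { project, gcrBucket, otherBucket } = buildProject();
  addMember(project, ROLE, SA); // what gcp.projects.IAMMember does
  return summarize(project, gcrBucket, otherBucket);
}
```

In the bucket-level case `grantedAt` returns the bucket name, so the place to verify the grant is the bucket's own policy (for example `gcloud storage buckets get-iam-policy gs://BUCKET`, with BUCKET taken from the registry's `bucketSelfLink` output), not the project IAM page. The project-level case makes the grant visible there but widens it to every bucket in the project, so for a CI service account that only pushes and pulls images the bucket-level binding is the tighter choice.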