Hello 👋 I'm new to Pulumi and trying to integrate it into my devops. I want to a service account that can be used by github actions to push/pull gcr images. I'm trying to grant the SA the correct permissions, but when I deploy this stack I dont see the storage admin role associated in with the SA in the IAM tab of the cloud console.

pulumi up -s staging

runs successfully so I dont think I have any errors. Can someone help me understand how to accomplish this?

const registry = new gcp.container.Registry('gcr', {
  project: gcp.config.project,
  location: 'US',
})

const gcrServiceAccount = new gcp.serviceaccount.Account(
  'gcr-service-account',
  {
    accountId: 'gcr-service-account',
    displayName: 'GCR Service Account',
    description:
      'Service account for CI services that interact with GCR',
  }
)

export const storageIAM = new gcp.storage.BucketIAMMember(
  'gcr-storage-bucket-iam',
  {
    bucket: registry.bucketSelfLink,
    role: 'roles/storage.admin',
    member: gcrServiceAccount.email.apply(
      (email) => `serviceAccount:${email}`
    ),
  }
)

new gcp.storage.BucketIAMMember

this is changing the IAM in the Bucket, if you want to see it in the IAM you have to do

new gcp.project.IAMMember

(or similar). This is a GCP concept on member per bucket or per project. It did bite me in the past