Hi Team, I am trying to create a GKE private Autop...
# google-cloud
Hi Team, I am trying to create a GKE private Autopilot cluster via Pulumi TypeScript. I am creating a custom service account with limited IAM permissions and want to attach it to the Autopilot cluster instead of using the default service account. I tried multiple code changes, but my Autopilot cluster is getting created with the default service account only. Pulumi plan shows it will apply the custom service account mentioned under , but it applies the default; on the next run it tries to replace the cluster with the custom service account but applies the default again, and the loop continues. I am using this Pulumi package for Autopilot cluster creation. I came across a Terraform issue discussion where many users are facing a similar default account issue: hashicorp/terraform-provider-google#9505. I tried the listed solution to use , but Pulumi says it conflicts with the ; same behavior with . You can't change much in an Autopilot cluster. Why is Pulumi or Terraform failing to attach the custom service account to the Autopilot cluster? Am I missing something? Any suggestions I can try? My TypeScript k8_autopilot code:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Custom service account the cluster nodes should run as instead of the
// Compute Engine default service account.
const sa = new gcp.serviceaccount.Account("sa", {
    createIgnoreAlreadyExists: true,
    accountId: "test",
});

// Project-level IAM binding granting the custom account its role.
const cloudsql_admin = new gcp.projects.IAMBinding("cloudsql_admin", {
    project: "<Project_ID>",
    role: "roles/cloudsql.admin",
    members: [sa.email.apply(email => `serviceAccount:${email}`)],
});

// Private Autopilot cluster; nodeConfig.serviceAccount is where the custom
// account is meant to be attached.
const primary = new gcp.container.Cluster("primary", {
    name: "cluster-test",
    network: "<VPC_ID>",
    subnetwork: "<Private_Subnet_ID>",
    location: "us-east4",
    enableAutopilot: true,
    deletionProtection: false,
    masterAuthorizedNetworksConfig: {
        cidrBlocks: [{
            cidrBlock: "<IP>",
        }],
    },
    privateClusterConfig: {
        enablePrivateEndpoint: false,
        enablePrivateNodes: true,
    },
    nodeConfig: {
        serviceAccount: sa.email,
    },
});
```
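Pulumi and Terraform plan against the state they read back from the GKE API, so a useful first step when the plan/apply loop above appears is to check which account the cluster itself reports in each field where a node service account can live, and separately whether the roles bound to that account are appropriate for a node identity. The following is an added example, not code from the original post or from Pulumi: it works on the JSON printed by `gcloud container clusters describe <name> --region <region> --format=json` (only the fields used here are modelled), and the cluster samples, the project number `123456789012`, the project `my-project`, and the role list in `NODE_SA_ROLES` are constructed assumptions.

```typescript
// Subset of the `gcloud container clusters describe --format=json` output.
// Only the fields relevant to the node service account are modelled.
export interface ClusterDescribe {
  name: string;
  autopilot?: { enabled?: boolean };
  // Account reported by the cluster-level node config.
  nodeConfig?: { serviceAccount?: string };
  // Account used for node pools GKE provisions itself (Autopilot / NAP).
  autoscaling?: { autoprovisioningNodePoolDefaults?: { serviceAccount?: string } };
  nodePools?: Array<{ name: string; config?: { serviceAccount?: string } }>;
}

export interface SaReport {
  expected: string;
  fields: Record<string, string | undefined>; // field path -> reported value
  defaultFields: string[];    // fields that resolve to the Compute Engine default
  mismatchedFields: string[]; // fields set to some other custom account
  ok: boolean;                // every field names the expected account
}

// GKE reports the literal "default" or the project's Compute Engine default
// account (<project-number>-compute@developer.gserviceaccount.com) when no
// custom account is configured; an absent field means the same fallback.
const COMPUTE_DEFAULT_SA = /^\d+-compute@developer\.gserviceaccount\.com$/;

export function isDefaultServiceAccount(sa: string | undefined): boolean {
  return sa === undefined || sa === "" || sa === "default" || COMPUTE_DEFAULT_SA.test(sa);
}

// Compare every service-account field the API exposes against the account
// the IaC code intended to attach.
export function checkServiceAccount(cluster: ClusterDescribe, expected: string): SaReport {
  const fields: Record<string, string | undefined> = {
    "nodeConfig.serviceAccount": cluster.nodeConfig?.serviceAccount,
    "autoscaling.autoprovisioningNodePoolDefaults.serviceAccount":
      cluster.autoscaling?.autoprovisioningNodePoolDefaults?.serviceAccount,
  };
  (cluster.nodePools || []).forEach(pool => {
    fields[`nodePools[${pool.name}].config.serviceAccount`] = pool.config?.serviceAccount;
  });
  const defaultFields: string[] = [];
  const mismatchedFields: string[] = [];
  Object.keys(fields).forEach(path => {
    const value = fields[path];
    if (isDefaultServiceAccount(value)) defaultFields.push(path);
    else if (value !== expected) mismatchedFields.push(path);
  });
  return {
    expected, fields, defaultFields, mismatchedFields,
    ok: defaultFields.length === 0 && mismatchedFields.length === 0,
  };
}

// Roles a node account needs for logs, metrics and pulling private images.
// Assumed here from GKE's least-privilege node guidance; verify against the
// current GKE hardening documentation before relying on it.
export const NODE_SA_ROLES = [
  "roles/logging.logWriter",
  "roles/monitoring.metricWriter",
  "roles/monitoring.viewer",
  "roles/stackdriver.resourceMetadata.writer",
  "roles/artifactregistry.reader",
];

// The node identity is reachable by every pod that can talk to the metadata
// server, so application roles (such as Cloud SQL) belong on a separate
// Workload Identity account, not on the node account.
export function auditNodeRoles(roles: string[]): { extra: string[]; broad: string[] } {
  const extra = roles.filter(r => NODE_SA_ROLES.indexOf(r) === -1);
  const broad = roles.filter(r => r === "roles/owner" || r === "roles/editor" || /\.admin$/.test(r));
  return { extra, broad };
}

// Constructed sample: the symptom in the post, a cluster that came up on the
// Compute Engine default account in every field.
export const SAMPLE_DEFAULT: ClusterDescribe = {
  name: "cluster-test",
  autopilot: { enabled: true },
  nodeConfig: { serviceAccount: "123456789012-compute@developer.gserviceaccount.com" },
  autoscaling: { autoprovisioningNodePoolDefaults: { serviceAccount: "default" } },
};

// Constructed sample: a cluster that reports the custom account everywhere.
export const EXPECTED_SA = "test@my-project.iam.gserviceaccount.com";
export const SAMPLE_CUSTOM: ClusterDescribe = {
  name: "cluster-test",
  autopilot: { enabled: true },
  nodeConfig: { serviceAccount: EXPECTED_SA },
  autoscaling: { autoprovisioningNodePoolDefaults: { serviceAccount: EXPECTED_SA } },
  nodePools: [{ name: "default-pool", config: { serviceAccount: EXPECTED_SA } }],
};

console.log(checkServiceAccount(SAMPLE_DEFAULT, EXPECTED_SA));
console.log(checkServiceAccount(SAMPLE_CUSTOM, EXPECTED_SA));
console.log(auditNodeRoles(["roles/cloudsql.admin", "roles/logging.logWriter"]));
```

Against a real cluster, feed `JSON.parse` of the `gcloud ... --format=json` output to `checkServiceAccount` after each `pulumi up`; if `defaultFields` is non-empty while the program sets the custom account, the provider is reading back a value it did not write, which is exactly the situation that produces a perpetual diff. `auditNodeRoles` flags the `roles/cloudsql.admin` binding from the post as both outside the node-role set and an admin-level role.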