No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi Team,
I am trying to create a GKE private *Autopilot* cluster via Pulumi typescript. I am creating a custom service account with limited IAM permission and want to attach the same to Autopilot cluster instead of using default service account.

I tried multiple code changes but my Autopilot cluster is getting created with `default` service account only. Pulumi plan shows it will apply custom service account mentioned under `nodeConfig` but is applies `default` ,on next run it tries to replace cluster with custom service account but applies `default` again, loop continues.
I am using <https://www.pulumi.com/registry/packages/gcp/api-docs/container/cluster/#gcp-container-cluster|this >Pulumi package for autopilot cluster creation.

I came across terraform issue discussion where many users are facing similar default account issue.
<https://github.com/hashicorp/terraform-provider-google/issues/9505|hashicorp/terraform-provider-google#9505>

I tried the listed solution to use `clusterAutoscaling` but Pulumi says it conflicts with the `enable_autopilot`, same behavior with `node.pool`, you can't change much in Autopilot cluster.

Why Pulumi or terraform is failing to attach custom service account to Autopilot cluster?
Am I missing something? Any suggestions I can try?

My typescript k8_autopilot code
```import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceaccount.Account("sa", {
    createIgnoreAlreadyExists: true,
    accountId: "test",
});
const cloudsql_admin = new gcp.projects.IAMBinding("cloudsql_admin", {
    project: "&lt;Project_ID&gt;",
    role: "roles/cloudsql.admin",
    members: [sa.email.apply(email =&gt; `serviceAccount:${email}`)],
});

const primary = new gcp.container.Cluster("primary", {
    name: "cluster-test",
    network: "&lt;VPC_ID&gt;",
    subnetwork: "&lt;Private_Subnet_ID&gt;",
    location: "us-east4",
    enableAutopilot: true,
    deletionProtection: false,
    masterAuthorizedNetworksConfig: {
        cidrBlocks: [{
            cidrBlock: "&lt;IP&gt;",
        }],
    },
    privateClusterConfig: {
        enablePrivateEndpoint: false,
        enablePrivateNodes: true,
    },
    nodeConfig: {
        serviceAccount: sa.email
    }
});```


Sorry for the delay, this sounds like a bug with the Pulumi GCP provider, if one cannot use the approach described <https://github.com/hashicorp/terraform-provider-google/issues/9505#issuecomment-1419622521|here>.  Would you mind filing an issue into <https://github.com/pulumi/pulumi-gcp/issues|pulumi/pulumi-gcp>  and show the behavior when `clusterAutoscaling` is used?

<@U05QU9RNUN9>
Thanks a lot for response.
Adding following block solved my issue.
If you have a cluster that already exists, you need to delete it first then try to run this code or Pulumi will show Google API 500 error.
```clusterAutoscaling: {
        autoProvisioningDefaults: {
        serviceAccount: sa.email
    },
    },```