Hi Team, I am trying to create a GKE private Autopilot cluster via Pulumi typescript. I am creating a custom service account with limited IAM permission and want to attach the same to Autopilot cluster instead of using default service account. I tried multiple code changes but my Autopilot cluster is getting created with

default

service account only. Pulumi plan shows it will apply custom service account mentioned under

nodeConfig

but is applies

default

,on next run it tries to replace cluster with custom service account but applies

default

again, loop continues. I am using this Pulumi package for autopilot cluster creation. I came across terraform issue discussion where many users are facing similar default account issue. hashicorp/terraform-provider-google#9505 I tried the listed solution to use

clusterAutoscaling

but Pulumi says it conflicts with the

enable_autopilot

, same behavior with

node.pool

, you can't change much in Autopilot cluster. Why Pulumi or terraform is failing to attach custom service account to Autopilot cluster? Am I missing something? Any suggestions I can try? My typescript k8_autopilot code

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceaccount.Account("sa", {
    createIgnoreAlreadyExists: true,
    accountId: "test",
});
const cloudsql_admin = new gcp.projects.IAMBinding("cloudsql_admin", {
    project: "<Project_ID>",
    role: "roles/cloudsql.admin",
    members: [sa.email.apply(email => `serviceAccount:${email}`)],
});

const primary = new gcp.container.Cluster("primary", {
    name: "cluster-test",
    network: "<VPC_ID>",
    subnetwork: "<Private_Subnet_ID>",
    location: "us-east4",
    enableAutopilot: true,
    deletionProtection: false,
    masterAuthorizedNetworksConfig: {
        cidrBlocks: [{
            cidrBlock: "<IP>",
        }],
    },
    privateClusterConfig: {
        enablePrivateEndpoint: false,
        enablePrivateNodes: true,
    },
    nodeConfig: {
        serviceAccount: sa.email
    }
});

Sorry for the delay, this sounds like a bug with the Pulumi GCP provider, if one cannot use the approach described here. Would you mind filing an issue into pulumi/pulumi-gcp and show the behavior when

clusterAutoscaling

is used?

@damp-airline-38442 Thanks a lot for response. Adding following block solved my issue. If you have a cluster that already exists, you need to delete it first then try to run this code or Pulumi will show Google API 500 error.

clusterAutoscaling: {
        autoProvisioningDefaults: {
        serviceAccount: sa.email
    },
    },