# google-cloud
Hi, all. I tried to set up OpenID Connect from Pulumi Cloud deployments to GCP, following https://www.pulumi.com/docs/pulumi-cloud/oidc/provider/gcp/#grant-access-to-the-service-account. I think I have done all the instructions in the document. However, I got an error message like the following:
error: Running program '/deployment/index.ts' failed with an unhandled exception:
    * Error: invocation of gcp:secretmanager/getSecretVersionAccess:getSecretVersionAccess returned an error: invoking gcp:secretmanager/getSecretVersionAccess:getSecretVersionAccess: 1 error occurred:
    * Error retrieving available secret manager secret version access: Get "https://secretmanager.googleapis.com/v1/projects/MYPROJECT/secrets/KEY/versions/latest:access?alt=json": oauth2/google: status code 403: {
        "error": {
          "code": 403,
          "message": "Permission 'iam.serviceAccounts.getAccessToken' denied on resource (or it may not exist).",
          "status": "PERMISSION_DENIED",
          "details": [
            {
              "@type": "type.googleapis.com/google.rpc.ErrorInfo",
              "reason": "IAM_PERMISSION_DENIED",
              "domain": "iam.googleapis.com",
              "metadata": {
                "permission": "iam.serviceAccounts.getAccessToken"
              }
            }
          ]
        }
      }
Hi Kenji, can you confirm you've granted the required IAM permissions? From the error, it appears iam.serviceAccounts.getAccessToken is missing.