# google-cloud
f
Hi! I am trying to follow the instructions here: https://cloud.google.com/bigquery/docs/customer-managed-encryption#console_1 for KMS with BigQuery. It says to get the default SA and give it the Cloud KMS CryptoKey Encrypter/Decrypter role. I try to do that like this:
```typescript
const bqSa = gcp.bigquery.getDefaultServiceAccount({});

const keySaUser = new gcp.serviceaccount.IAMMember("key_sa_user", {
    serviceAccountId: bqSa.then(bqSa => `projects/${bqSa.project}/serviceAccounts/${bqSa.id}`),
    role: "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    member: bqSa.then(bqSa => `serviceAccount:${bqSa.email}`),
});
```
but I get this error:
```
error:   sdk-v2/provider2.go:385: sdk.helper_schema: Error retrieving IAM policy for service account 'projects/client/serviceAccounts/bq-XXXX@bigquery-encryption.iam.gserviceaccount.com': googleapi: Error 404: Service account projects/client/serviceAccounts/bq-XXXX@bigquery-encryption.iam.gserviceaccount.com does not exist., notFound: provider=google-beta@7.37.0
```
When I do that same action in the console, it succeeds. Any idea what I am doing wrong?
g
If you have just enabled the API, it is entirely possible that the Service Agent account has not been created yet. https://cloud.google.com/iam/docs/service-agents see: gcp.projects.ServiceIdentity
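
An added example, not part of the thread and not Pulumi's own code: `gcp.serviceaccount.IAMMember` edits the IAM policy of a service account resource (the lookup the 404 reports), whereas `gcp.kms.CryptoKeyIAMMember` attaches the Encrypter/Decrypter role to the Cloud KMS key itself, scoped to that one key. The function name, the `GcpModule` shape and the `cmekKeyId` parameter are assumptions; the `@pulumi/gcp` module is passed in as an argument so the wiring can be checked against a stub without a cloud project.

```typescript
// Minimal shape of the parts of @pulumi/gcp used below (assumption: the caller
// passes the real module, e.g. `import * as gcp from "@pulumi/gcp"`).
interface GcpModule {
  bigquery: { getDefaultServiceAccount(args?: object): Promise<{ email: string }> };
  kms: { CryptoKeyIAMMember: new (name: string, args: any) => unknown };
}

const CMEK_ROLE = "roles/cloudkms.cryptoKeyEncrypterDecrypter";

// cmekKeyId: id of an existing Cloud KMS key (hypothetical here; a string or a
// Pulumi Output such as `key.id`).
function grantBigQueryCmek(gcp: GcpModule, cmekKeyId: unknown): unknown {
  // Same lookup as in the question: the project's BigQuery encryption
  // service account.
  const bqSa = gcp.bigquery.getDefaultServiceAccount({});

  // Bind the role on the key, not on the service account resource and not
  // project-wide, so the account can use this key and nothing else.
  return new gcp.kms.CryptoKeyIAMMember("key_sa_user", {
    cryptoKeyId: cmekKeyId,
    role: CMEK_ROLE,
    member: bqSa.then(sa => `serviceAccount:${sa.email}`),
  });
}
```

In a Pulumi program this would be called as `grantBigQueryCmek(gcp, key.id)`, where `key` is the program's own `gcp.kms.CryptoKey`.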