echoing-park-18112
01/22/2025, 8:14 AM
// Create a Workload Identity Pool
const workloadIdentityPool = new gcp.iam.WorkloadIdentityPool('github-actions-pool', {
  workloadIdentityPoolId: 'github-actions-pool',
  displayName: 'GitHub Workload Identity Pool',
  description: 'GitHub Workload Identity Pool',
})
// Create a Workload Identity Provider
const workloadIdentityProvider = new gcp.iam.WorkloadIdentityPoolProvider('github-actions-provider', {
  workloadIdentityPoolId: workloadIdentityPool.workloadIdentityPoolId,
  workloadIdentityPoolProviderId: 'github-actions-provider',
  displayName: 'GitHub Identity Pool Provider',
  description: 'GitHub Identity Pool Provider',
  oidc: {
    // Issuer must be the bare URL; the OIDC discovery lookup fails otherwise
    issuerUri: 'https://token.actions.githubusercontent.com',
  },
  attributeMapping: {
    'google.subject': 'assertion.sub',
    'attribute.actor': 'assertion.actor',
    'attribute.repository': 'assertion.repository',
    'attribute.repository_owner': 'assertion.repository_owner',
  },
  // Only tokens minted for repositories owned by this org may federate at all
  attributeCondition: `assertion.repository_owner == 'my-gh-org'`,
})
so far so good, this is the one that is giving me a headache
// Grant the Workload Identity Pool access to impersonate the Service Account
// `projectId` is assumed to be a string variable holding the GCP project ID;
// `${project-id}` in a template literal is parsed as the expression `project - id`.
new gcp.serviceaccount.IAMMember('github-actions-sa-iam', {
  serviceAccountId: pulumi.interpolate`projects/${projectId}/serviceAccounts/${serviceAccount.email}`,
  role: 'roles/iam.workloadIdentityUser',
  member: pulumi.interpolate`principalSet://iam.googleapis.com/projects/${projectId}/locations/global/workloadIdentityPools/${workloadIdentityPool.workloadIdentityPoolId}/attribute.repository_owner/my-gh-org`,
})
Has anyone done this before?
Among the errors I had, these are two of them:
sdk-v2/provider2.go:515: sdk.helper_schema: Error applying IAM policy for service account 'projects/my-project/serviceAccounts/github-actions-sa@my-project.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/my-project/serviceAccounts/github-actions-sa@replay-gaming.iam.gserviceaccount.com': googleapi: Error 400: Invalid principalSet member (principalSet://iam.googleapis.com/projects/my-project/locations/global/workloadIdentityPools/projects/my-project/locations/global/workloadIdentityPools/github-actions-pool/attribute.repository_owner/my-gh-org)., badRequest: provider=google-beta@8.13.1
sdk-v2/provider2.go:515: sdk.helper_schema: Error retrieving IAM policy for service account 'projects/project-id/serviceAccounts/github-actions-sa@my-project.iam.gserviceaccount.com': googleapi: Error 403: Permission 'iam.serviceAccounts.getIamPolicy' denied on resource (or it may not exist).
If I use the project name, I get the 1st error; if I use the project unique ID, I get the 403.
I'm trying to convert this guide into IaC: https://roger-that-dev.medium.com/push-code-with-github-actions-to-google-clouds-artifact-registry-60d256f8072f. It is true that I haven't applied any IAM policy to the registries yet, as I'm not sure whether I need them or what.
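The 400 above shows the pool's full resource name being spliced into a `principalSet` URI that already contains the `projects/.../workloadIdentityPools/` prefix. As an added example (not code from the post or from Pulumi), the helper below builds that member string from plain inputs and rejects the two shapes that produce a rejected binding: a doubled pool path, and a project ID where Google's `principalSet` format requires the numeric project number. It also refuses attributes the provider does not map, since a binding on an unmapped attribute can never match a token. It assumes a `projectNumber` string and the attribute mapping from the post; nothing from `@pulumi/gcp` is used.

```typescript
// Full pool resource name, as returned by the pool's `name` output.
const FULL_POOL_NAME =
  /^projects\/[^/]+\/locations\/global\/workloadIdentityPools\/([a-z0-9-]+)$/;

// The attributeMapping from the post (constructed copy). A principalSet member
// may only reference attributes the provider maps; anything else never matches.
const attributeMapping: Record<string, string> = {
  'google.subject': 'assertion.sub',
  'attribute.actor': 'assertion.actor',
  'attribute.repository': 'assertion.repository',
  'attribute.repository_owner': 'assertion.repository_owner',
};

// Accepts either the short pool ID or the full resource name and always returns
// the short ID, so the projects/.../workloadIdentityPools/ prefix is never doubled.
function shortPoolId(poolRef: string): string {
  const m = FULL_POOL_NAME.exec(poolRef);
  if (m) return m[1];
  if (!/^[a-z0-9-]+$/.test(poolRef)) {
    throw new Error(`unrecognised workload identity pool reference: ${poolRef}`);
  }
  return poolRef;
}

// Builds principalSet://iam.googleapis.com/projects/NUMBER/locations/global/
// workloadIdentityPools/POOL/attribute.NAME/VALUE for a roles/iam.workloadIdentityUser
// binding. `projectNumber` is the numeric project number (assumed input).
function principalSetMember(
  projectNumber: string,
  poolRef: string,
  attribute: string,
  value: string,
): string {
  if (!/^\d+$/.test(projectNumber)) {
    throw new Error(`principalSet needs the numeric project number, got '${projectNumber}'`);
  }
  if (!(`attribute.${attribute}` in attributeMapping)) {
    throw new Error(`attribute.${attribute} is not in the provider's attributeMapping`);
  }
  if (value.length === 0) {
    throw new Error('attribute value must not be empty');
  }
  // Values such as repository (org/repo) legitimately contain slashes.
  return (
    `principalSet://iam.googleapis.com/projects/${projectNumber}` +
    `/locations/global/workloadIdentityPools/${shortPoolId(poolRef)}` +
    `/attribute.${attribute}/${value}`
  );
}
```

Scoping the member to `attribute.repository` (org/repo) instead of `attribute.repository_owner` narrows which workflows may impersonate the service account; both pass through this helper unchanged.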