#google-cloud

big-account-56668

10/30/2020, 10:12 AM
I've created a service account using `serviceaccount.NewAccount` (in Go) and am trying to assign a role, `roles/logging.logWriter`, to the account so that it can be used by an external service that writes logs. I'm using the `projects.IAMMember` resource to achieve this. I'm getting the following error.

```
gcp:projects:IAMMember (<name>):
    error: Request "Create IAM Members roles/logging.logWriter serviceAccount:projects/<project>/serviceAccounts/<account>@<project>.iam.gserviceaccount.com for \"project \\\"<project>\\\"\"" returned error: Batch request and retried single request "Create IAM Members roles/logging.logWriter serviceAccount:projects/<project>/serviceAccounts/<account>@<project>.iam.gserviceaccount.com for \"project \\\"<project>\\\"\"" both failed. Final error: Error applying IAM policy for project "<project>": Error setting IAM policy for project "<project>": googleapi: Error 400: Service account projects/<project>/serviceaccounts/<account>@<project>.iam.gserviceaccount.com does not exist., badRequest
```

The service account is definitely present as I can see it in the console, and I've now retried 24 hours later to exclude an eventual consistency issue for the newly created service account, but I'm still getting the same message. Any suggestions on what to try next?

green-school-95910

10/30/2020, 6:34 PM
You are using `serviceAccount:[full name of the account]`; you should do `serviceAccount:[account email]`, without the `projects/<project>/serviceAccounts/` prefix.

big-account-56668

11/02/2020, 9:46 AM
That was it! I was passing the `Name` attribute of the created account instead of the `Email` attribute. Thanks.