curved-alligator-54130
11/03/2020, 3:51 AM
from pulumi import Output
from pulumi_gcp import logging, serviceaccount, storage

# bucket_name and org are set elsewhere in the program
bucket = storage.Bucket(resource_name=bucket_name,
                        location="us-central1")
# Organization-level sink that exports Admin Activity audit logs into the bucket
sink = logging.OrganizationSink("resource-ops-sink",
                                destination=Output.concat("storage.googleapis.com/", bucket.id),
                                filter="logName:activity",
                                include_children=True,
                                org_id=org)
What I can't determine now is how to grant the write permissions to the bucket for service account used on the sink (writer_identity).
I've been trying IAMBinding and IAMMember (each separately). However I get errors when it runs.
member = serviceaccount.IAMMember(
    member=sink.writer_identity,
    resource_name="log_writer",
    role="roles/storage.objectCreator",
    service_account_id=sink.writer_identity)
Diagnostics:
gcp:serviceAccount:IAMMember (service-account-role-member):
error: gcp:serviceAccount/iAMMember:IAMMember resource 'log-writer' has a problem: "service_account_id" ("serviceAccount:o976583563296-639776@gcp-sa-logging.iam.gserviceaccount.com") doesn't match regexp "projects/(?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?)|-)/serviceAccounts/((?:(?:[-a-z0-9]{1,63}\\.)*(?:[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?):)?(?:[0-9]{1,19}|(?:[a-z0-9](?:[-a-z0-9]{0,61}[a-z0-9])?))@[a-z]+.gserviceaccount.com$|[0-9]{1,20}-compute@developer.gserviceaccount.com|[a-z](?:[-a-z0-9]{4,28}[a-z0-9])@[-a-z0-9\\.]{1,63}\\.iam\\.gserviceaccount\\.com$)"
With Terraform I would only be providing the role and the member. I'm at a loss on this as to whether 1) I am using the correct Pulumi object (IAMMember) and 2) why I'm getting the regex error on the resource_name attribute.
I appreciate any assistance. Thanks.