No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Solved the secret creation, the role binding problem still persists though

```js
const secret = serviceAccountKey.apply(key =&gt; {
  return pulumi.all([key.privateKey]).apply(([privateKey]) =&gt; {
    return new k8s.core.v1.Secret("kaniko-secret", {
      type: "generic",
      metadata: { name: "kaniko-secret" },
      stringData: {
        "kaniko-secret": Buffer.from(privateKey, "base64").toString("utf8")
      }
    });
  });
});

```

1. you don’t have to construct the serviceAccountId manually. it’s actually exposed on the serviceAccount as `serviceAccount.accountId` . That saves you from having unwrap all the properties like project and email from the serviceAccount.
2. I recommend using IAMMember over iam policy or binding, since the the latter two may cause weird surprises when you assign the same role in other parts of your code or via the cloud console
3. IAMBinding has no property `serviceAccountId` - why are you putting it there?
4. Use TypesScript - saves you from mistakes like the one at 3. :stuck_out_tongue:

5. You have to use the resources from the `gcp.projects` namespace. I.e. `gcp.projects.IAMMember` or `gcp.projects.IAMBinding`. The binding / member resources in the `gcp.serviceAccount` namespace are to grant a service account (A) or user (B) the permissions to *use*/assume another service account (C). This is also described in the docs: <https://pulumi.io/reference/pkg/nodejs/@pulumi/gcp/serviceAccount/#IAMMember>

<@UCPSHLVC4> Awesome, thanks for the hint. Using `gcp.projects.IAMMember` works like a charm.

Just one thing, when using `serviceAccount.accountId` as the value for the `serviceAccountId` property on the `gcp.serviceAccount.Key` class terraform throws an error stating `project: required field is not set`.

Using `serviceAccount.name` instead works, e.g.

```ts
const serviceAccount = new gcp.serviceAccount.Account(
  "kaniko-service-account",
  {
    accountId: config.iam.serviceAccountName,
    displayName: config.iam.serviceAccountName,
    project: globalConfig.gcloud.projectId
  }
);

const serviceAccountKey = new gcp.serviceAccount.Key(
  `kaniko-service-account-key`,
  {
    // Using serviceAccount.accountId results in an error would be thrown stating `project: required field is not set`
    serviceAccountId: serviceAccount.name
  }
);
```