No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Here is the identity setup:
```
const name = 'ciInfrastructure'

export const ciInfrastructure = new gcp.serviceAccount.Account(
  name,
  {
    project,
    accountId: 'ci-infrastructure',
    displayName: 'CI infrastructure account',
  },
  { protect },
)

bindToIAMRole(`${name}ClusterAdmin`, ciInfrastructure, {
  project,
  role: 'roles/container.clusterAdmin',
})
// for deploying cluster-wide resources e.g. traefik, cert-manager
bindToIAMRole(`${name}ContainerDeveloper`, ciInfrastructure, {
  project,
  role: 'roles/container.developer',
})
```

I thought since I can use the `ci-infrastructure` gcp service account/identity to create the cluster, that I’ll be able to create a clusterRoleBinding, but so far cannot.

<https://cloud.google.com/kubernetes-engine/docs/how-to/iam>

I’m going to go back and try with `roles/container.admin`, using `container.clusterAdmin` and `container.developer` may not be enough

changing the gcp IAM role to `'roles/container.admin'` solved it

<@UGA82D0RX> not an expert but that seems to be a lack of permissions error