# python


04/07/2021, 3:08 PM
hello guys. maybe someone here can give me a hand on this one? I have some code to create service accounts in GCP and bind these accounts to some roles using IAMBindings. my issue is that every time I run pulumi up, pulumi updates the service account role bindings. I guess this is caused by the for loop I am using to create them? this is my code:
```python
from typing import Optional
from pulumi import Config, export
from pulumi_gcp.projects import IAMBinding
from pulumi_gcp.serviceaccount import Account
import util  # the poster's own helper module (createServiceAccountKey, clientSecret)

conf = Config()

serviceAccounts = [
    ("droneci", "droneci", "Drone Service Account", ["roles/storage.admin"]),
    # second entry ("Spinnaker Service Account") is truncated in the original post
]

def bindToRole(name: str, sa: Account, args: Optional[dict] = None):
    """Given a GCP IAM Service Account and a list of roles, create an IAMBinding between them."""
    for i, role in enumerate(args["roles"]):
        # IAMBinding is authoritative for the role: `members` replaces the whole member list
        IAMBinding(
            f"{name}-{i}",
            project=args["project"],
            role=role,
            members=[sa.email.apply(lambda email: f"serviceAccount:{email}")],
        )

for saName, saId, saDesc, saRoles in serviceAccounts:
    sa = Account(
        saName, project=conf.get("project"), account_id=saId, display_name=saDesc
    )
    bindToRole(
        f"{saName}-roleBinding", sa, {"project": conf.get("project"), "roles": saRoles}
    )
    saKey = util.createServiceAccountKey(f"{saName}-key", sa)
    export(name=f"{saName}-serviceAccount-key", value=saKey)
    export(name=f"{saName}-serviceAccount-secret", value=util.clientSecret(saKey))
```
and this is an example of the changes it tries to make every time I run this:
```text
~ gcp:projects/iAMBinding:IAMBinding: (refresh)
        [provider=urn:pulumi:dev::my stack::pulumi:providers:gcp::default_4_17_0::620feff3-c68d-4f3f-b35d-715c080f8b7d]
      ~ etag     : "BwW/YsjdngI=" => "BwW/YucGdm0="
      ~ members  : [
          ~ [0]: "" => ""
```
any idea why this might be happening?


04/20/2021, 12:29 PM
IAMBinding is a configuration you do once and it will overwrite the role members, so every time you run a binding against a role with a different set of members you're overwriting your IAM configuration. I recommend you either pass the entire list of service accounts to each role in an IAMBinding, or totally change IAMBinding to IAMMember and pass one member at a time.
This is what Authoritative and Non-Authoritative mean in the documentation, I think
I had this issue yesterday, and changed everything to IAMMember