# python

gorgeous-lifeguard-69736

06/18/2021, 11:34 AM
Hi, how can I assign a role to a gcp service account? I tried the below but it fails with
gcp:serviceAccount:IAMMember (log-writer-iam):
  error: 1 error occurred:
        * Error applying IAM policy for service account 'projects/secret-stash-stadium/serviceAccounts/web-sa@secret-stash-stadium.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/secret-stash-stadium/serviceAccounts/web-sa@secret-stash-stadium.iam.gserviceaccount.com': googleapi: Error 400: Invalid service account (<pulumi.output.output object at 0x10c8f3310>)., badRequest
What am I doing wrong?
sa = serviceaccount.Account(
    resource_name="sa",
    account_id="web-sa",
)

log_writer_iam = serviceaccount.IAMMember(
    resource_name="log-writer-iam",
    member=f"serviceAccount:{sa.email}",
    role="roles/logging.logWriter",
    service_account_id=sa.name,
)

shy-bird-55689

06/18/2021, 11:39 AM
hey ya, try this
sa = serviceaccount.Account(
    resource_name="sa",
    account_id="web-sa",
)
log_writer_iam = serviceaccount.IAMMember(
    resource_name="log-writer-iam",
    member=sa.email.apply(lambda email: f"serviceAccount:{email}"),
    role="roles/logging.logWriter",
    service_account_id=sa.name,
)

gorgeous-lifeguard-69736

06/18/2021, 11:40 AM
Thanks for the reply! Nope, same error.

shy-bird-55689

06/18/2021, 11:44 AM
Ah, I'm only just starting to get my head round accessing outputs myself. I was passed this post via someone at Pulumi yesterday which was useful: https://www.leebriggs.co.uk/blog/2021/05/09/pulumi-apply.html

nutritious-shampoo-16116

06/18/2021, 6:36 PM
It's probably the f string thing, try pulumi.Output.concat('serviceAccount:', sa.email)

gorgeous-lifeguard-69736

06/19/2021, 8:55 PM
none of this works, tried fstring, tried apply, tried concat
And I gave up