[RESOLVED ALREADY] having a bit of a time trying to write a custom role for GCP. Granted myself pretty generous permissions which should include all I need:
gcloud projects get-iam-policy my-project --flatten='bindings[].members' \
  --filter="kieran@my-domain.com" --format='table(bindings.role)'
ROLE
roles/cloudsql.admin
roles/cloudsql.instanceUser
roles/compute.networkAdmin
roles/iam.roleAdmin
roles/iam.serviceAccountAdmin
roles/iam.workloadIdentityPoolAdmin
roles/owner
roles/resourcemanager.projectIamAdmin
roles/secretmanager.secretAccessor
roles/servicenetworking.networksAdmin
I then do
gcloud auth application-default login
to set my APPLICATION_DEFAULT_CREDENTIALS for Pulumi to pick up on. In my stack config I'm not doing any OAuth sign-in or service account impersonation, so I'm pretty sure it's using my own credentials (without gcloud login the script doesn't run at all, which is a positive sign). But my (Python) code, which I'm trying to use to give a service account permission to give another service account lesser permissions:
from pulumi_gcp import projects, serviceaccount

# Service account that will later be allowed to grant lesser permissions.
service_account = serviceaccount.Account(
    "serviceAccount",
    account_id="pulumi-oidc-sa",
    display_name="Pulumi OIDC Service Account",
)

# Custom project-level role carrying only the permissions needed to deploy.
pulumi_iam_role = projects.IAMCustomRole(
    "minDeploymentRole",
    project="my-project",
    role_id="IamMinDeployer",
    title="Pulumi deploy – minimal",
    description="Minimal access to required privileges to only deploy to staging.",
    permissions=[
        "resourcemanager.projects.getIamPolicy",
        "resourcemanager.projects.setIamPolicy",
        "iam.serviceAccounts.get",
        "iam.serviceAccounts.actAs",
    ],
    stage="GA",
)

# Bind the custom role to the service account at project level.
projects.IAMMember(
    "iam-min-deployer",
    project="my-project",
    role=pulumi_iam_role.name,
    member=service_account.email.apply(
        lambda e: f"serviceAccount:{e}"
    ),
)
Comes back with:
error:   sdk-v2/provider2.go:566: sdk.helper_schema: Error creating the custom project role projects/137482643751/roles/IamMinDeployer: googleapi: Error 403: You don't have permission to create a role in projects/137482643751., forbidden: provider=google-beta@8.31.0
Any help would be really appreciated as I'm a little stumped...
Good lord, why am I in software?... I was providing the project number not the project ID. What I put in my code snippet wouldn't have even been a clue for anyone trying to help me because I swapped out the variable with the hardcoded value "my-project". Please ignore me and go about your business 😅
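The root cause above was passing the numeric project number where the google provider's `project` argument expects the project ID. As an added example (not code from the original post or from Pulumi), a small fail-fast check that distinguishes the two before any API call, plus helpers that build the member string and the full custom-role resource name; the project-ID format rules and the `gcloud projects list --filter` hint are assumed from GCP's documented conventions:

```python
import re

# GCP project ID: 6-30 chars, lowercase letters/digits/hyphens, starts with a
# letter, does not end with a hyphen (assumed from GCP's documented rules).
_PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def classify_project_ref(value: str) -> str:
    """Return 'number' (e.g. '137482643751'), 'id' (e.g. 'my-project') or 'invalid'."""
    if value.isdigit():
        return "number"
    if _PROJECT_ID_RE.fullmatch(value):
        return "id"
    return "invalid"


def require_project_id(value: str) -> str:
    """Raise before Pulumi ever calls the API if `value` is not a project ID.

    Passing the project number instead of the ID is what produced the
    403 'You don't have permission to create a role' error in the thread.
    """
    kind = classify_project_ref(value)
    if kind == "number":
        raise ValueError(
            f"{value!r} is a project number; the provider expects the project ID. "
            "Look it up with: gcloud projects list "
            f"--filter='projectNumber={value}' --format='value(projectId)'"
        )
    if kind == "invalid":
        raise ValueError(f"{value!r} is not a valid GCP project ID")
    return value


def service_account_member(email: str) -> str:
    """IAM member string in the form projects.IAMMember expects for a service account."""
    return f"serviceAccount:{email}"


def custom_role_name(project_id: str, role_id: str) -> str:
    """Full resource name of a project-level custom role (what IAMMember's `role` receives)."""
    return f"projects/{require_project_id(project_id)}/roles/{role_id}"
```

Calling `require_project_id(project)` on the value from stack config turns the opaque 403 at apply time into a local error naming the mix-up.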