No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

```package main

import (
	"<http://github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms|github.com/pulumi/pulumi-gcp/sdk/v5/go/gcp/kms>"
	"<http://github.com/pulumi/pulumi/sdk/v3/go/pulumi|github.com/pulumi/pulumi/sdk/v3/go/pulumi>"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := kms.NewCryptoKeyIAMBinding(ctx, "cryptoKey", &amp;kms.CryptoKeyIAMBindingArgs{
			CryptoKeyId: pulumi.Any(google_kms_crypto_key.Key.Id),
			Role:        pulumi.String("roles/cloudkms.cryptoKeyEncrypter"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}```
Source: <https://www.pulumi.com/registry/packages/gcp/api-docs/kms/cryptokeyiammember/>

In your case, the `Members` should point to the email of your service account id.

Well that's a -lot- smaller .Thanks again <@UK4HNFLCB>!

to be fully correct, rather than `user:&lt;userEmail&gt;`, you should have `serviceAccount:&lt;saEmail&gt;`