This message was deleted.

I am running into this error.

* Error applying IAM policy for service account 'projects/endor-experiments/serviceAccounts/prom-frontend@xperiments.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/experiments/serviceAccounts/prom-frontend@experiments.iam.gserviceaccount.com': googleapi: Error 400: Role roles/storage.admin is not supported for this resource., badRequest

Are you trying to give

roles/storage.admin

role to service account

p

? And if you are trying to grant a permission to the service account(resource) using the same service account as member (identity), it is not possible. What you can do is, you can bind this role at project level using

projects.NewIAMBinding

resource. It can be smtg similar to this

_, err := projects.NewIAMBinding(ctx, "foo-bar-iam-binding", &projects.IAMBindingArgs{
			Members: pulumi.StringArray{
				pulumi.Sprintf("serviceAccount:%s",p.Email),
			},
			Project: pulumi.String("your-project"),
			Role:    pulumi.String("roles/storage.admin"),
		})