billowy-nightfall-59212
10/18/2022, 9:53 PM
p, err := serviceaccount.NewAccount(ctx, "prom-frontend",
&serviceaccount.AccountArgs{
AccountId: pulumi.String("prom-frontend"),
DisplayName: pulumi.String("prom-frontend"),
Project: pulumi.String(c.Project),
})
if err != nil {
return err
}
// Intended: grant roles/storage.admin to the prom-frontend service account.
// NOTE(review): serviceaccount.NewIAMBinding sets the IAM policy ON the service
// account named by ServiceAccountId (the account is the resource being protected);
// it is not a project-level grant. The API rejects roles/storage.admin for this
// resource type, which is the "Error 400 ... not supported for this resource"
// reported below.
_, err = serviceaccount.NewIAMBinding(ctx, "foo-bar-iam-binding", &serviceaccount.IAMBindingArgs{
Role: pulumi.String("roles/storage.admin"),
Members: pulumi.StringArray{
// Hard-coded member email; the same account is also the resource below, so the
// binding would grant the account a role on itself.
pulumi.String("serviceAccount:prom-frontend@experiments.iam.gserviceaccount.com"),
},
// p is the account created by serviceaccount.NewAccount above.
ServiceAccountId: p.Name,
})
if err != nil {
return err
}
* Error applying IAM policy for service account 'projects/endor-experiments/serviceAccounts/prom-frontend@xperiments.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/experiments/serviceAccounts/prom-frontend@experiments.iam.gserviceaccount.com': googleapi: Error 400: Role roles/storage.admin is not supported for this resource., badRequest
bitter-winter-22829
10/21/2022, 7:44 AMroles/storage.admin
role to service account p
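? Also, granting a permission on the service account (as the resource) with that same service account as the member (identity) is not possible. serviceaccount.NewIAMBinding sets the IAM policy on the service account itself, which is why roles/storage.admin is rejected as "not supported for this resource". What you can do instead is bind this role at the project level using the projects.NewIAMBinding resource. It can be something similar to this: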
// Grant the role at project level, with the service account as the member (identity).
// NOTE(review): projects.IAMBinding is authoritative for the given role: it sets the
// complete member list for roles/storage.admin on the project, so members that hold
// the role but are not listed here are removed on apply. projects.IAMMember adds a
// single member without touching the others.
// NOTE(review): roles/storage.admin at project scope applies to every bucket in the
// project. If the workload only needs specific buckets or objects, a bucket-level
// binding or a narrower storage role is the least-privilege choice.
_, err := projects.NewIAMBinding(ctx, "foo-bar-iam-binding", &projects.IAMBindingArgs{
Members: pulumi.StringArray{
// Build the member string from the created account's email rather than hard-coding it.
pulumi.Sprintf("serviceAccount:%s",p.Email),
},
// Placeholder project ID; replace with the target project.
Project: pulumi.String("your-project"),
Role: pulumi.String("roles/storage.admin"),
})