little-photographer-14867
03/16/2022, 12:06 AM
```python
from pulumi_gcp import artifactregistry, serviceaccount

read_sa = serviceaccount.Account(
    "read-sa",
    account_id="read-sa",
    display_name="Read Service Account"
)
py_repo = artifactregistry.Repository(
    "pypi-repo",
    location="us-west1",
    repository_id="pypi-repo",
    description="python pacakges.",
    format="PYTHON",
)
read_binding = artifactregistry.RepositoryIamBinding(
    "read-binding",
    project=py_repo.project,
    location=py_repo.location,
    repository=py_repo.name,
    role="roles/artifactregistry.reader",
    members=[
        f"serviceAccount:{read_sa.email}",
    ],
)
```
But I am getting errors:
```
gcp:artifactregistry:RepositoryIamBinding (read-binding):
error: 1 error occurred:
* Error applying IAM policy for artifactregistry repository "projects/test-project/locations/us-west1/repositories/pypi-repo": Error setting IAM policy for artifactregistry repository "projects/test-project/locations/us-west1/repositories/pypi-repo": googleapi: Error 400: Invalid service account (<pulumi.output.Output object at 0x7f7f53ff7f10>).
```
Am I defining the `members` arg properly, or correct in using the service account email in an f-string? Mostly following this ts example.

prehistoric-activity-61023
03/16/2022, 8:07 AM
`read_sa.email` was a normal `str` that would work (f-string interpolation) but it’s actually `pulumi.Output[str]`. Try to see the details while trying to apply these changes, you should see “malformed” `members` array.
`Output` types, you have to either use `apply`:
```python
members = [
    read_sa.email.apply(lambda email: f"serviceAccount:{email}"),
]
```
or `concat`:
```python
members = [
    pulumi.Output.concat("serviceAccount:", read_sa.email),
]
```
`py_repo.name`), there’s no need for additional “magic” - pulumi handles that automatically. However, it will break if you do some string concatenation (using f-string or even plus sign).

little-photographer-14867
03/16/2022, 2:58 PM