Channels
#python
Title
# python
l
little-photographer-14867
03/16/2022, 12:06 AMHi folks đź‘‹ , I'm new to pulumi and trying to create a GCP artifact registry with an IAMBinding. Something like:
Copy code
read_sa = serviceaccount.Account(
"read-sa",
account_id="read-sa",
display_name="Read Service Account"
)
py_repo = artifactregistry.Repository(
"pypi-repo",
location="us-west1",
repository_id="pypi-repo",
description="python pacakges.",
format="PYTHON",
)
read_binding = artifactregistry.RepositoryIamBinding(
"read-binding",
project=py_repo.project,
location=py_repo.location,
repository=py_repo.name,
role="roles/artifactregistry.reader",
members=[
f"serviceAccount:{read_sa.email}",
],
) Copy code
gcp:artifactregistry:RepositoryIamBinding (read-binding):
error: 1 error occurred:
* Error applying IAM policy for artifactregistry repository "projects/test-project/locations/us-west1/repositories/pypi-repo": Error setting IAM policy for artifactregistry repository "projects/test-project/locations/us-west1/repositories/pypi-repo": googleapi: Error 400: Invalid service account (<pulumi.output.Output object at 0x7f7f53ff7f10>).membersp
prehistoric-activity-61023
03/16/2022, 8:07 AMyeah, members are not constructed properly
If
read_sa.emailstrpulumi.Output[str]membersIn order to manipulate
Output Copy code
members = [
read_sa.email.apply(lambda email: f"serviceAccount:{email}"),
] Copy code
members = [
pulumi.Output.concat("serviceAccount:", read_sa.email),
]Why? Reason is quite simple. This value is lazy evaluated and comes from a resource previously created so you have to have some kind of synchronization within the code. If you use the value directly (like you did with
py_repo.namel
little-photographer-14867
03/16/2022, 2:58 PMthat makes sense! Thanks @prehistoric-activity-61023!
2 Views