No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I just saw on <https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/google_project_iam_custom_role|the terraform site> that roleId cannot contain dash characters `-` ...

I changed my roleId to be camel case and now getting a new error:

```Error 403: You don't have permission to get the role at organizations/&lt;my-org-id&gt;/roles/&lt;myRoleName&gt;```

I fixed the permissions issue by making myself the owner of my organisation. Not sure what the role would include the relevant IAM permissions, but it's just me working on it, so no concerns there.

An update on Service Account permissions for anyone watching.

My understanding of roles, permissions and access to resources wasn't quite right.

Instead of adding a role to the service account, I ended up granting access via resource policies to allow the service account access to the things it needs.

Code looks like this:

```const policyTopic = new gcp.pubsub.TopicIAMMember("policy-topic-abc", {
  member: emailOfServiceAcct,
  topic: myTopic.name,
  role: "roles/pubsub.publisher",
});

const policyBucket = new gcp.storage.BucketIAMMember("policy-bucket-abc", {
  member: emailOfServiceAcct,
  bucket: myBucket.name,
  role: "roles/storage.admin",
});```