# python
s
Hey lovely community! Can someone help me to understand this? Let’s imagine that I have a piece of code that creates a GCP service account, a custom role (both work fine) and an IAM binding to assign this role to this service account (this one fails). Here is my IAM binding call:
sarolebinding = gcp.projects.IAMBinding(
    f"sa-role-binding-{self.projectName}-owner",
    role=self.role,
    project=self.project.name,
    members=[f"serviceAccount:{self.service_account.email}"],
)
return sarolebinding
This fails with the following error
Request `Set IAM Binding for role "projects/app-burger-nonprod-wzj/roles/projectOwner" on "project \"app-burger-nonprod-wzj\""` returned error: Error applying IAM policy for project "app-burger-nonprod-wzj": Error setting IAM policy for project "app-burger-nonprod-wzj": googleapi: Error 400: Invalid service account (<pulumi.output.Output object at 0x7fbf29648640>)., badRequest
Looks like the service_account.email field is wrong. How can I refer to the email of the newly created service account and use it as the value of the members argument? Thanks for reading, have a nice day.
b
It looks like that field only takes a plain string, so you'd have to create the resource inside an apply
s
Hey thanks for answering, hum, sorry not sure I got this, do you mean something like saving the value in a string somewhere out of this function and referencing the string as the member value ?
b
s
Not so much. This chapter of the docs is a bit challenging for me, but it looks like I will need to check it 😅 Thanks for the links, will check them out.
b
Hopefully that blog post will help
s
It helps, I think. Will have to try things out but think I understood the idea. As the resource is not yet ready I cannot get the SA email and use it somewhere else, so I need to use apply() to somehow wait until the value is ready to be able to use it in another piece of code, right?
b
Yes, that's right. For most resources, you don't need to do that because you can pass an output directly to a property and it'll build a graph of dependencies. However, this resource requires JSON which is built using a non-input-type string, so you need to resolve the output, build the JSON inside an apply once the value has resolved, and then create the dependent resource.
s
Will be a bit challenging for a non dev like me 😅😄. But will try some of those things out. Thanks for the support.