No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

so if `"roles/iam.serviceAccountUser"` is works just fine but `"roles/workflows.invoker"` is not allowed, what is needed so the service account can  invoke a workflow?
```if (!IAM_DEV_FLAG) {
  const getIAMPolicy = ({ roles, member }: { roles: string[]; member: string }) =&gt;
    gcp.organizations.getIAMPolicy({
      bindings: roles.map((role) =&gt; ({
        members: [member],
        role,
      })),
    });

  const appIAM = appSA.member.apply((member) =&gt;
    getIAMPolicy({
      member,
      roles: [
        //"roles/run.invoker", // workflow to invoke dispatch  in cloud run via HTTP
        //"roles/workflows.invoker", // cloud scheduler to invoke the workflow
        "roles/iam.serviceAccountUser", // a role that actually works from the pulumi docs
      ],
    }).then(
      (policy) =&gt;
        new gcp.serviceaccount.IAMPolicy(kebabcase(APP_NAME + "-authz"), {
          serviceAccountId: appSA.name,
          policyData: policy.policyData,
        })
    )
  );
}```


This is something I was confused about as well - basically when you use that module you’re granting roles that have access to the service account, not roles that the service account has access to. If you want to grant invoker access across the project, you need to use one thing, and if you want to grant workflows invoker access for a specific workflow, you need to use another.

For global, you want to use `gcp.projects.IAMMember` (or `IAMPolicy`/`IAMBinding`). For the role on workflows, I’m actually not seeing anything in the `gcp.workflows` module, so not sure. That’s typically how it works though, e.g. if you want to grant roles directly on a storage bucket, you’ll be looking for IAM objects in `gcp.storage`, etc.

Thanks for the explaintion on the IAM Policy, I was definitely backwards. To invoke cloud run from the workflow I can set the IAM member.
```const invoker = new gcp.cloudrun.IamMember("invoke-by-workflow-authz", {
  location: REGION,
  project: GCP_PROJECT.name,
  service: appService.name,
  role: "roles/run.invoker",
  member: "allUsers",
});```
But that does not exist on the Workflow - apparently its a bug (half baked product, this is just the latest shortcoming).
• <https://issuetracker.google.com/issues/221402255?pli=1>
• <https://github.com/hashicorp/terraform-provider-google/issues/12914>
I think Ill just let cloud scheduler have the default service account for the project to invoke the workflow until WF has better IAM support.