Reputation: 1
On GCP, I'm trying to add "Service Account 2" as a member to "Service Account 1" with this Terraform code below:
resource "google_service_account" "service_account_1" {
  display_name = "Service Account 1"
  account_id   = "service-account-1"
}

resource "google_service_account" "service_account_2" {
  display_name = "Service Account 2"
  account_id   = "service-account-2"
}

resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/run.invoker"
  members = [
    "serviceAccount:${google_service_account.service_account_2.email}"
  ]
  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}
But I got this error below:
Error applying IAM policy for service account 'projects/myproject-173831/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/myproject-173831/serviceAccounts/[email protected]': googleapi: Error 400: Role roles/run.invoker is not supported for this resource., badRequest
Are there any mistakes with my Terraform code?
Upvotes: 3
Views: 10329
Reputation: 1
A service account doesn't support "roles/run.invoker". So of course the service account "Service Account 1" doesn't support "roles/run.invoker". Only Cloud Run supports "roles/run.invoker".
If you really want to add "Service Account 2" as a member to "Service Account 1", you can use "roles/iam.serviceAccountUser" or "roles/iam.serviceAccountAdmin".
"google_service_account_iam_binding" with "roles/iam.serviceAccountUser":
resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountUser" // Here
  members = [
    "serviceAccount:${google_service_account.service_account_2.email}"
  ]
  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}
"google_service_account_iam_binding" with "roles/iam.serviceAccountAdmin":
resource "google_service_account_iam_binding" "service_account_iam_binding" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountAdmin" // Here
  members = [
    "serviceAccount:${google_service_account.service_account_2.email}"
  ]
  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}
In addition, you can use "google_service_account_iam_member" with "roles/iam.serviceAccountUser" or "roles/iam.serviceAccountAdmin" instead of "google_service_account_iam_binding".
"google_service_account_iam_member" with "roles/iam.serviceAccountUser":
resource "google_service_account_iam_member" "service-account-iam_member" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.service_account_2.email}"
  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}
"google_service_account_iam_member" with "roles/iam.serviceAccountAdmin":
resource "google_service_account_iam_member" "service-account-iam_member" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountAdmin"
  member             = "serviceAccount:${google_service_account.service_account_2.email}"
  depends_on = [
    google_service_account.service_account_1,
    google_service_account.service_account_2
  ]
}
Finally, you can add "Service Account 2" as a member to "Service Account 1".
Upvotes: 2
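An added example, not code from the question or the answer above, showing the two bindings that together achieve what the question was likely after: "roles/run.invoker" bound where it is supported (a Cloud Run service) and the narrower "roles/iam.serviceAccountUser" bound on "Service Account 1". The Cloud Run service name "my-service" and region "us-central1" are assumptions; the project and provider are assumed to be configured elsewhere.

```hcl
# Added example (assumes an existing Cloud Run service "my-service" in
# "us-central1" that runs as service_account_1; names are placeholders).

resource "google_service_account" "service_account_1" {
  account_id   = "service-account-1"
  display_name = "Service Account 1"
}

resource "google_service_account" "service_account_2" {
  account_id   = "service-account-2"
  display_name = "Service Account 2"
}

# roles/run.invoker is a Cloud Run role, so it is bound on the Cloud Run
# service, not on the service account. This lets SA2 invoke the service
# and nothing else.
resource "google_cloud_run_service_iam_member" "sa2_invokes_service" {
  location = "us-central1" # assumed region
  service  = "my-service"  # assumed existing Cloud Run service
  role     = "roles/run.invoker"
  member   = "serviceAccount:${google_service_account.service_account_2.email}"
}

# Only if SA2 must act as SA1 (for example, deploy a revision that runs as
# SA1) does SA1 itself need a binding. roles/iam.serviceAccountUser grants
# iam.serviceAccounts.actAs; roles/iam.serviceAccountAdmin additionally lets
# the member rewrite SA1's IAM policy and manage its keys, so it is far more
# than this use case needs.
resource "google_service_account_iam_member" "sa2_acts_as_sa1" {
  service_account_id = google_service_account.service_account_1.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.service_account_2.email}"
  # No depends_on: the attribute references above already order creation.
  # *_iam_member is additive; *_iam_binding is authoritative for the role and
  # removes any member for that role that is not listed in the configuration.
}
```

After `terraform apply`, `gcloud iam service-accounts get-iam-policy <SA1 email>` should list only the serviceAccountUser binding for SA2, and the invoker binding should appear on the Cloud Run service's policy rather than on the service account.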