Naveen

Reputation: 4120

Error applying IAM policy for service account in Pulumi

I am trying to create a service account and assign roles, and it fails.

p, err := serviceaccount.NewAccount(ctx, "prom-frontend",
    &serviceaccount.AccountArgs{
        AccountId:   pulumi.String("prom-frontend"),
        DisplayName: pulumi.String("prom-frontend"),
        Project:     pulumi.String(c.Project),
    })
if err != nil {
    return err
}

// create Project Iam policy binding for the service account to the role roles/storage.admin
_, err = serviceaccount.NewIAMBinding(ctx, "foo-bar-iam-binding", &serviceaccount.IAMBindingArgs{
    Role: pulumi.String("roles/storage.admin"),
    Members: pulumi.StringArray{
        pulumi.String("serviceAccount:[email protected]"),
    },
    ServiceAccountId: p.Name,
})
if err != nil {
    return err
}

This is the error I am getting from GCP:

Error applying IAM policy for service account 'projects/endor-experiments/serviceAccounts/[email protected]': Error setting IAM policy for service account 'projects/experiments/serviceAccounts/[email protected]': googleapi: Error 400: Role roles/storage.admin is not supported for this resource., badRequest

How do I solve this issue?

Upvotes: 1

Views: 600

Answers (1)

John Hanley

Reputation: 81454

You are trying to modify the service account's IAM policy. A service account does not provide cloud storage services, therefore a storage-related IAM role is not supported. That is why you see this error:

Role roles/storage.admin is not supported for this resource

If your goal is to grant permissions to an IAM member to Cloud Storage, modify the IAM policy of either the project or cloud storage.

A service account is both an identity and a resource.

As an identity, you can grant IAM roles to the service account for resources within a project/folder/organization.

As a resource, you can grant IAM roles to other identities to access the service account (e.g. create tokens).

Upvotes: 2
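As an added example (not code from the question or the answer), the two policy documents the answer describes, built with a small Go helper instead of Pulumi: a project-level binding that grants roles/storage.admin to the service account acting as an identity, and a binding on the service account's own policy that grants roles/iam.serviceAccountTokenCreator to another principal, which is the "create tokens" case. The Grant helper, the project and account names and the etag are assumptions; the printed JSON is what you would hand to `gcloud projects set-iam-policy` and `gcloud iam service-accounts set-iam-policy` after reading the current policy with the matching get-iam-policy command.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Binding and Policy mirror the IAM policy document that get-iam-policy returns.
type Binding struct {
	Role    string   `json:"role"`
	Members []string `json:"members"`
}

type Policy struct {
	Version  int       `json:"version"`
	Bindings []Binding `json:"bindings"`
	Etag     string    `json:"etag,omitempty"`
}

// Grant adds member to the binding for role, creating the binding if absent.
// Idempotent (no duplicate members); keeps the etag so set-iam-policy can
// reject a policy that changed between the read and the write.
func Grant(p *Policy, role, member string) *Policy {
	for i := range p.Bindings {
		if p.Bindings[i].Role != role {
			continue
		}
		for _, m := range p.Bindings[i].Members {
			if m == member {
				return p
			}
		}
		p.Bindings[i].Members = append(p.Bindings[i].Members, member)
		return p
	}
	p.Bindings = append(p.Bindings, Binding{Role: role, Members: []string{member}})
	return p
}

func main() {
	// Constructed sample values; not a real project, account or etag.
	const sa = "serviceAccount:prom-frontend@example-project.iam.gserviceaccount.com"
	project := &Policy{Version: 1, Etag: "BwXyz-constructed"} // as read from the project
	Grant(project, "roles/storage.admin", sa)               // SA as identity: bind on the project
	saPolicy := &Policy{Version: 1}                         // as read from the service account itself
	Grant(saPolicy, "roles/iam.serviceAccountTokenCreator", "user:deployer@example.com") // SA as resource
	for _, p := range []*Policy{project, saPolicy} {
		out, _ := json.MarshalIndent(p, "", "  ")
		fmt.Println(string(out)) // apply with the matching gcloud set-iam-policy command
	}
}
```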
