pulumi / pulumi-gcp

A Google Cloud Platform (GCP) Pulumi resource package, providing multi-language access to GCP
Apache License 2.0

CryptoKeyIAMBinding fails for service-*@compute-system.iam.gserviceaccount.com #1682

Open demon opened 8 months ago

demon commented 8 months ago

What happened?

I was trying to create a CMEK to use with GKE for boot disk encryption. Per the docs here, the service account required is in the form of service-PROJECT_NUMBER@compute-system.iam.gserviceaccount.com. Trying to use CryptoKeyIAMBinding fails with the following:

Error setting IAM policy for KMS CryptoKey "<REDACTED>": googleapi: Error 400: The member serviceaccount:service-REDACTED@compute-system.iam.gserviceaccount.com is of an unknown type. Please set a valid type prefix for the member., badRequest

Example

Here's a minimal test case:

from pulumi_gcp.kms import KeyRing, CryptoKey, CryptoKeyIAMBinding
from pulumi_gcp.organizations import get_project

# Key ring and CMEK for GKE boot disk encryption.
keyring = KeyRing(
    "foo",
    location="global"
)
key = CryptoKey(
    "bar",
    key_ring=keyring.id,
    purpose="ENCRYPT_DECRYPT"
)
# Grant the Compute Engine service agent (service-PROJECT_NUMBER@compute-system...)
# encrypt/decrypt on the key. The member prefix is written as "serviceAccount:";
# the API error shows it arriving as "serviceaccount:".
key_binding = CryptoKeyIAMBinding(
    "baz",
    crypto_key_id=key.id,
    role="roles/cloudkms.cryptoKeyEncrypterDecrypter",
    members=[
        f"serviceAccount:service-{get_project().number}@compute-system.iam.gserviceaccount.com"
    ],
)

Output of pulumi about

CLI
Version      3.104.2
Go Version   go1.21.6
Go Compiler  gc

Plugins
NAME      VERSION
gcp       7.7.1
python    unknown
twingate  0.0.48

Host
OS       darwin
Version  14.3
Arch     arm64

This project is written in python: executable='/opt/homebrew/bin/python3' version='3.11.7'

Current Stack: radai/k8s-clusters/aux-services

TYPE                                             URN
pulumi:pulumi:Stack                              urn:pulumi:aux-services::k8s-clusters::pulumi:pulumi:Stack::k8s-clusters-aux-services
pulumi:providers:gcp                             urn:pulumi:aux-services::k8s-clusters::pulumi:providers:gcp::default
radai_vab:gcp:k8s                                urn:pulumi:aux-services::k8s-clusters::radai_vab:gcp:k8s::aux-services
pulumi:providers:pulumi                          urn:pulumi:aux-services::k8s-clusters::pulumi:providers:pulumi::default
pulumi:pulumi:StackReference                     urn:pulumi:aux-services::k8s-clusters::pulumi:pulumi:StackReference::radai/vpc/aux-services
pulumi:providers:gcp                             urn:pulumi:aux-services::k8s-clusters::pulumi:providers:gcp::default_7_7_1
gcp:pubsub/topic:Topic                           urn:pulumi:aux-services::k8s-clusters::gcp:pubsub/topic:Topic::gke-aux-services
gcp:kms/keyRing:KeyRing                          urn:pulumi:aux-services::k8s-clusters::gcp:kms/keyRing:KeyRing::gke-aux-services
gcp:serviceaccount/account:Account               urn:pulumi:aux-services::k8s-clusters::gcp:serviceaccount/account:Account::gke-sa-aux-services
gcp:kms/cryptoKey:CryptoKey                      urn:pulumi:aux-services::k8s-clusters::gcp:kms/cryptoKey:CryptoKey::gke-aux-services
gcp:container/cluster:Cluster                    urn:pulumi:aux-services::k8s-clusters::gcp:container/cluster:Cluster::aux-services
gcp:container/nodePool:NodePool                  urn:pulumi:aux-services::k8s-clusters::gcp:container/nodePool:NodePool::aux-services-default
gcp:kms/cryptoKeyIAMBinding:CryptoKeyIAMBinding  urn:pulumi:aux-services::k8s-clusters::gcp:kms/cryptoKeyIAMBinding:CryptoKeyIAMBinding::gke-aux-services

Found no pending operations associated with aux-services

Backend
Name           pulumi.com
URL            https://app.pulumi.com/chadh
User           chadh
Organizations  chadh, radai
Token type     personal

Dependencies:
NAME             VERSION
pip              24.0.0
pulumi_gcp       7.7.1
pulumi_twingate  0.0.48
setuptools       69.0.3
wheel            0.42.0

Pulumi locates its logs in /var/folders/5y/6y_kl3x56ld7hjg7m480d_yw0000gq/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

iwahbe commented 8 months ago

Hi @demon. I'm sorry you're hitting this. Thanks for filing a bug. I can cleanly reproduce.

From the error message, it looks like serviceAccount is being downcased to serviceaccount by the provider, and then unrecognized.

demon commented 8 months ago

Yeah, that was what I noticed. Weirdly enough, CryptoKeyIAMMember works just fine (and sufficed as a workaround for me at the moment).
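An added pre-flight check, written for this page and not code from the issue or from pulumi-gcp, that ties together the two observations in the thread: iwahbe's note that `serviceAccount:` arrives at the API as `serviceaccount:`, and the member string the Compute Engine service agent needs. GCP IAM matches the member type prefix case-sensitively, so the lowercased form is exactly the "unknown type" the KMS error reports; catching it in program code before `pulumi up` round-trips to the API gives a clearer failure than the `googleapi: Error 400`. The function names (`compute_service_agent`, `member_type`, `validate_members`) and the project number are constructed for the example. One caveat on the workaround in the last comment: `CryptoKeyIAMBinding` is authoritative for the role it manages (it replaces every other member holding that role on the key), while `CryptoKeyIAMMember` only adds the single member and leaves existing grants untouched, so swapping one for the other changes who keeps access to the key, not just whether the call succeeds.

```python
"""Pre-flight validation of GCP IAM member strings (constructed example).

Checks the case-sensitive member type prefix that the KMS API rejected in
this issue, and builds the Compute Engine service agent member from a
project number, so mistakes surface before any API call is made.
"""
import re
from typing import List, Optional, Tuple

# Member type prefixes accepted in IAM policy bindings. The API compares them
# case-sensitively: "serviceAccount:" is valid, "serviceaccount:" is not.
MEMBER_PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")
# Members that carry no identity after the keyword.
SPECIAL_MEMBERS = ("allUsers", "allAuthenticatedUsers")

# Loose e-mail shape for user / serviceAccount / group principals.
_EMAIL_RE = re.compile(r"^[^@\s:]+@[^@\s:]+\.[^@\s:]+$")
# Project numbers are decimal integers.
_PROJECT_NUMBER_RE = re.compile(r"^\d+$")

COMPUTE_SYSTEM_DOMAIN = "compute-system.iam.gserviceaccount.com"


def compute_service_agent(project_number: str) -> str:
    """Return the IAM member for a project's Compute Engine service agent."""
    if not _PROJECT_NUMBER_RE.match(str(project_number)):
        raise ValueError(f"project number must be numeric, got {project_number!r}")
    return f"serviceAccount:service-{project_number}@{COMPUTE_SYSTEM_DOMAIN}"


def member_type(member: str) -> Optional[str]:
    """Return the member type ("serviceAccount", "user", ...) or None if invalid.

    Prefix matching is deliberately case-sensitive to mirror the API.
    """
    if member in SPECIAL_MEMBERS:
        return member
    for prefix in MEMBER_PREFIXES:
        if member.startswith(prefix):
            identity = member[len(prefix):]
            if prefix == "domain:":
                # A domain member is a bare DNS name, not an address.
                return "domain" if identity and "@" not in identity else None
            return prefix[:-1] if _EMAIL_RE.match(identity) else None
    return None


def validate_members(members: List[str]) -> List[Tuple[str, str]]:
    """Return (member, problem) pairs for every member the API would reject."""
    problems = []
    for m in members:
        if member_type(m) is not None:
            continue
        prefix, _, _ = m.partition(":")
        hint = "unknown type prefix"
        # Spell out the failure mode seen in this issue: right prefix, wrong case.
        for valid in MEMBER_PREFIXES:
            if prefix.lower() + ":" == valid.lower() and prefix + ":" != valid:
                hint = f"prefix {prefix!r} has wrong case; use {valid[:-1]!r}"
        problems.append((m, hint))
    return problems


if __name__ == "__main__":
    # Constructed project number; the downcased copy reproduces the bad member.
    good = compute_service_agent("123456789012")
    bad = good.replace("serviceAccount:", "serviceaccount:")
    for member, problem in validate_members([good, bad]):
        print(f"{member}: {problem}")
```

Run the check over the `members` list before handing it to `CryptoKeyIAMBinding` or `CryptoKeyIAMMember`; anything it flags would fail at the API in the same way the error above shows, so the list going into the resource is known-good and any remaining failure can be attributed to the provider rather than the input.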