CodexBloom - Programming Q&A Platform

Terraform not able to set up GCP IAM role bindings for Cloud Run service accounts with custom permissions

👀 Views: 61 💬 Answers: 1 📅 Created: 2025-06-06
terraform gcp iam cloud-run HCL

I tried several approaches but none seem to work. I'm stuck on something that should probably be simple. I'm working on a project and hit a roadblock... I'm trying to set up a Cloud Run service on GCP using Terraform, but I'm running into issues when trying to assign custom IAM roles to the service account. My Terraform configuration looks like this:

```hcl
resource "google_service_account" "cloud_run_service_account" {
  account_id   = "my-cloud-run-sa"
  display_name = "My Cloud Run Service Account"
}

resource "google_cloud_run_service" "my_service" {
  name     = "my-cloud-run-service"
  location = "us-central1"

  template {
    spec {
      containers {
        image = "gcr.io/my-project/my-image"
      }
    }
  }

  depends_on = [google_service_account.cloud_run_service_account]
}

resource "google_project_iam_member" "cloud_run_invoker" {
  project = "my-project-id"
  role    = "roles/run.invoker"
  member  = "serviceAccount:${google_service_account.cloud_run_service_account.email}"
}

resource "google_project_iam_member" "custom_role_bindings" {
  project = "my-project-id"
  role    = "roles/my.customRole"
  member  = "serviceAccount:${google_service_account.cloud_run_service_account.email}"
}
```

After running `terraform apply`, I get the following behavior:

```
behavior: googleapi: behavior 403: The caller does not have permission, forbidden
```

I've verified that my Terraform service account has the necessary permissions to create IAM roles and bind them. Additionally, I've tried running the apply command with the `-refresh=false` flag, but that didn't resolve the scenario. I've double-checked that the custom role does exist in the IAM section of the GCP console and that the necessary permissions are included. I am also following the best practice of using separate service accounts for different services. However, I suspect there might be a scenario with the order of resource creation or permissions propagation that I'm not accounting for.

Has anyone else faced a similar scenario when binding custom IAM roles to service accounts in Terraform or have any suggestions on how to troubleshoot this further? I'm working on a CLI tool that needs to handle this. Thanks in advance! Any help would be greatly appreciated! My team is using HCL for this REST API. This issue appeared after updating to HCL stable. Has anyone dealt with something similar? I'd really appreciate any guidance on this.
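For reference, here is an added example (not the poster's configuration) of how a custom role is normally declared and bound for a Cloud Run runtime service account, with the invoker grant scoped to one service rather than the whole project. The project ID, image, role ID, permission list and the caller identity are all placeholders.

```hcl
# Constructed example; the project id and image are placeholders.
variable "project_id" { default = "my-project-id" }

resource "google_service_account" "cloud_run_sa" {
  project      = var.project_id
  account_id   = "my-cloud-run-sa"
  display_name = "My Cloud Run Service Account"
}

# Project-level custom roles are addressed as projects/<project>/roles/<role_id>.
# A binding to "roles/<something>" names a predefined role; if no such
# predefined role exists the IAM API rejects the setIamPolicy call.
resource "google_project_iam_custom_role" "runtime" {
  project     = var.project_id
  role_id     = "cloudRunRuntime"                 # assumed role id
  title       = "Cloud Run runtime (least privilege)"
  permissions = ["logging.logEntries.create"]     # only what the workload needs
}

resource "google_project_iam_member" "runtime_binding" {
  project = var.project_id
  role    = google_project_iam_custom_role.runtime.name # projects/.../roles/cloudRunRuntime
  member  = "serviceAccount:${google_service_account.cloud_run_sa.email}"
}

resource "google_cloud_run_service" "my_service" {
  name     = "my-cloud-run-service"
  location = "us-central1"
  project  = var.project_id
  template {
    spec {
      # Run revisions as the dedicated SA, not the default compute SA.
      service_account_name = google_service_account.cloud_run_sa.email
      containers {
        image = "gcr.io/my-project/my-image"
      }
    }
  }
}

# roles/run.invoker belongs to the identity that calls the service. Grant it
# on this one service (not project-wide) to the assumed caller SA, so the
# runtime SA cannot invoke every Cloud Run service in the project.
resource "google_cloud_run_service_iam_member" "invoker" {
  project  = var.project_id
  location = google_cloud_run_service.my_service.location
  service  = google_cloud_run_service.my_service.name
  role     = "roles/run.invoker"
  member   = "serviceAccount:caller@${var.project_id}.iam.gserviceaccount.com" # assumed caller
}
```

If the binding still returns 403 with the role referenced this way, confirm that the account running `terraform apply` holds `resourcemanager.projects.setIamPolicy` on exactly the project named in `project`, since a mismatch between that value and the project the role lives in produces the same error.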