Managing GCP infrastructure with Terraform is an uphill battle, especially if you are not familiar with any other cloud and how it works. So, here’s my error of the week, which I got while trying to bind a service account to a predefined role: googleapi Error 400: Unparseable iamMember.
Prerequisites
- GCP account
- Terraform
Solution
First, the obvious step: make sure you are passing the iamMember name correctly. If you are working with SAs (service accounts), you will probably have something like the following code block on your end, as an example:
resource "google_project_iam_member" "project_editor" {
  project = "${local.project_name}-${random_integer.preprod.id}"
  role    = "roles/editor"
  member  = "serviceAccount:${module.preprod.project_sa_email}"
}
Of course, I’m not saying you should assign the project editor role to a service account, but make sure that SA members always start with serviceAccount:, followed by the SA’s email address: <service_account_name>@<project_name>.iam.gserviceaccount.com.
However, if you are dealing with users, use user:<email_address_here> instead. For instance:
resource "google_project_iam_member" "network_admin" {
  project = "${local.project_name}-${random_integer.preprod.id}"
  role    = "roles/compute.networkAdmin"
  # A literal address is written as-is; wrapping it in ${...} makes Terraform
  # try to parse it as an expression, which fails.
  member  = "user:devcoopsautomation@devcoops.com"
}
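Because the 400 only shows up at apply time, it is worth catching a malformed member before Terraform ever talks to the API. The following is an added example (not code from the original post) of a small pre-apply lint that scans a .tf file for google_project_iam_member resources and checks each member value for the problems discussed above: a missing principal prefix, a literal e-mail wrapped in ${...}, a serviceAccount: prefix that is not followed by a gserviceaccount.com address, and, as a separate risk, the public principals allUsers and allAuthenticatedUsers. The e-mail regex and the sample HCL are constructed for this example; the regex is a simplified shape, not the exact IAM grammar.

```python
import re
from typing import List, Tuple

# Principal prefixes accepted in a google_project_iam_member "member" value.
PREFIXES = ("user:", "serviceAccount:", "group:", "domain:")
# Unprefixed public principals: valid syntax, but they grant the role to everyone.
PUBLIC = {"allUsers", "allAuthenticatedUsers"}

# Simplified e-mail shape (assumption for this check, not the exact IAM grammar).
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
INTERP_RE = re.compile(r"\$\{([^}]*)\}")
RESOURCE_RE = re.compile(r'^\s*resource\s+"google_project_iam_member"\s+"([^"]+)"')
MEMBER_RE = re.compile(r'^\s*member\s*=\s*"((?:[^"\\]|\\.)*)"')


def check_member(member: str) -> List[str]:
    """Return the problems found in one member value; an empty list means it looks fine."""
    problems: List[str] = []
    if member in PUBLIC:
        problems.append(f"public principal {member!r}: grants the role to everyone on the internet")
        return problems
    # A literal e-mail inside ${...} is the exact mistake that yields "Unparseable iamMember"
    # (or a Terraform parse error before that); Terraform expects an expression there.
    for body in INTERP_RE.findall(member):
        if "@" in body:
            problems.append(f"literal e-mail inside interpolation: ${{{body}}}")
    static = INTERP_RE.sub("X", member)  # mask interpolations so only the literal part is checked
    prefix = next((p for p in PREFIXES if static.startswith(p)), None)
    if prefix is None:
        problems.append("no literal principal prefix (user:, serviceAccount:, group:, domain:); "
                        "if the whole value is interpolated, make sure the source includes one")
        return problems
    rest = member[len(prefix):]
    if "${" in rest:
        return problems  # the address comes from a variable or module output; only the prefix is checkable
    if prefix == "domain:":
        if "@" in rest or "." not in rest:
            problems.append(f"domain: must be followed by a bare domain name, got {rest!r}")
    elif not EMAIL_RE.match(rest):
        problems.append(f"{prefix} must be followed by an e-mail address, got {rest!r}")
    elif prefix == "serviceAccount:" and not rest.endswith(".gserviceaccount.com"):
        problems.append("serviceAccount: should be followed by an @...gserviceaccount.com address")
    elif prefix == "user:" and rest.endswith(".gserviceaccount.com"):
        problems.append("service-account address given with user: prefix; use serviceAccount:")
    return problems


def lint_iam_members(hcl: str) -> List[Tuple[str, str, List[str]]]:
    """Scan HCL text and return (resource name, member value, problems) for each bad member."""
    findings: List[Tuple[str, str, List[str]]] = []
    current = None
    depth = 0
    for line in hcl.splitlines():
        m = RESOURCE_RE.match(line)
        if m:
            current = m.group(1)
        m = MEMBER_RE.match(line)
        if m and current is not None:
            problems = check_member(m.group(1))
            if problems:
                findings.append((current, m.group(1), problems))
        # ${...} is brace-balanced, so counting braces tracks the resource block correctly.
        depth += line.count("{") - line.count("}")
        if depth == 0:
            current = None
    return findings


# Constructed sample: one good binding and three that a reviewer would reject.
SAMPLE_TF = '''
resource "google_project_iam_member" "project_editor" {
  project = "my-project-1234"
  role    = "roles/editor"
  member  = "serviceAccount:${module.preprod.project_sa_email}"
}

resource "google_project_iam_member" "network_admin" {
  project = "my-project-1234"
  role    = "roles/compute.networkAdmin"
  member  = "user:${devcoopsautomation@devcoops.com}"
}

resource "google_project_iam_member" "missing_prefix" {
  project = "my-project-1234"
  role    = "roles/viewer"
  member  = "ci-runner@my-project-1234.iam.gserviceaccount.com"
}

resource "google_project_iam_member" "public" {
  project = "my-project-1234"
  role    = "roles/storage.objectViewer"
  member  = "allUsers"
}
'''

if __name__ == "__main__":
    for name, member, problems in lint_iam_members(SAMPLE_TF):
        print(f"{name}: {member}")
        for p in problems:
            print(f"  - {p}")
```

Run it as a pre-commit hook or a CI step over your .tf files; the first binding passes (the address comes from a module output, so only the prefix is checked), the second reproduces the interpolation mistake from this post, the third is the bare address that the API rejects as unparseable, and the fourth is syntactically valid but worth a second look.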
Conclusion
If you get stuck at some step, feel free to leave a comment below and if you find this tutorial useful, follow our official channel on Telegram.