google storage transfer service account does not exist in new project

I am trying to create resources using Terraform in a new GCP project. As part of that I want to set roles/storage.legacyBucketWriter to the Google managed service account which runs storage transfer service jobs (the pattern is project-[project-number]@storage-transfer-service.iam.gserviceaccount.com) for a specific bucket. I am using the following config:

roles/storage.legacyBucketWriter

project-[project-number]@storage-transfer-service.iam.gserviceaccount.com

resource "google_storage_bucket_iam_binding" "publisher_bucket_binding"
bucket = "$google_storage_bucket.bucket.name"
members = ["serviceAccount:project-$var.project_number@storage-transfer-service.iam.gserviceaccount.com"]
role = "roles/storage.legacyBucketWriter"



to clarify, I want to do this so that when I create one off transfer jobs using the JSON APIs, it doesn't fail prerequisite checks.

When I run Terraform apply, I get the following:

Error applying IAM policy for Storage Bucket "bucket":
Error setting IAM policy for Storage Bucket "bucket": googleapi:
Error 400: Invalid argument, invalid


I think this is because the service account in question does not exist yet as I can not do this via the console either.

Is there any other service that I need to enable for the service account to be created?

1 Answer
1

it seems I am able to create/find the service account once I run this:

https://cloud.google.com/storage/transfer/reference/rest/v1/googleServiceAccounts/get

for my project to get the email address.

not sure if this is the best way but it works..

Required, but never shown

Required, but never shown

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.