GCP updated roles for service account

Hi there,

I am struggling to understand why when I run this command

gcloud projects add-iam-policy-binding (PROJECT_ID) \ --member="serviceAccount:(SERVICE_ACCOUNT)@$(PROJECT_ID).iam.gserviceaccount.com"
–role=roles/apigateway.admin

I am able to update the role for the servcue account but

this fails

resource “google_project_iam_binding” “service_account_roles” {
project = var.project
role = “roles/storage.admin”
members = [“serviceAccount:${var.service_account_id}”,]

depends_on = [google_project_service.enabled_apis]
}

Error: Request “Set IAM Binding for role “roles/storage.admin” on “project \“test-295503\””” returned error: Error applying IAM policy for project “test-295503”: Error setting IAM policy for project “test-295503”: googleapi: Error 403: Policy update access denied., forbidden

Strangely the REST API call to GCP also fails.