Read default service agent in google cloud using terraform

I'm working with Secret Manager and KMS using Terraform. When I try to deploy resources using Terraform, it shows me an error like: `Error: Error applying IAM policy for KMS cryptokey "project/project_id/location/us-west1/KeyRing/xyz/cryptoKey/primary": Service account service-project_number@gcp-sa-secretmanager.iam.gserviceaccount.com does not exist.`

How can I read the default service agent for Secret Manager using Terraform?

Two possible things here:

  • Make sure the API is enabled (I would also suggest looking in the IAM panel in GCP and unchecking the box so that you can see the Google-managed IAM members not in your account, which might help you verify that the account is there and what its name is).
  • Confusingly / annoyingly, you can't use a data source to retrieve these Google service accounts, but you can use the `google_project_service_identity` resource if you want; see some details here. It is often easier just to construct the account ID than to do it this way.
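Putting the answer's two suggestions together, here is an added example (not code from the asker or the answerer) that enables the API, forces creation of the Secret Manager service agent with `google_project_service_identity`, and only then binds it on the crypto key and creates a CMEK-protected secret. It assumes a `var.project_id` variable, a `google-beta` provider, and the key ring/key names and `us-west1` region from the error message; the key ring, key and secret names are placeholders. The final `locals` block shows the "just construct the account ID" alternative from the answer.

```hcl
# Added example, not part of the original Q&A. Assumes var.project_id and
# a configured google-beta provider; resource names are placeholders.

terraform {
  required_providers {
    google      = { source = "hashicorp/google" }
    google-beta = { source = "hashicorp/google-beta" }
  }
}

variable "project_id" {
  type = string
}

provider "google" {
  project = var.project_id
}

provider "google-beta" {
  project = var.project_id
}

# Enabling the API is necessary but does not by itself guarantee that the
# service agent has been provisioned when the IAM binding is applied.
resource "google_project_service" "secretmanager" {
  project            = var.project_id
  service            = "secretmanager.googleapis.com"
  disable_on_destroy = false
}

# Forces creation of the Secret Manager service agent and exposes its email.
# This resource only exists in the google-beta provider.
resource "google_project_service_identity" "secretmanager" {
  provider = google-beta
  project  = var.project_id
  service  = "secretmanager.googleapis.com"

  depends_on = [google_project_service.secretmanager]
}

resource "google_kms_key_ring" "xyz" {
  project  = var.project_id
  name     = "xyz"
  location = "us-west1"
}

resource "google_kms_crypto_key" "primary" {
  name     = "primary"
  key_ring = google_kms_key_ring.xyz.id
  purpose  = "ENCRYPT_DECRYPT"
}

# Referencing the resource's email attribute (instead of a hand-built string)
# makes Terraform wait until the agent exists before applying the binding,
# which is exactly the ordering problem behind the "does not exist" error.
resource "google_kms_crypto_key_iam_member" "secretmanager_cmek" {
  crypto_key_id = google_kms_crypto_key.primary.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_project_service_identity.secretmanager.email}"
}

# CMEK-protected secret. depends_on ensures the key binding is in place first;
# otherwise secret creation fails with a permission error on the key.
resource "google_secret_manager_secret" "example" {
  project   = var.project_id
  secret_id = "example-secret"

  replication {
    user_managed {
      replicas {
        location = "us-west1"
        customer_managed_encryption {
          kms_key_name = google_kms_crypto_key.primary.id
        }
      }
    }
  }

  depends_on = [google_kms_crypto_key_iam_member.secretmanager_cmek]
}

# Alternative mentioned in the answer: construct the agent email from the
# project number. Needs no google-beta provider, but Terraform then has no way
# to know whether the agent has actually been provisioned yet.
data "google_project" "current" {
  project_id = var.project_id
}

locals {
  secretmanager_agent = "service-${data.google_project.current.number}@gcp-sa-secretmanager.iam.gserviceaccount.com"
}
```

Two practical notes: use `google_kms_crypto_key_iam_member` (additive) rather than `google_kms_crypto_key_iam_policy` for this binding, since an authoritative policy on the key will silently remove any other grants the key needs; and if you go with the constructed `local.secretmanager_agent` instead of the service identity resource, make the binding `depends_on` the `google_project_service` resource and be prepared for the first apply to race the agent's provisioning.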