Reputation: 1
I use Deployment Manager and try to describe my resources in Python files (Deployment Manager allows creating configurations using Python or Jinja). Actually,
I use JSON format for creating the topic resource:
    # Legacy GCS service account address, built from the project name
    service_account = project_name + '@gs-project-accounts.iam.gserviceaccount.com'
    return {
        'name': topic,
        'type': 'pubsub.v1.topic',
        'properties': {
            'topic': topic
        },
        'accessControl': {
            'gcpIamPolicy': {
                'bindings': [
                    {
                        'role': 'roles/pubsub.publisher',
                        # IAM members carry a type prefix
                        'members': ['serviceAccount:' + service_account]
                    }
                ]
            }
        }
    }
The format [project_name]@gs-project-accounts.iam.gserviceaccount.com worked fine several weeks ago, but for a newly created project such a service account is not found.
Is it correct that the format of Google Cloud Storage service accounts was changed? For a newly created project it fails with "service account ... doesn't exist". It was [project-name]@gs-project-accounts.iam.gserviceaccount.com, and currently it is service-[projectId]@gs-project-accounts.iam.gserviceaccount.com.
I checked it with this API, and for specific newly created projects I get this format: service-[project_Id]@gs-project-accounts.iam.gserviceaccount.com.
How can we fetch the Google Cloud Storage service account dynamically in Deployment Manager config files? As I can see here, there are only several environment variables like project_name, project_id, time etc., and there isn't any storage_service_account environment variable.
Upvotes: 0
Views: 1445
Reputation: 624
The GCS service account format recently changed to the following format:
service-[PROJECT_NUMBER]@gs-project-accounts.iam.gserviceaccount.com
Existing projects will continue to work with the previous format.
For new projects, the new format will be the way moving forward.
To verify the format, you can get projects.serviceAccount.
Upvotes: 1
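One way to avoid hard-coding the address, as an added example that is not part of the original posts: a Deployment Manager Python template that derives the new-format account from Deployment Manager's `project_number` environment variable and grants publish rights to that one member only. The `gcsServiceAccount` property is a hypothetical override for older projects, to be filled with the address that projects.serviceAccount returns.

```python
"""Deployment Manager template: Pub/Sub topic that only the GCS account may publish to."""

GCS_SA_DOMAIN = 'gs-project-accounts.iam.gserviceaccount.com'


def gcs_service_account(env, properties):
    """Return the GCS service account e-mail for the deploying project."""
    # Hypothetical template property (an assumption of this example): lets an
    # older project pin the address reported by projects.serviceAccount.
    override = properties.get('gcsServiceAccount')
    if override:
        if not override.endswith('@' + GCS_SA_DOMAIN):
            raise ValueError('not a GCS service account: %s' % override)
        return override
    # New format from the answer: service-[PROJECT_NUMBER]@gs-project-accounts...
    project_number = str(env['project_number'])
    # Reject a project ID or name passed by mistake; a binding to a
    # non-existent member makes the whole deployment fail.
    if not project_number.isdigit():
        raise ValueError('project_number must be numeric: %r' % project_number)
    return 'service-%s@%s' % (project_number, GCS_SA_DOMAIN)


def GenerateConfig(context):
    """Entry point called by Deployment Manager for a Python template."""
    topic = context.properties['topic']
    member = 'serviceAccount:' + gcs_service_account(context.env,
                                                     context.properties)
    return {
        'resources': [{
            'name': topic,
            'type': 'pubsub.v1.topic',
            'properties': {'topic': topic},
            'accessControl': {
                'gcpIamPolicy': {
                    'bindings': [{
                        'role': 'roles/pubsub.publisher',
                        'members': [member],
                    }]
                }
            },
        }]
    }
```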