@seeker815
Last active February 2, 2023 06:44
service account gap
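import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Assumption: the environment suffix is taken from the stack name; the
// snippet does not show where projectEnv is defined.
const projectEnv = pulumi.getStack();

// Service account the API uses for bucket access.
const saApiAdmin = new gcp.serviceaccount.Account(`sa-apiadmin-${projectEnv}`, {
    accountId: `sa-apiadmin-${projectEnv}`,
    displayName: `A service account used for bucket access for API`,
});

// Custom role with object read/write and multipart-upload permissions.
// roleId has no hyphens because custom role IDs allow only letters,
// digits, underscores and periods.
const storageRWRole = new gcp.projects.IAMCustomRole(`role-api-storage-rw-${projectEnv}`, {
    description: "Bucket/pubsub read write role",
    permissions: [
        "storage.objects.create",
        "storage.objects.list",
        "storage.objects.get",
        "storage.objects.update",
        "storage.multipartUploads.create",
        "storage.multipartUploads.listParts",
        "storage.multipartUploads.abort",
        "resourcemanager.projects.getIamPolicy",
    ],
    roleId: `roleapistoragerw${projectEnv}`,
    title: `role-api-storage-rw-${projectEnv}`,
});

// gcp.serviceaccount.IAMBinding sets the IAM policy on the service account
// itself (the account treated as a resource). It does not grant the role on
// a project or on a bucket.
const saApiAdminIam = new gcp.serviceaccount.IAMBinding("saapiadmin-account-iam", {
    serviceAccountId: saApiAdmin.name,
    role: storageRWRole.id,
    members: [pulumi.concat("serviceAccount", ":", saApiAdmin.email)],
});

// Stack output: the service account's email address.
export const saAdmin = saApiAdmin.email;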