Defining service account for nodes in Autopilot GKE cluster not working

Question - When creating an Autopilot GKE cluster, how can we define a service account for the nodes? We've specified a custom service account in our Terraform as such:

```hcl
    node_config {
        service_account = "my_sa@ ..."
    }
```


However, when we look at the resulting GKE cluster, the default SA is used instead of the custom one. There have been several open issues about this and none of the workarounds have worked for me, e.g. <https://github.com/hashicorp/terraform-provider-google/issues/9505>

I've tried specifying it as such:

```hcl
    cluster_autoscaling {
        enabled = true
        auto_provisioning_defaults {
            service_account = ""
        }
    }
```


Yet I get this error: `Error: googleapi: Error 400: Overriding Autopilot autoscaling settings is not allowed.`

Maybe try too?
I've never used Autopilot, but from what I can see in https://github.com/GoogleCloudPlatform/magic-modules/pull/6733 you're supposed to not set it in node_config, and instead set the SA you'd like to use in the cluster_autoscaling settings?

In your example above, do you have a literal "" in auto_provisioning_defaults.service_account, or did you just remove the value when posting it here?

(I would also use a reference when actually defining this in a Terraform config, like

```hcl
resource "google_service_account" "autopilot" {
  account_id   = "autopilot"
  project      = var.project
  display_name = "Autopilot Service Account"
}
resource "google_container_cluster" "autopilot" {
  name = "autopilot-cluster"
  enable_autopilot = true
  [...]
  cluster_autoscaling {
    auto_provisioning_defaults {
      service_account = resource.google_service_account.autopilot.email
      oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
    }
  }
}
```
)
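Putting the thread's answer together, here is an added, complete Terraform example (it is not code from this thread, and not from the provider project): a dedicated node service account with a least-privilege set of roles, bound to an Autopilot cluster through `cluster_autoscaling.auto_provisioning_defaults` rather than `node_config`. The variable names, the `gke-autopilot-nodes` account id, the cluster name and the default region are assumptions; the role list is the standard set GKE nodes need for logging, monitoring and image pulls.

```hcl
# Added example, not from the original thread. Project/region/names are assumptions.
variable "project" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

# Dedicated node identity, so nodes do not run as the Compute Engine
# default service account (which normally carries the Editor role).
resource "google_service_account" "gke_nodes" {
  account_id   = "gke-autopilot-nodes"
  project      = var.project
  display_name = "GKE Autopilot node service account"
}

# Minimal roles a node SA needs: write logs/metrics, read metadata, pull images.
locals {
  node_sa_roles = [
    "roles/logging.logWriter",
    "roles/monitoring.metricWriter",
    "roles/monitoring.viewer",
    "roles/stackdriver.resourceMetadata.writer",
    "roles/artifactregistry.reader",
  ]
}

resource "google_project_iam_member" "gke_nodes" {
  for_each = toset(local.node_sa_roles)
  project  = var.project
  role     = each.value
  member   = "serviceAccount:${google_service_account.gke_nodes.email}"
}

resource "google_container_cluster" "autopilot" {
  name             = "autopilot-cluster"
  project          = var.project
  location         = var.region
  enable_autopilot = true

  # Do NOT set node_config.service_account (or cluster_autoscaling.enabled) on
  # an Autopilot cluster; the node SA is taken from the autoscaling defaults.
  cluster_autoscaling {
    auto_provisioning_defaults {
      service_account = google_service_account.gke_nodes.email
      oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
    }
  }

  # Make sure the roles exist before nodes start pulling images and shipping logs.
  depends_on = [google_project_iam_member.gke_nodes]
}

output "node_service_account" {
  value = google_service_account.gke_nodes.email
}
```

The node service account is fixed at cluster creation; if a cluster already exists with the default SA, apply with `terraform apply -replace=google_container_cluster.autopilot` (or destroy and recreate) instead of expecting an in-place update. To confirm what the cluster actually got, `gcloud container clusters describe autopilot-cluster --location us-central1 --format='value(autoscaling.autoprovisioningNodePoolDefaults.serviceAccount)'` should print the custom SA's email.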

That worked for me, thanks!

Also, great handle name!

So the reason it was giving me a 401 was that Terraform was trying to update an existing cluster. You can see the Google docs about that here: https://cloud.google.com/knowledge/kb/cannot-update-a-default-service-account-000010385

I destroyed it, then created it again, and the 401 went away.