Eventarc trigger not firing & IAM inconsistency for Service Agent on Google Cloud

Hello,

I am experiencing a persistent platform inconsistency issue in my project (PII Removed by Staff).

1. Eventarc trigger is not firing: I have an Eventarc trigger configured to invoke a Cloud Run service from a GCS bucket (google.cloud.storage.object.v1.finalized event). The configuration appears correct in the UI, but when I upload a file, the trigger does not fire (0 invocations) and the Cloud Run service is not executed.

2. Underlying IAM Error: While debugging, we found a root IAM problem. When trying to grant permissions to the Document AI Service Agent, the API returns a 400: Service account does not exist error, even though the gcloud beta services identity create command confirms the service agent’s creation just seconds before. This is the command sequence:

Command 1 (Success): `gcloud beta services identity create --service=documentai.googleapis.com` Output: `Service identity created: service-(PII Removed by Staff)`

Command 2 (Fails): `gcloud storage buckets add-iam-policy-binding gs://[BUCKET_NAME] --member=(PII Removed by Staff) --role="roles/storage.objectViewer"` Output: `ERROR: ... Service account ... does not exist.`

We have ruled out propagation delay (waited >15 mins), organization policies (iam.allowedPolicyMemberDomains is inactive), and user permission issues (user is Owner).

We suspect a fundamental IAM replication/state issue for service agents in this project is causing both the IAM binding to fail and the Eventarc trigger to fail silently.

Can anyone suggest a workaround or has anyone seen this specific IAM inconsistency before?

Hi Enrique,

Try validating if the service agent’s creation was successful by checking it via the IAM console. Please note that you need to enable the ‘Include Google-provided role grants’ option to display it, as it is not listed in the console by default. Once you’ve verified the existence of the service agent, you can also grant the specific role through the Cloud Console. For complete details, refer to this documentation. Additionally, kindly note that triggering a service agent creation is currently in preview, which means it may not yet offer the expected quality, may have bugs or unexpected behaviors, and might have limited support.

Though you mentioned that the configuration appears correct in the UI, the documentation and guide below might be helpful in understanding why your Eventarc trigger is not firing. This includes proper configuration steps and troubleshooting tips:

Hi marckevin, thank you so much for your reply. This is extremely helpful.

We have already tried to verify the service agent’s existence in the IAM console. The core problem is that we cannot grant it roles. When we use the UI or the gcloud storage buckets add-iam-policy-binding command, we get a 400: Service account does not exist error, even immediately after the gcloud beta services identity create command confirms it was created.

Your comment that the service agent creation is a Preview feature is the key. This explains the inconsistent behavior we are seeing. Given this, it seems the issue is a platform-level bug related to this Preview feature for my specific project.

Is there any known workaround for this Preview feature’s instability, or is the only solution to wait for it to become Generally Available (GA)? Can this issue be escalated internally to the product team?
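A checklist for the two problems discussed in this thread, as an added shell example that is not from any poster or from Google's documentation: it builds the IAM member string directly from the `gcloud beta services identity create` output and retries the bucket binding, then checks the documented grants a Cloud Storage to Cloud Run Eventarc trigger needs. It assumes an authenticated gcloud; the function names and the project, bucket, trigger, region and service arguments are placeholders of mine.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the service-agent binding
# and for the Eventarc trigger prerequisites. Assumes an authenticated gcloud;
# all arguments (project id, bucket, trigger, region, service) are placeholders.

# Extract the email from the create output and prefix it as IAM expects.
# A member copied by hand, or given without "serviceAccount:", is a common
# cause of "Service account ... does not exist".
member_from_identity_output() {             # $1: one line of create output
  email=$(printf '%s\n' "$1" | sed -n 's/^Service identity created: *//p')
  [ -n "$email" ] || return 1
  printf 'serviceAccount:%s\n' "$email"
}

# Service-agent creation is eventually consistent, so retry the bucket
# binding with a growing pause. Prints the attempt number that succeeded.
grant_bucket_role_with_retry() {            # bucket member role attempts
  n=1
  while [ "$n" -le "$4" ]; do
    if gcloud storage buckets add-iam-policy-binding "gs://$1" \
         --member="$2" --role="$3" >/dev/null 2>&1; then
      echo "$n"; return 0
    fi
    sleep $((n * 15)); n=$((n + 1))
  done
  return 1
}

# True if MEMBER holds ROLE in the project IAM policy.
has_project_role() {                        # project member role
  gcloud projects get-iam-policy "$1" --flatten='bindings[].members' \
    --filter="bindings.role:$3 AND bindings.members:$2" \
    --format='value(bindings.members)' | grep -q .
}

# Missing grants are the usual reason a storage trigger shows 0 invocations:
# the Cloud Storage service agent must publish to Pub/Sub, and the trigger's
# service account must receive events and invoke the Cloud Run service.
eventarc_prereq_check() {                   # project trigger region service
  gcs_sa="serviceAccount:$(gcloud storage service-agent --project="$1")"
  trig_sa="serviceAccount:$(gcloud eventarc triggers describe "$2" \
    --location="$3" --format='value(serviceAccount)')"
  rc=0
  has_project_role "$1" "$gcs_sa" roles/pubsub.publisher \
    || { echo "missing: $gcs_sa roles/pubsub.publisher"; rc=1; }
  has_project_role "$1" "$trig_sa" roles/eventarc.eventReceiver \
    || { echo "missing: $trig_sa roles/eventarc.eventReceiver"; rc=1; }
  gcloud run services get-iam-policy "$4" --region="$3" \
    --flatten='bindings[].members' --format='value(bindings.members)' \
    --filter="bindings.role:roles/run.invoker AND bindings.members:$trig_sa" \
    | grep -q . || { echo "missing: $trig_sa roles/run.invoker on $4"; rc=1; }
  return "$rc"
}
```

Run `eventarc_prereq_check` first; each line it prints names the exact member and role to grant, and a clean exit means the trigger's IAM side is not the problem.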