Service account created from a sink cannot be found

I'm creating a sink by running the following command (as an organization administrator):

gcloud logging sinks create vpc_flow_sink storage.googleapis.com/<storage_bucket_name> --include-children --organization=<organization_id> --log-filter='resource.type="gce_subnetwork" AND logName:"logs/compute.googleapis.com%2Fvpc_flows"'

The command executes successfully and outputs the following text:

Created [https://logging.googleapis.com/v2/organizations/<organization_id>/sinks/<sink_name>].
Please remember to grant serviceAccount:o<organization_id>[email protected] the Storage Object Creator role on the bucket.

However, when I go to actually apply the permission to the storage bucket, I cannot find this account (in either the project or within the organization). The accounts also do not appear when I run:

gcloud organizations get-iam-policy <organization_id>

When I describe the sink, the service account exists within the writerIdentity field:

gcloud beta logging sinks describe vpc_flow_sink --organization <organization_id>
...
writerIdentity: serviceAccount:o<organization_id>[email protected]
...

For reference, to try to debug this issue, I've attached the following roles: Organization Role Administrator, Logging Admin, Owner, Project Owner, Organization Administrator, Storage Admin.

I am genuinely lost on what to do; how do I go about granting this account the role on the bucket?

Robert asked Sep 13 '25 18:09


1 Answer

When applying the permission to your export destination, don't copy:

serviceAccount:o<organization_id>[email protected]

but instead just use everything after serviceAccount:

o<organization_id>[email protected]...

Google will then recognize the service account. However, I still cannot detect it via gcloud organizations get-iam-policy <organization_id>

Ryan Stack answered Sep 21 '25 07:09
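A small script that turns a sink's describe output into the two member forms the answer distinguishes (bare email for the console, "serviceAccount:"-prefixed member for the CLI), as an added example that is not code from the post; it uses constructed describe output with placeholder ids and builds a `gcloud storage buckets add-iam-policy-binding` command instead of going through the console:

```shell
#!/bin/sh
# Added example, not code from the original post. It shows the two forms of
# the sink writer identity: the console principal field takes the bare email,
# while gcloud/gsutil take the "serviceAccount:" prefixed member. The sample
# describe output below is constructed with placeholder ids.

# Pull the writerIdentity value out of `gcloud logging sinks describe` output
# read from stdin (first match only).
writer_identity_from_describe() {
  sed -n 's/^writerIdentity:[[:space:]]*//p' | head -n 1
}

# Drop a leading "serviceAccount:" so the value can be pasted into the
# console's principal field; a bare email is returned unchanged.
strip_member_prefix() {
  printf '%s\n' "$1" | sed 's/^serviceAccount://'
}

# Build (but do not execute) the gcloud command that grants Storage Object
# Creator on the destination bucket to the writer identity. The prefix is
# re-added so the command is correct whichever form was passed in.
bucket_binding_command() {
  bucket="$1"
  email="$(strip_member_prefix "$2")"
  printf 'gcloud storage buckets add-iam-policy-binding gs://%s --member=serviceAccount:%s --role=roles/storage.objectCreator\n' \
    "$bucket" "$email"
}

# Constructed sample of sink describe output; ids and domain are placeholders.
SAMPLE_DESCRIBE='destination: storage.googleapis.com/example-flow-logs
filter: resource.type="gce_subnetwork"
name: vpc_flow_sink
writerIdentity: serviceAccount:o000000000000-000000@placeholder.example'

# Demo: derive both forms from the sample and print the binding command.
demo() {
  member="$(printf '%s\n' "$SAMPLE_DESCRIBE" | writer_identity_from_describe)"
  echo "Console principal field: $(strip_member_prefix "$member")"
  echo "CLI member argument:     $member"
  bucket_binding_command example-flow-logs "$member"
}
demo
```

The writer identity is a Google-managed account, so it does not show up in `gcloud organizations get-iam-policy` until a binding references it; the bucket-level grant above is what makes the sink able to write.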