terraform 中的 gcloud add-iam-policy-binding 相当于什么？

尝试将 cert-manager、CloudDNS 示例代码 转换为 terraform，但我无法使此代码片段与工作负载身份配合使用：

gcloud iam service-accounts add-iam-policy-binding \
    --role roles/iam.workloadIdentityUser \
    --member "serviceAccount:$PROJECT_ID.svc.id.goog[cert-manager/cert-manager]" \
    dns01-solver@$PROJECT_ID.iam.gserviceaccount.com

我已经尝试过：

resource "google_service_account_iam_binding" "dns01_solver_binding" {
  service_account_id = google_service_account.dns01_solver.name
  role               = "roles/iam.workloadIdentityUser"

  members = [
    "serviceAccount:${var.project_id}.svc.id.goog[cert-manager/cert-manager]/dns01-solver@${var.project_id}.iam.gserviceaccount.com",
  ]
}

和

resource "google_project_iam_member" "main" {
  project = var.project_id
  role    = "roles/iam.workloadIdentityUser"
  member  = "serviceAccount:${var.project_id}.svc.id.goog[cert-manager/cert-manager]/dns01-solver@${var.project_id}.iam.gserviceaccount.com"
}

不断出现错误：

│ Error: Error applying IAM policy for service account 'projects/my-project.iam/serviceAccounts/[email protected]': 
Error setting IAM policy for service account 'projects/my-project.iam/serviceAccounts/[email protected]': 
googleapi: Error 400: Invalid service account (my-project.iam.svc.id.goog[cert-manager/cert-manager]/[email protected])., badRequest

│ 
│   with google_service_account_iam_binding.dns01_solver_binding,
│   on cert-manager.tf line 47, in resource "google_service_account_iam_binding" "dns01_solver_binding":
│   47: resource "google_service_account_iam_binding" "dns01_solver_binding" {

但是如果我检查我的服务帐户选项卡，它实际上就在那里：

所需的服务帐户也存在于 cert-manager kubernetes 命名空间中：