Error applying IAM policy for service account in Pulumi

I am trying to create a service account and assign roles, and it fails.

p, err := serviceaccount.NewAccount(ctx, "prom-frontend",
		&serviceaccount.AccountArgs{
			AccountId:   pulumi.String("prom-frontend"),
			DisplayName: pulumi.String("prom-frontend"),
			Project:     pulumi.String(c.Project),
		})
	if err != nil {
		return err
	}

	// create Project Iam policy binding for the service account to the role roles/storage.admin
	_, err = serviceaccount.NewIAMBinding(ctx, "foo-bar-iam-binding", &serviceaccount.IAMBindingArgs{
		Role: pulumi.String("roles/storage.admin"),
		Members: pulumi.StringArray{
			pulumi.String("serviceAccount:prom-frontend@experiments.iam.gserviceaccount.com"),
		},
		ServiceAccountId: p.Name,
	})
	if err != nil {
		return err
	}

This is error I am getting from GCP

>Error applying IAM policy for service account 'projects/endor-experiments/serviceAccounts/prom-frontend@xperiments.iam.gserviceaccount.com': Error setting IAM policy for service account 'projects/experiments/serviceAccounts/prom-frontend@experiments.iam.gserviceaccount.com': googleapi: Error 400: Role roles/storage.admin is not supported for this resource., badRequest

How do I solve this issue?

You are trying to modify the service account's IAM policy. A service account does not provide cloud storage services, therefore a storage-related IAM role is not supported. That is why you see this error:

Role roles/storage.admin is not supported for this resource

If your goal is to grant permissions to an IAM member to Cloud Storage, modify the IAM policy of either the project or cloud storage.

A service account is both an identity and a resource.

As an identity, you can grant IAM roles to the service account for resources within a project/folder/organization.

As a resource, you can grant IAM roles to other identities to access the service account (e.g. create tokens).