塞蒂亚姆403禁止

resources:
- name: practice-service-account
  type: iam.v1.serviceAccount
  properties:
    displayName: practice-service-account
    projectId: {{ project }}
    accountId: practice-service-account
- name: get-iam-policy
  action: 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.getIamPolicy'
  properties:
    resource: resources-practice {# make this environment variable #}
- name: set-iam-policy
  action: 'gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy'
  properties:
    resource: {{ project }}
    policy: $(ref.get-iam-policy)
    gcpIamPolicyPatch:
      add:
      - role: roles/viewer
        members:
        - user:email1@example.com
        - user:email2@example.com
        - user:email3@example.com

为什么在尝试创建这些IAM资源时总是遇到下面的错误?

ERROR: (gcloud.deployment-manager.deployments.update) Error in Operation [operation-1544014242908-57c45d47a0760-6a2ec217-9ee53506]: errors:
- code: RESOURCE_ERROR
  location: /deployments/infrastructure/resources/set-iam-policy
  message: '{"ResourceType":"gcp-types/cloudresourcemanager-v1:cloudresourcemanager.projects.setIamPolicy","ResourceErrorCode":"403","ResourceErrorMessage":{"code":403,"message":"The
    caller does not have permission","status":"PERMISSION_DENIED","statusMessage":"Forbidden","requestPath":"https://cloudresourcemanager.googleapis.com/v1/projects/resources-practice:setIamPolicy","httpMethod":"POST"}}'