Unable to run terraform due to lack of permissions on custom roles

[cblecker]

As a member of k8s-infra-prow-oncall@kubernetes.io, according to https://github.com/kubernetes/k8s.io/blob/main/infra/gcp/terraform/README.md I should be able to run terraform against the k8s-infra-prow-build-trusted project.

However, when I attempt to do so I get the following error:

│ Error: Error when reading or editing Error reading IAM Role organizations/758905017065/roles/iam.serviceAccountLister: googleapi: Error 403: You don't have permission to get the role at organizations/758905017065/roles/iam.serviceAccountLister.

It looks like because this custom role is associated with resources, but I don't have permissions to iam.roles.get it at the org level, I can't run terraform. Adding myself to org admin (#6671) allowed me to do the action. It sounds like we need to either A) discontinue use of this custom role, or B) allow permissions for folks that will be running terraform to iam.roles.get details of that role

[cblecker]

cc @ameukam @upodroid @dims @BenTheElder

[BenTheElder]

The IAM roles magic is somewhat impenetrable and causing other issues like #4981

Unfortunately I don't think anyone is terribly familiar with this OR has the bandwidth to replace it (versus continuing to migrate everything to community accounts so we can all sort this out together later ...)