IAM Bindings Failing for Service Management Role

[allisonis]

When attempting to create a project level role bindings with the roles/servicemanagement.serviceConsumer role, the GCP secrets backend returns the following error:

could not write to vault Error making API request.

URL: PUT https:/<vaullt_server>/v1/gcp/roleset/<roleset_name>
Code: 400. Errors:

* unable to set policy: googleapi: Error 400: Role (roles/servicemanagement.serviceConsumer) does not exist in the resource's hierarchy.

Roleset binding:

    "bindings": "resource \"\/\/cloudresourcemanager.googleapis.com/projects/<project_id>\" {\r\n  roles = [\r\n    \"roles\/servicemanagement.serviceConsumer\"]\r\n}"

This error indicates that the roles/servicemanagement.serviceConsumer cannot be set in the project IAM policy.

The error in StackDriver when the SetIamPolicy method is invoked results in an invalid argument error.

  status: {
   code: 3    
   message: "INVALID_ARGUMENT"    
  }
 }

The binding successfully is applied to the Vault managed service account manually and indicates the role is supported for project level bindings.

[watacroft]

Having the same error, same policy. Only I'm trying to bing a whole domain to the role.