do we know for sure that a 400 error always means that the account is still being provisioned or could it be another error ? I don't know where this 400 is coming from

actually, if i'm reading the internal chat thread correctly, 400 is from the chunk of code you've deleted in 281 - 302 ?

it seems like we'd want to do either of the following:

1. keep the IAM role setting, but ignore any 400 error from it and just log a warning saying:
   a) the SA is being provisioned in the background and
   b) IAM roles needed for other actions may not be ready yet.
   and I assume, at some later point when the user does need the iam roles, the CLI will attempt to set them again for the SA? in which case i feel like (b) is optional
2. OR get rid of IAM role setting (as you've done in this PR). raise any errors that come from provisioning the SA. or if no errors, we just log that the SA is being provisioned in the background.

Unfortunately it seems the IAM API errors are somewhat non-deterministic; the addServiceAccountToRoles API call will sometimes return the 400 error when the service account doesn't exist yet, causing the init flow to error out. This is what Kiana was running into.

If it is just an error due to propagation delay, we would prefer not to interrupt the init flow, so I added the logic to ignore the 400 error. However, I think it is also valid to fail out on any error in case the issue isn't related to propagation delay.

ok got it addServiceAccountToRoles is still being called in provisionDefaultComputeServiceAccount.

If we know that this 400 is coming from addServiceAccountToRoles, can we do this try-catch for the 400 in provisionDefaultComputeServiceAccount.

ideally, the errors should be handled as close as possible to the source. putting it here gives the reader no context, makes maintenance difficult, and could potentially try-catch errors we should not be catching.