Terraform: InvalidArgument desc = Project member is invalid (PROJECT-3m9d)

I've got all of my Terraform set up and working well, but I"m running into an error I can't figure out.

I'm creating a

zitadel_project_role

zitadel_project_role

zitadel_project_role

zitadel_project_role like so, and it's creating the Project Role just fine:

resource "zitadel_project_role" "this" {
  project_id   = var.project_id
  org_id       = var.org_id
  role_key     = "super-user"
  display_name = "Administrator"
}

resource "zitadel_project_role" "this" {
  project_id   = var.project_id
  org_id       = var.org_id
  role_key     = "super-user"
  display_name = "Administrator"
}

resource "zitadel_project_role" "this" {
  project_id   = var.project_id
  org_id       = var.org_id
  role_key     = "super-user"
  display_name = "Administrator"
}

resource "zitadel_project_role" "this" {
  project_id   = var.project_id
  org_id       = var.org_id
  role_key     = "super-user"
  display_name = "Administrator"
}

Then I try to give this role to my user:

resource "zitadel_project_member" "this" {
  for_each = { for k, v in var.users : k => v if length(v.roles.project) > 0 }

  org_id     = var.org_id
  project_id = var.project_id
  roles      = each.value.roles.project
  user_id    = zitadel_human_user.this[each.key].id

  depends_on = [zitadel_project_role.this]
}

resource "zitadel_project_member" "this" {
  for_each = { for k, v in var.users : k => v if length(v.roles.project) > 0 }

  org_id     = var.org_id
  project_id = var.project_id
  roles      = each.value.roles.project
  user_id    = zitadel_human_user.this[each.key].id

  depends_on = [zitadel_project_role.this]
}

resource "zitadel_project_member" "this" {
  for_each = { for k, v in var.users : k => v if length(v.roles.project) > 0 }

  org_id     = var.org_id
  project_id = var.project_id
  roles      = each.value.roles.project
  user_id    = zitadel_human_user.this[each.key].id

  depends_on = [zitadel_project_role.this]
}

resource "zitadel_project_member" "this" {
  for_each = { for k, v in var.users : k => v if length(v.roles.project) > 0 }

  org_id     = var.org_id
  project_id = var.project_id
  roles      = each.value.roles.project
  user_id    = zitadel_human_user.this[each.key].id

  depends_on = [zitadel_project_role.this]
}

(Don't stress over the for_each and values, I've hardcoded them with the same results)

When I put my role into the

roles

roles

roles

roles list, I get the error:

│ Error: failed to update projectmember: rpc error: code = InvalidArgument desc = Project member is invalid (PROJECT-3m9d)

When I go to the Console and perform the same action, it works. If I change the role to a built-in role, like

PROJECT_OWNER

PROJECT_OWNER

PROJECT_OWNER

PROJECT_OWNER, the Terraform works.

I've verified the Org, Project and User ID are correct. I've also verified the role is present in the Console. No matter what I do, I continue to get this error.

Any help is appreciated!

Ask Inkeep•10/6/25, 12:19 PM

Hi @Spanky, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.

Ask Inkeep•10/6/25, 12:20 PM

Answer

The error "Project member is invalid" that you're experiencing is similar to issues documented in the sources questions-help-bugsI try to add a member to a granted project, but I keep getting an error "PROJECT-m9gKK" . The underlying ZITADEL APIs require that roles be provided correctly when adding project members (2) .

Looking at the API documentation, when adding a project member, if no roles are provided the user won't have any rights, so the member definition will be regarded as invalid . The API expects the roles parameter to contain valid role keys .

Based on a GitHub discussion, there was a similar issue where someone was getting invalid project member errors, and the solution was ensuring the correct role key format was being used (3) . In that case, the user needed to verify they were using the exact role key as specified in the project .

Since your Terraform works with built-in roles like

PROJECT_OWNER

PROJECT_OWNER

but fails with your custom role super-usersuper-user, the issue is likely with how the custom role key is being referenced. The role key must match exactly what was created in the project .

I'd recommend:

Double-check that the role key in your
```
roles
```
```
roles
```
list matches exactly the role_keyrole_key value from your
```
zitadel_project_role
```
```
zitadel_project_role
```
resource
Ensure there are no timing issues - the role must exist before the member assignment
Verify the role is actually created successfully in the target project and organization

The sources also indicate that these endpoints have been deprecated and replaced with newer administrator management APIs (4) (2) [(5) ](https://zita

Ask Inkeep•10/6/25, 12:20 PM

del.com/docs/apis/resources/mgmt/management-service-update-project-member) , though this shouldn't affect Terraform usage.

If you continue having issues, I'd suggest clicking the "Ask for help" button to tag a team member for more specific Terraform troubleshooting.

Ask Inkeep•10/6/25, 12:20 PM

To learn more, see the sources I considered:

questions-help-bugsI try to add a member to a granted project, but I keep getting an error "PROJECT-m9gKK"
[2] Add Project Member
[3] Assign project role to user authorization via API
[4] Add Project Grant Member
[5] Update Project Member

Ask Inkeep•10/6/25, 12:20 PM

Feel free to tag @Ask Inkeep with additional questions.

AAsk Inkeep To learn more, see the sources I considered: [[1] I try to add a member to a ...

Ask InkeepAPP•10/6/25, 1:13 PM

Got it. Tagging @Rajat for additional help.

SpankyOP•10/6/25, 1:14 PM

I have already done the things suggested by Inkeep. It is not a timing issue either.

SSpanky I have already done the things suggested by Inkeep. It is not a timing issue eit...

Rajat•10/6/25, 1:15 PM

hey @Spanky I will look into it and will get back to you

SpankyOP•10/6/25, 1:15 PM

Thanks! Meanwhile I'll try some more things

SpankyOP•10/6/25, 1:19 PM

This the Terraform state of the Project Role:

❯ terraform state show module.company_setup_dev.zitadel_project_role.this
# module.company_setup_dev.zitadel_project_role.this:
resource "zitadel_project_role" "this" {
    display_name = "Administrator"
    group        = null
    id           = "340998471756575805_340998472058565693_super-user"
    org_id       = "340998471756575805"
    project_id   = "340998472058565693"
    role_key     = "super-user"
}

❯ terraform state show module.company_setup_dev.zitadel_project_role.this
# module.company_setup_dev.zitadel_project_role.this:
resource "zitadel_project_role" "this" {
    display_name = "Administrator"
    group        = null
    id           = "340998471756575805_340998472058565693_super-user"
    org_id       = "340998471756575805"
    project_id   = "340998472058565693"
    role_key     = "super-user"
}

and this is what Terraform is trying to create:

  # module.company_setup_dev.zitadel_project_member.this["tom"] will be created
  + resource "zitadel_project_member" "this" {
      + id         = (known after apply)
      + org_id     = "340998471756575805"
      + project_id = "340998472058565693"
      + roles      = [
          + "super-user",
        ]
      + user_id    = "341001072912921661"
    }

  # module.company_setup_dev.zitadel_project_member.this["tom"] will be created
  + resource "zitadel_project_member" "this" {
      + id         = (known after apply)
      + org_id     = "340998471756575805"
      + project_id = "340998472058565693"
      + roles      = [
          + "super-user",
        ]
      + user_id    = "341001072912921661"
    }

So you can see that the IDs of things match

SpankyOP•10/6/25, 1:41 PM

I think what's happening here is that this resource is not where you add this role. This resource only takes built-in roles. What I think is needed is a zitadel_user_grantzitadel_user_grant?

SpankyOP•10/6/25, 1:48 PM

Yeah, when I switch the role from mine (super-user) to PROJECT_OWNER, the resource shows up under the User's MEMBERSHIPS and not Authorizations.

SpankyOP•10/6/25, 1:48 PM

Yup. When I add a zitadel_user_grantzitadel_user_grant it works with my super-usersuper-user role and shows up where expected.

SpankyOP•10/6/25, 2:02 PM

Thanks for listening. Hopefully this helps someone else in the future!

Gigi the Giraffe (Zitadel)•10/7/25, 8:39 AM

Looks like you just helped out another community member! Thanks for being so helpful @1158138363161890857! You're now one step closer to leveling up—keep up the amazing peer support!