如何通过terraform创建带有服务帐户的谷歌云pubsub订阅

从这个文档中，我想通过terraform创建同样的东西。

https://cloud.google.com/run/docs/tutorials/pubsub

gcloud pubsub subscriptions create myRunSubscription --topic myRunTopic 
--push-endpoint=SERVICE-URL/ 
--push-auth-service-account=cloud-run-pubsub-invoker@PROJECT_ID.iam.gserviceaccount.com

地形的主.tf

resource "google_pubsub_subscription" "my_task" {
name  = "my-task-subscription"
topic = google_pubsub_topic.my_task.name
ack_deadline_seconds = 20
push_config {
push_endpoint = var.push_endpoint
}
dead_letter_policy {
dead_letter_topic = "cloud-run-pubsub-invoker@my-project.iam.gserviceaccount.com"
}
}

地形应用

# module.pubsub.google_pubsub_subscription.my_task will be created
+ resource "google_pubsub_subscription" "my_task" {
+ ack_deadline_seconds       = 20
+ id                         = (known after apply)
+ message_retention_duration = "604800s"
+ name                       = "my-task-subscription"
+ path                       = (known after apply)
+ project                    = (known after apply)
+ topic                      = "MyTask"
+ dead_letter_policy {
+ dead_letter_topic = "cloud-run-pubsub-invoker@my-project.iam.gserviceaccount.com"
}
+ expiration_policy {
+ ttl = (known after apply)
}
+ push_config {
+ push_endpoint = "https://an-endpoint.com"
}
}

收到错误：

Error: Error creating Subscription: googleapi: Error 400: Invalid resource name given (name=cloud-run-pubsub-invoker@my-project.iam.gserviceaccount.com). Refer to https://cloud.google.com/pubsub/docs/admin#resource_names for more information.

从地形图的文档来看，dead_letter_policy与Pub/Sub服务帐户相关：https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription#dead_letter_policy

但为什么它不起作用？那么如何将--push-auth-service-account设置为谷歌官方呢？