Tags: terraform, terraform-provider-gcp

What is the meaning of "authoritative" and "Non-authoritative" for GCP IAM bindings/members


I am trying to understand the difference between google_service_account_iam_binding and google_service_account_iam_member in the GCP terraform provider at https://www.terraform.io/docs/providers/google/r/google_service_account_iam.html.

I understand that google_service_account_iam_binding is for granting a role to a list of members whereas google_service_account_iam_member is for granting a role to a single member, however I'm not clear on what is meant by "Authoritative" and "Non-Authoritative" in these definitions:

google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.

google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Can anyone elaborate for me please?


Solution

  • This link helps a lot.
    Basically it means:
    if a role is bound to a set of IAM identities and you want to add more identities, the authoritative one will require you to specify all the old identities again plus the new identities you want to add; otherwise any old identities you didn't specify will be unbound from the role. It is quite close to the idea of force push in git because it will overwrite any existing stuff. In our case it is identities.

    Non-authoritative is the opposite: you only need to care about the identity you are updating.
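The two resources side by side, as an added example that is not part of the original question or answer and not taken from the provider documentation. The service account id, the resource labels and the member identities are placeholders; the two role names are standard GCP predefined roles.

```hcl
# Added example: placeholders throughout (account_id, member identities).

resource "google_service_account" "deployer" {
  account_id   = "deployer" # placeholder
  display_name = "Deployment service account"
}

# AUTHORITATIVE for roles/iam.serviceAccountUser on this service account.
# After apply, the members list below IS the complete member list for that
# role. A grant made outside Terraform (console, gcloud, another root module)
# shows up in `terraform plan` as a removal and is stripped on the next apply.
# Other roles on the same service account are not touched.
resource "google_service_account_iam_binding" "users" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountUser"
  members = [
    "user:alice@example.com",              # placeholder
    "group:platform-team@example.com",     # placeholder
  ]
}

# NON-AUTHORITATIVE: adds exactly one (role, member) pair and, on destroy,
# removes only that pair. Whoever else already holds
# roles/iam.serviceAccountTokenCreator on this account is left alone, so
# several modules or teams can each own their own grant without coordination.
resource "google_service_account_iam_member" "ci_token_creator" {
  service_account_id = google_service_account.deployer.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:ci-runner@my-project.iam.gserviceaccount.com" # placeholder
}
```

The practical rule that follows from the definitions: never manage the same role on the same service account with both an `_iam_binding` and an `_iam_member` whose identity is missing from the binding's list, because each apply will have the binding remove the member and the member resource add it back again. Conversely, the authoritative form is the one to reach for when you want `terraform plan` to surface out-of-band privilege grants as drift.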