Hi terraform mates out there
I want to automate the role assignment process for service accounts and users on the Google Cloud Platform. I am actually thinking of creating IAM custom roles to get fine-grained roles as Terraform resources for different services, and assigning those roles to the users or service accounts I want.
Checking the way to associate which members will get what roles, I am actually wondering what the difference is between using google_project_iam_binding and using google_project_iam_member resources.
My current understanding would be to use google_project_iam_binding to grant roles to service accounts and google_project_iam_member to grant roles to user accounts, but I am not sure, since in the documentation they use both to associate user accounts.
I also found this interesting article https://binx.io/nl/2021/12/16/how-to-name-your-google-project-iam-resources-in-terraform/
As you know, Google IAM resources in Terraform come in three flavors:
- google_project_iam_policy to define a complete policy for the project.
- google_project_iam_binding to define all the members of a single role.
- google_project_iam_member to define a single role binding for a single principal.
I didn't know this before, and I would like to deep dive into the way I can use policies and IAM roles better for my purpose.
As the documentation states:
google_project_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
google_project_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
This means that google_project_iam_binding will grant a role to a list of members, and revoke it from any other member. So if your project had two users, e.g. [email protected] and [email protected], who both have roles/editor on the project, running the following Terraform snippet will revoke roles/editor from [email protected], as it's not present in the member list of google_project_iam_binding:
```hcl
resource "google_project_iam_binding" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  members = [
    "user:[email protected]",
  ]
}
```
However, if you have for example [email protected] and [email protected], who both have roles/editor on the project, and you want to add a new editor ([email protected]) without affecting the other roles/users, you can use google_project_iam_member:
```hcl
resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:[email protected]"
}
```
Notes from the documentation:
google_project_iam_policy cannot be used in conjunction with google_project_iam_binding, google_project_iam_member, or google_project_iam_audit_config, or they will fight over what your policy should be.
google_project_iam_binding resources can be used in conjunction with google_project_iam_member resources only if they do not grant privilege to the same role.
See:
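Putting the answer together with what the question asks for (custom roles assigned to a set of service accounts), here is an added example that is not part of the question, the answer or the Terraform provider's own documentation. It assumes a placeholder project id, constructed service account emails, an illustrative permission list and an illustrative role id; the resource types and arguments (google_project_iam_custom_role, google_project_iam_member with for_each, google_project_iam_binding) are the provider's real ones.

```hcl
# Added example: least-privilege role assignment with a custom role and
# non-authoritative google_project_iam_member resources, next to one
# authoritative google_project_iam_binding on a different role.
# All ids, emails and permissions below are placeholders/constructed.

locals {
  project_id = "your-project-id" # placeholder

  # Constructed map of principals that should receive the custom role.
  # Keys are stable, so adding or removing an entry changes only that
  # one grant in the plan instead of rewriting the whole member list.
  bucket_readers = {
    ingest = "serviceAccount:ingest@your-project-id.iam.gserviceaccount.com"
    report = "serviceAccount:report@your-project-id.iam.gserviceaccount.com"
  }
}

# Fine-grained custom role: only the permissions this workload needs.
resource "google_project_iam_custom_role" "bucket_object_reader" {
  project     = local.project_id
  role_id     = "bucketObjectReader" # placeholder role id
  title       = "Bucket object reader"
  description = "Read objects and list buckets, nothing else"
  permissions = [
    "storage.buckets.get",
    "storage.objects.get",
    "storage.objects.list",
  ]
}

# Non-authoritative: one resource per principal. Each grant stands on its
# own, so members added to this role outside Terraform are left alone.
resource "google_project_iam_member" "bucket_object_reader" {
  for_each = local.bucket_readers

  project = local.project_id
  role    = google_project_iam_custom_role.bucket_object_reader.name
  member  = each.value
}

# Authoritative: Terraform owns the complete member list for roles/owner.
# Any principal granted roles/owner outside this configuration is removed
# on the next apply. The role differs from the one managed by the
# google_project_iam_member resources above, so the two do not conflict.
resource "google_project_iam_binding" "owners" {
  project = local.project_id
  role    = "roles/owner"
  members = [
    "group:cloud-admins@example.com", # placeholder group
  ]
}
```

Two practical checks before applying this pattern: run `terraform plan` and confirm the authoritative binding does not remove a principal you still need, including the identity Terraform itself runs as, since an authoritative apply that drops it can lock you out of further changes; and keep each role managed by exactly one of the two resource types, because a binding and a member on the same role will keep undoing each other's changes, exactly as the documentation note above warns.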