Difference between google_project_iam_binding and google_project_iam_member
Hi terraform mates out there

I want to automate the role assignment process for service accounts and users on the Google Cloud Platform. I am actually thinking of creating IAM custom roles to get fine-grained role Terraform resources for different services, and assigning those roles to the users or service accounts I want.

Checking the way to associate which members will get what roles, I am actually wondering what the difference is between using google_project_iam_binding and using google_project_iam_member resources.

My current understanding would be to use google_project_iam_binding to grant roles to service accounts and google_project_iam_member for user accounts, but I am not sure, since in the documentation they use both to associate user accounts.

I also found this interesting article https://binx.io/nl/2021/12/16/how-to-name-your-google-project-iam-resources-in-terraform/

As you know, Google IAM resources in Terraform come in three flavors:

I didn't know the previous sentence and I would like to deep dive in the way I can use policies, and IAM roles in a better way for my purpose.

Pam answered 2/2, 2023 at 11:38 Comment(0)
As the documentation states:

  • google_project_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
  • google_project_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.

This means that google_project_iam_binding grants a role to a list of members, and revokes it from any other member.

So if your project had two users, e.g. [email protected] and [email protected], who both have roles/editor on the project, running the following Terraform snippet will revoke roles/editor from [email protected], as it's not present in the member list of google_project_iam_binding:

# Authoritative for roles/editor: after apply, ONLY the listed members hold this role.
# Bindings for other roles on the project are left untouched.
resource "google_project_iam_binding" "project" {
  project = "your-project-id"
  role    = "roles/editor"

  members = [
    "user:[email protected]",
  ]
}

However, if you have, for example, [email protected] and [email protected] who both have roles/editor on the project, and you want to add a new editor ([email protected]) without affecting the other roles/users, you can use google_project_iam_member:

# Non-authoritative: adds this one member to roles/editor; existing members of the
# role (and all other roles) are preserved.
resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:[email protected]"
}

Notes from the documentation:

google_project_iam_policy cannot be used in conjunction with google_project_iam_binding, google_project_iam_member, or google_project_iam_audit_config or they will fight over what your policy should be.

google_project_iam_binding resources can be used in conjunction with google_project_iam_member resources only if they do not grant privilege to the same role.

See:

Piacular answered 9/2, 2023 at 0:39 Comment(4)
So is the conclusion here iam_member means adding just one person and iam_binding means adding a list of people? – Took
No, iam_binding will grant a role to a list of members, and revokes it from any other member. And iam_member adds one, or a list of members: registry.terraform.io/providers/hashicorp/google/latest/docs/… – Piacular
Wow! Your explanation is so much better than the documentation. Thanks! :) – Dehiscent
I was really close to breaking stuff until I read this explanation. – Kraken
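A small Python model of how the two resources change a project's IAM policy, added here as an illustration (it is not code from the answer or from the Terraform provider); the starting policy, the identities and the helper names are constructed for the example, and the `revoked_by_binding` preview is the check to run before applying a binding to a role that already has members:

```python
from copy import deepcopy

# Constructed starting policy in GCP's {role, members} shape (sample identities only).
CURRENT = {"bindings": [
    {"role": "roles/editor", "members": ["user:alice@example.com", "user:bob@example.com"]},
    {"role": "roles/viewer", "members": ["serviceAccount:ci@example.iam.gserviceaccount.com"]},
]}

def members_of(policy, role):
    """Members currently holding `role` (empty list if the role is unbound)."""
    for b in policy["bindings"]:
        if b["role"] == role:
            return list(b["members"])
    return []

def apply_iam_binding(policy, role, members):
    """google_project_iam_binding: authoritative for ONE role. The role's member
    list becomes exactly `members`; bindings for other roles are preserved."""
    new = [b for b in deepcopy(policy["bindings"]) if b["role"] != role]
    new.append({"role": role, "members": sorted(set(members))})
    return {"bindings": new}

def apply_iam_member(policy, role, member):
    """google_project_iam_member: non-authoritative. Adds one member to the role;
    existing members of that role (and all other roles) are preserved."""
    new = deepcopy(policy["bindings"])
    for b in new:
        if b["role"] == role:
            if member not in b["members"]:
                b["members"] = sorted(b["members"] + [member])
            return {"bindings": new}
    new.append({"role": role, "members": [member]})
    return {"bindings": new}

def revoked_by_binding(policy, role, members):
    """Plan-time preview: who would LOSE `role` if this binding were applied.
    A non-empty result is the accidental revoke the answer warns about."""
    return sorted(set(members_of(policy, role)) - set(members))

def conflicting_roles(resources):
    """Documented rule: a binding and a member resource for the SAME role fight
    over the policy. `resources` is a list of ("binding" | "member", role)."""
    bound = {r for k, r in resources if k == "binding"}
    added = {r for k, r in resources if k == "member"}
    return sorted(bound & added)

if __name__ == "__main__":
    print(revoked_by_binding(CURRENT, "roles/editor", ["user:alice@example.com"]))
    print(members_of(apply_iam_member(CURRENT, "roles/editor", "user:carol@example.com"), "roles/editor"))
    print(conflicting_roles([("binding", "roles/editor"), ("member", "roles/editor")]))
```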
