Terraform GCP service_account vs project vs org

Question

i am picking up terraform for GCP and i came across these three resources:

1. google_service_account_iam_member
2. google_project_iam_member
3. google_organization_iam_member

They sound very similar to each other but certainly with some key differences.

I went through their docs but their differences were not absolutely clear to me. Is there any easy way to illustrate the difference between these?

Thanks

Answer 1

As described before the google_project_iam_member and google_organization_iam_member, are used to manager IAM permission in the project or organization level. You can also manage permission on the folder level.

When, IAM is granted on the org level all folders and projects inherit that permission. When granted in the folder, alll projects and sub folders under that folder will inherit that permission.

Permissions can also be managed at resource level, the google_service_account_iam_member allow to grant permission to manage the service account and use the service account in the service account level. That helpful when you want to grant more restricted permissions and grant access to a single service account instead of all service accounts from the project.

Thanks, Eduardo Ruela

Answer 2

Within GCP, there is a hierarchy: Organization, Project, Resource

The IAM policies you mentioned behaves the same; however, works on different levels based on the hierarchy.

For example, the google_project_iam_member will update the IAM policy to grant a role to a new member on the project level.

The google_organization_iam_member will do the same thing, but on the Organization level (which is a level higher than the project).

Update:

The google_service_account_iam_member will work on every level depending on what you would like the service account to do. You can either have the service account act as an identity or just have it run a certain resouce. A service account can be added on all three levels.