Difference between google_project_iam_* and other google_*_iam_* resources


When I replace google_service_account_iam_member here with google_project_iam_member it still works, which makes me think that google_project_iam_* provides broader permissions: permissions that target any, so to say, target, be it a service account or whatever. And it seems like it's best to avoid it if there is a more specific resource. How do I know if there's a more specific resource? To be more specific, the other roles in the gist are:

  • roles/compute.osLogin
  • roles/compute.osAdminLogin
  • roles/iap.tunnelResourceAccessor

But I'd like to understand how to do this generally. Or maybe I'm missing something?

UPD I just thought that maybe this might be the hint:

Lowest-level resources where you can grant this role: Instance

But with google_compute_instance_iam_member it doesn't seem to work.

1

There is 1 answer

1
marcjanek On

Resource google_service_account_iam_member allows you to add members that can be used by the service account that is getting access. In this example, SA is getting the possibility to use the default GKE SA:

data "google_compute_default_service_account" "default" {
}

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that Jane can use"
}

# Allow the SA service account to use the default GCE account
resource "google_service_account_iam_member" "gce-default-account-iam" {
  service_account_id = data.google_compute_default_service_account.default.name
  role               = "roles/iam.serviceAccountUser"
  member             = "serviceAccount:${google_service_account.sa.email}"
}

On the other side the resource google_project_iam_member grants access for identities to all resources in the project. With this example you will grant admin access to all Google Storage Buckets:

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that Jane can use"
}

resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/storage.admin"
  member  = "serviceAccount:${google_service_account.sa.email}"
}

The last option that you mentioned in the update is google_compute_*_iam_member, which grants access on the resource level. That's why, when you run this code sample, you grant admin access to only one Google Storage Bucket:

resource "google_service_account" "sa" {
  account_id   = "my-service-account"
  display_name = "A service account that Jane can use"
}

resource "google_storage_bucket" "example" {
  name          = "example"
  location      = "US"
}

resource "google_storage_bucket_iam_member" "member" {
  bucket = google_storage_bucket.example.name
  role   = "roles/storage.admin"
  member = "serviceAccount:${google_service_account.sa.email}"
}

To follow least-privilege role assignment, you should grant access to the specific Google service with the resources google_compute_*_iam_member. You can find these resources in the specific category in the Terraform registry. For example, the IAM resource for the storage bucket is placed under Cloud Storage -> Resources -> google_storage_bucket_iam:

[screenshot: Terraform registry navigation, Cloud Storage -> Resources -> google_storage_bucket_iam]
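A check that follows from the answer above, added here as an example and not part of the original question or answer: a small script that reads the JSON form of a Terraform plan (`terraform show -json tfplan`), flags every google_project_iam_member / google_project_iam_binding / google_project_iam_policy grant that is being created or updated, and names the resource-scoped google_*_iam_member alternative for the role family. The plan embedded below is constructed so the script runs offline, and the role-to-resource mapping is an assumption made for this example (the role's "Lowest-level resources where you can grant this role" note in the IAM docs is the authoritative source for whether a narrower scope exists).

```python
"""Flag project-wide IAM grants in a Terraform plan and suggest narrower scopes.

Added example, not part of the original question or answer.  The plan JSON
below is constructed; the role-family -> resource mapping is an assumption.
"""
import json

# Resources that bind a role at project scope, i.e. on every resource in the project.
PROJECT_WIDE = {
    "google_project_iam_member",
    "google_project_iam_binding",
    "google_project_iam_policy",
}

# Assumed mapping for this example: role family -> resource-scoped IAM resource.
# Longest prefixes are listed before shorter ones that would also match.
NARROWER_RESOURCE = [
    ("roles/storage.", "google_storage_bucket_iam_member"),
    ("roles/iam.serviceAccount", "google_service_account_iam_member"),
    ("roles/compute.osAdminLogin", "google_compute_instance_iam_member"),
    ("roles/compute.osLogin", "google_compute_instance_iam_member"),
    ("roles/iap.tunnelResourceAccessor", "google_iap_tunnel_instance_iam_member"),
]


def suggest_narrower(role):
    """Return the resource-scoped IAM resource for a role family, or None if unknown."""
    for prefix, resource in NARROWER_RESOURCE:
        if role.startswith(prefix):
            return resource
    return None


def roles_in_change(rtype, after):
    """Extract (role, members) pairs from the planned 'after' state of one resource."""
    if rtype == "google_project_iam_member":
        return [(after["role"], [after["member"]])]
    if rtype == "google_project_iam_binding":
        return [(after["role"], list(after.get("members", [])))]
    # google_project_iam_policy carries its bindings as a JSON string in policy_data;
    # it may be unknown (None) at plan time, which we treat as no bindings.
    policy = json.loads(after.get("policy_data") or "{}")
    return [(b["role"], list(b.get("members", []))) for b in policy.get("bindings", [])]


def find_project_wide_grants(plan):
    """Return one finding per project-wide role grant that the plan would create or update."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc["type"] not in PROJECT_WIDE:
            continue
        change = rc["change"]
        if not ({"create", "update"} & set(change["actions"])):
            continue  # deletions and no-ops do not add access
        after = change.get("after") or {}
        for role, members in roles_in_change(rc["type"], after):
            findings.append({
                "address": rc["address"],
                "role": role,
                "members": members,
                "suggest": suggest_narrower(role),
            })
    return findings


# Constructed sample plan (shape of `terraform show -json`), not real output.
SA = "serviceAccount:my-service-account@your-project-id.iam.gserviceaccount.com"
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "google_project_iam_member.project", "type": "google_project_iam_member",
         "change": {"actions": ["create"], "after": {
             "project": "your-project-id", "role": "roles/storage.admin", "member": SA}}},
        {"address": "google_storage_bucket_iam_member.member", "type": "google_storage_bucket_iam_member",
         "change": {"actions": ["create"], "after": {
             "bucket": "example", "role": "roles/storage.admin", "member": SA}}},
        {"address": "google_project_iam_binding.oslogin", "type": "google_project_iam_binding",
         "change": {"actions": ["create"], "after": {
             "project": "your-project-id", "role": "roles/compute.osLogin",
             "members": ["user:jane@example.com"]}}},
        {"address": "google_project_iam_policy.whole", "type": "google_project_iam_policy",
         "change": {"actions": ["update"], "after": {
             "project": "your-project-id",
             "policy_data": json.dumps({"bindings": [
                 {"role": "roles/owner", "members": ["group:admins@example.com"]}]})}}},
        {"address": "google_project_iam_member.old", "type": "google_project_iam_member",
         "change": {"actions": ["delete"], "before": {"role": "roles/owner"}, "after": None}},
    ]
}


if __name__ == "__main__":
    for f in find_project_wide_grants(SAMPLE_PLAN):
        hint = f["suggest"] or "no resource-scoped alternative known for this role"
        print(f"{f['address']}: {f['role']} -> {', '.join(f['members'])}  (consider: {hint})")
```

Run it against a real plan with `terraform plan -out=tfplan && terraform show -json tfplan > plan.json` and replace SAMPLE_PLAN with `json.load(open("plan.json"))`. The bucket-scoped binding in the sample is deliberately not flagged, the deleted grant is skipped, and the policy resource shows the one shape that needs a second JSON parse.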