bored-car-38257

04/13/2021, 2:39 PM
Hi all, can someone explain the difference between `gcp.projects.IAM*` & `gcp.serviceAccount.IAM*`? How and when to use these two?

green-school-95910

04/13/2021, 10:24 PM
Project level `IAM*` applies to every resource on the project. So if you give the base `viewer` role at that level to a user, the user would be able to see everything in the project.
`serviceAccount.IAM*` or the `IAM*` under any other resource applies to only one of that particular resource. If you give the same role to a user but using the `serviceAccount.IAM*` resources, you'd need to specify a service account and the user would only be able to see that service account and no other resource in the project.
What might be confusing is that `serviceAccount.IAM*` are used to give permissions regarding a particular service account, not necessarily to a service account (although it can be).

bored-car-38257

04/14/2021, 3:55 PM
@green-school-95910 - thanks a lot for your insight … 👌🏽