No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi All ,
Can some one explain the difference between `gcp.projects.IAM*`  &amp; `gcp.serviceAccount.IAM*` . How and when to use these two ?

Project level `IAM*` applies to every resource on the project. So if you give the base `viewer` role at that level to a user, the user would be able to see everything in the project

`serviceAccount.IAM*` or the `IAM*` under any other resource applies to only one of that particular resource. If you give the same role to a user but using the `serviceAccount.IAM*` resources, you'd need to specify a service account and the user would only be able to see that service account and no other resource in the project

What might be confusing is that `serviceAccount.IAM*` are used to give permissions _regarding a particular service account_, not necessarily to a service account (although it can be)

<@USC68LB3J> - thanks a lot for your insight … :ok_hand::skin-tone-4: