# google-cloud
Hi, I have a use case which requires different service accounts for different environments, and I need to apply permissions to those service accounts. The issue is that when I apply a binding, it overwrites the bindings for the other environment. Is there a way to only add without overwriting current bindings? For example, this is how I am currently doing it.
```typescript
import * as gcp from "@pulumi/gcp";
import * as gcpNative from "@pulumi/google-native";

// `environment` ("staging" / "prod") and `project` (GCP project ID) are set elsewhere in the program.
declare const environment: string, project: string;

const externalDnsGCPServiceAccount = new gcpNative.iam.v1.ServiceAccount(`external-dns-${environment}`, {
  accountId: `external-dns-${environment}`,
});

// Authoritative for roles/dns.admin: this member list replaces whatever the role previously had.
new gcp.projects.IAMBinding("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  members: [externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`)],
});
```
Here is the result of `gcloud projects get-iam-policy <project>` after running env=staging and then env=prod:
```yaml
- members:
  - serviceAccount:external-dns-prod@<project>.iam.gserviceaccount.com
  role: roles/dns.admin
```
AFAIR, you should use `gcp.projects.IAMMember` in such a case.
the difference is:
• `gcp.projects.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
• `gcp.projects.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
Thank you
```typescript
// Non-authoritative: adds this single member to roles/dns.admin and leaves the role's other members alone.
new gcp.projects.IAMMember("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  member: externalDnsGCPServiceAccount.email.apply((s) => `serviceAccount:${s}`),
});
```
Keep in mind the note provided in the docs as well: "`gcp.projects.IAMBinding` resources can be used in conjunction with `gcp.projects.IAMMember` resources only if they do not grant privilege to the same role."
Yep everything works as intended now. Thanks for the assistance.