No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Here is the result of `gcloud projects get-iam-policy &lt;project&gt;` after running env=staging then env=prod
```- members:
  - serviceAccount:external-dns-prod@&lt;projec&gt;.<http://iam.gserviceaccount.com|iam.gserviceaccount.com>
  role: roles/dns.admin```

AFAIR, you should use `IAMMember` in such case

the difference is:
&gt; • `gcp.projects.IAMBinding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
&gt; • `gcp.projects.IAMMember`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.


<https://www.pulumi.com/registry/packages/gcp/api-docs/projects/iammember/>

try:
```new gcp.projects.IAMMember("external-dns-dns-admin-rb", {
  project: project,
  role: "roles/dns.admin",
  member: externalDnsGCPServiceAccount.email.apply((s) =&gt; `serviceAccount:${s}`),
});```

keep in mind the note provided in the docs as well:
&gt; Note: `gcp.projects.IAMBinding` resources can be used in conjunction with `gcp.projects.IAMMember` resources only if they do not grant privilege to the same role.

Yep everything works as intended now. Thanks for the assistance.