I am picking up Terraform for GCP and I came across these three resources:
They sound very similar to each other but certainly with some key differences.
I went through their docs but their differences were not absolutely clear to me. Is there any easy way to illustrate the difference between these?
Thanks
Within GCP, there is a hierarchy: Organization, Project, Resource.
The IAM policies you mentioned behave the same; however, they work on different levels based on the hierarchy.
For example, the google_project_iam_member will update the IAM policy to grant a role to a new member on the project level.
The google_organization_iam_member will do the same thing, but on the Organization level (which is a level higher than the project).
Update:
The google_service_account_iam_member will work on every level depending on what you would like the service account to do. You can either have the service account act as an identity or just have it run a certain resource. A service account can be added on all three levels.
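The three resources side by side, as an added example that is not part of the original question or answer. The organization ID, project ID, member, and service account name are constructed placeholders, and the roles are chosen only for illustration.

```hcl
# Placeholder values, constructed for illustration.
locals {
  org_id     = "123456789012"
  project_id = "example-project"
  member     = "user:alice@example.com"
}

# Organization scope: the binding is added to the organization's IAM policy
# and is inherited by every folder and project underneath it.
resource "google_organization_iam_member" "org_browser" {
  org_id = local.org_id
  role   = "roles/browser"
  member = local.member
}

# Project scope: the binding is added to one project's IAM policy and is
# inherited only by resources inside that project.
resource "google_project_iam_member" "project_viewer" {
  project = local.project_id
  role    = "roles/viewer"
  member  = local.member
}

# A service account to attach a policy to (hypothetical name).
resource "google_service_account" "app" {
  project      = local.project_id
  account_id   = "example-app"
  display_name = "Example app service account"
}

# Service account scope: the binding is added to the IAM policy of the
# service account itself, so it controls who may use or manage that one
# account. It does not grant the service account any roles elsewhere.
resource "google_service_account_iam_member" "app_user" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.serviceAccountUser"
  member             = local.member
}
```

All three are the non-authoritative `_iam_member` variants, so each adds a single member to a role and leaves other bindings on that policy untouched; granting at the narrowest scope that works keeps the blast radius of a compromised identity small.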