Collection of resources to manage IAM policy for a project.
---
# IAM policy for projects
Three different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:
*`google_project_iam_policy`: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.
*`google_project_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
*`google_project_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.
~> **Note:**`google_project_iam_policy`**cannot** be used in conjunction with `google_project_iam_binding` and `google_project_iam_member` or they will fight over what your policy should be.
~> **Note:**`google_project_iam_binding` resources **can be** used in conjunction with `google_project_iam_member` resources **only if** they do not grant privilege to the same role.
## google\_project\_iam\_policy
~> **Be careful!** You can accidentally lock yourself out of your project
~> **Note:** If `role` is set to `roles/owner` and you don't specify a user or service account you have access to in `members`, you can lock yourself out of your project.
* **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.
IAM member imports use space-delimited identifiers; the resource in question, the role, and the account. This member resource can be imported using the `project_id`, role, and member e.g.
IAM binding imports use space-delimited identifiers; the resource in question and the role. This binding resource can be imported using the `project_id` and role, e.g.