terraform-provider-google/website/docs/r/google_project_iam.html.markdown

---
layout: "google"
page_title: "Google: google_project_iam"
sidebar_current: "docs-google-project-iam-x"
description: |-
 Collection of resources to manage IAM policy for a project.
---

# IAM policy for projects

Three different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:

* `google_project_iam_policy`: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.
* `google_project_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
* `google_project_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.

~> **Note:** `google_project_iam_policy` **cannot** be used in conjunction with `google_project_iam_binding` and `google_project_iam_member` or they will fight over what your policy should be.

~> **Note:** `google_project_iam_binding` resources **can be** used in conjunction with `google_project_iam_member` resources **only if** they do not grant privilege to the same role.

## google\_project\_iam\_policy

~> **Be careful!** You can accidentally lock yourself out of your project
   using this resource. Deleting a `google_project_iam_policy` removes access
   from anyone without organization-level access to the project. Proceed with caution.
   It's not recommended to use `google_project_iam_policy` with your provider project
   to avoid locking yourself out, and it should generally only be used with projects
   fully managed by Terraform.

```hcl
resource "google_project_iam_policy" "project" {
  project     = "your-project-id"
  policy_data = "${data.google_iam_policy.admin.policy_data}"
}

data "google_iam_policy" "admin" {
  binding {
    role = "roles/editor"

    members = [
      "user:jane@example.com",
    ]
  }
}
```

## google\_project\_iam\_binding

~> **Note:** If `role` is set to `roles/owner` and you don't specify a user or service account you have access to in `members`, you can lock yourself out of your project.

```hcl
resource "google_project_iam_binding" "project" {
  project = "your-project-id"
  role    = "roles/editor"

  members = [
    "user:jane@example.com",
  ]
}
```

## google\_project\_iam\_member

```hcl
resource "google_project_iam_member" "project" {
  project = "your-project-id"
  role    = "roles/editor"
  member  = "user:jane@example.com"
}
```

## Argument Reference

The following arguments are supported:

* `member/members` - (Required) Identities that will be granted the privilege in `role`.
  Each entry can have one of the following values:
  * **user:{emailid}**: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.
  * **serviceAccount:{emailid}**: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.
  * **group:{emailid}**: An email address that represents a Google group. For example, admins@example.com.
  * **domain:{domain}**: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.

* `role` - (Required) The role that should be applied. Only one
    `google_project_iam_binding` can be used per role. Note that custom roles must be of the format
    `[projects|organizations]/{parent-name}/roles/{role-name}`.

* `policy_data` - (Required only by `google_project_iam_policy`) The `google_iam_policy` data source that represents
    the IAM policy that will be applied to the project. The policy will be
    merged with any existing policy applied to the project.

    Changing this updates the policy.

    Deleting this removes all policies from the project, locking out users without
    organization-level access.

* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`
or `google_project_iam_member`, uses the ID of the project configured with the provider.
Required for `google_project_iam_policy` - you must explicitly set the project, and it
will not be inferred from the provider.
    
## Attributes Reference

In addition to the arguments listed above, the following computed attributes are
exported:

* `etag` - (Computed) The etag of the project's IAM policy.


## Import

IAM member imports use space-delimited identifiers; the resource in question, the role, and the account.  This member resource can be imported using the `project_id`, role, and member e.g.

```
$ terraform import google_project_iam_member.my_project "your-project-id roles/viewer user:user:foo@example.com"
```

IAM binding imports use space-delimited identifiers; the resource in question and the role.  This binding resource can be imported using the `project_id` and role, e.g.

```
terraform import google_project_iam_binding.my_project "your-project-id roles/viewer"
```

IAM policy imports use the identifier of the resource in question.  This policy resource can be imported using the `project_id`.

```
$ terraform import google_project_iam_policy.my_project your-project-id
```
consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00			`---`
			`layout: "google"`
			`page_title: "Google: google_project_iam"`
			`sidebar_current: "docs-google-project-iam-x"`
			`description: \|-`
			`Collection of resources to manage IAM policy for a project.`
			`---`

			`# IAM policy for projects`

			`Three different resources help you manage your IAM policy for a project. Each of these resources serves a different use case:`

			* `google_project_iam_policy`: Authoritative. Sets the IAM policy for the project and replaces any existing policy already attached.
			* `google_project_iam_binding`: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the project are preserved.
			* `google_project_iam_member`: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the project are preserved.

			~> Note: `google_project_iam_policy` cannot be used in conjunction with `google_project_iam_binding` and `google_project_iam_member` or they will fight over what your policy should be.

			~> Note: `google_project_iam_binding` resources can be used in conjunction with `google_project_iam_member` resources only if they do not grant privilege to the same role.

			`## google\_project\_iam\_policy`

			`~> Be careful! You can accidentally lock yourself out of your project`
Make google_project_iam_policy authoritative. (#2315) <!-- This change is generated by MagicModules. --> /cc @rileykarson 2018-10-30 20:39:07 +00:00			using this resource. Deleting a `google_project_iam_policy` removes access
			`from anyone without organization-level access to the project. Proceed with caution.`
			It's not recommended to use `google_project_iam_policy` with your provider project
			`to avoid locking yourself out, and it should generally only be used with projects`
			`fully managed by Terraform.`
consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00
			```hcl
			`resource "google_project_iam_policy" "project" {`
			`project = "your-project-id"`
			`policy_data = "${data.google_iam_policy.admin.policy_data}"`
			`}`

			`data "google_iam_policy" "admin" {`
			`binding {`
			`role = "roles/editor"`

			`members = [`
			`"user:jane@example.com",`
			`]`
			`}`
			`}`
			```

			`## google\_project\_iam\_binding`

Add warning to google_project_iam_binding. Call out that it's possible to lock yourself out using `google_project_iam_binding`. 2018-07-06 11:40:50 +00:00			~> Note: If `role` is set to `roles/owner` and you don't specify a user or service account you have access to in `members`, you can lock yourself out of your project.

consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00			```hcl
			`resource "google_project_iam_binding" "project" {`
			`project = "your-project-id"`
			`role = "roles/editor"`

			`members = [`
			`"user:jane@example.com",`
			`]`
			`}`
			```

			`## google\_project\_iam\_member`

			```hcl
			`resource "google_project_iam_member" "project" {`
			`project = "your-project-id"`
			`role = "roles/editor"`
			`member = "user:jane@example.com"`
			`}`
			```

			`## Argument Reference`

			`The following arguments are supported:`

			* `member/members` - (Required) Identities that will be granted the privilege in `role`.
			`Each entry can have one of the following values:`
			`* user:{emailid}: An email address that represents a specific Google account. For example, alice@gmail.com or joe@example.com.`
			`* serviceAccount:{emailid}: An email address that represents a service account. For example, my-other-app@appspot.gserviceaccount.com.`
			`* group:{emailid}: An email address that represents a Google group. For example, admins@example.com.`
Replace "Google Apps domain" with "G Suite domain" Google Apps is a former name. Also, I mention primary domain and domain alias. It seems I have to use the primary domain. Otherwise, GCP replaces the field to the primary one. And every time Terraform plan returns a diff about it. I used domain alias for `members` arg in `google_project_iam_member` resource. `terraform apply` was succeeded. However, when I run modify other resources, I got a diff about the `google_project_iam_member` resource. 2018-09-22 11:51:42 +00:00			`* domain:{domain}: A G Suite domain (primary, instead of alias) name that represents all the users of that domain. For example, google.com or example.com.`
consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00
			* `role` - (Required) The role that should be applied. Only one
			`google_project_iam_binding` can be used per role. Note that custom roles must be of the format
			`[projects\|organizations]/{parent-name}/roles/{role-name}`.

			* `policy_data` - (Required only by `google_project_iam_policy`) The `google_iam_policy` data source that represents
			`the IAM policy that will be applied to the project. The policy will be`
			`merged with any existing policy applied to the project.`

			`Changing this updates the policy.`

Make google_project_iam_policy authoritative. (#2315) <!-- This change is generated by MagicModules. --> /cc @rileykarson 2018-10-30 20:39:07 +00:00			`Deleting this removes all policies from the project, locking out users without`
			`organization-level access.`

			* `project` - (Optional) The project ID. If not specified for `google_project_iam_binding`
			or `google_project_iam_member`, uses the ID of the project configured with the provider.
			Required for `google_project_iam_policy` - you must explicitly set the project, and it
			`will not be inferred from the provider.`
consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00
			`## Attributes Reference`

			`In addition to the arguments listed above, the following computed attributes are`
			`exported:`

			* `etag` - (Computed) The etag of the project's IAM policy.


			`## Import`

Fix documentation around iam member imports (#2865) Signed-off-by: Modular Magician <magic-modules@google.com> 2019-01-12 01:23:56 +00:00			IAM member imports use space-delimited identifiers; the resource in question, the role, and the account. This member resource can be imported using the `project_id`, role, and member e.g.
consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00
			```
Fix documentation around iam member imports (#2865) Signed-off-by: Modular Magician <magic-modules@google.com> 2019-01-12 01:23:56 +00:00			`$ terraform import google_project_iam_member.my_project "your-project-id roles/viewer user:user:foo@example.com"`
			```

			IAM binding imports use space-delimited identifiers; the resource in question and the role. This binding resource can be imported using the `project_id` and role, e.g.

			```
			`terraform import google_project_iam_binding.my_project "your-project-id roles/viewer"`
			```
consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00
Fix documentation around iam member imports (#2865) Signed-off-by: Modular Magician <magic-modules@google.com> 2019-01-12 01:23:56 +00:00			IAM policy imports use the identifier of the resource in question. This policy resource can be imported using the `project_id`.
consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00
Fix documentation around iam member imports (#2865) Signed-off-by: Modular Magician <magic-modules@google.com> 2019-01-12 01:23:56 +00:00			```
			`$ terraform import google_project_iam_policy.my_project your-project-id`
consolidate iam docs, add a bit more for service account (#1227) 2018-03-21 00:06:54 +00:00			```