11
votes

I am trying to understand the difference between google_service_account_iam_binding and google_service_account_iam_member in the GCP terraform provider at https://www.terraform.io/docs/providers/google/r/google_service_account_iam.html.

I understand that google_service_account_iam_binding is for granting a role to a list of members whereas google_service_account_iam_member is for granting a role to a single member, however I'm not clear on what is meant by "Authoritative" and "Non-Authoritative" in these definitions:

google_service_account_iam_binding: Authoritative for a given role. Updates the IAM policy to grant a role to a list of members. Other roles within the IAM policy for the service account are preserved.

google_service_account_iam_member: Non-authoritative. Updates the IAM policy to grant a role to a new member. Other members for the role for the service account are preserved.

Can anyone elaborate for me please?


2 Answers

11
votes

"Authoritative" means to change all related privileges; "non-authoritative", on the other hand, means not to change related privileges, only the ones you specified.

Otherwise, you can interpret authoritative as the single source of truth, and non-authoritative as a piece of truth.

1
votes

This link helps a lot. Basically it means that if a role is bound to a set of IAM identities and you want to add one more identity, the authoritative one will require you to specify all the old identities again, otherwise the old identities will be removed from the role. Non-authoritative is the opposite.
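To make the difference concrete, here is an added Terraform configuration (not from the question or either answer) showing both resources on one service account; the service account name, project and member identities are constructed placeholders.

```hcl
# Added example (not from the question or the answers). The service account,
# project and member identities below are constructed placeholders.

resource "google_service_account" "app" {
  account_id   = "example-app"
  display_name = "Example app service account"
}

# AUTHORITATIVE for roles/iam.serviceAccountUser: after apply, exactly these
# two members hold that role on this service account. Anyone else who had it
# (granted in the console, by another module, or by a second iam_binding for
# the same role) is removed on the next apply. Other roles are left untouched.
resource "google_service_account_iam_binding" "users" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.serviceAccountUser"
  members = [
    "user:alice@example.com",
    "group:platform-team@example.com",
  ]
}

# NON-AUTHORITATIVE: adds one member to roles/iam.serviceAccountTokenCreator
# without touching whoever else already holds that role. Several iam_member
# resources for the same role coexist safely, and destroying this resource
# removes only this one member.
resource "google_service_account_iam_member" "ci_token_creator" {
  service_account_id = google_service_account.app.name
  role               = "roles/iam.serviceAccountTokenCreator"
  member             = "serviceAccount:ci-runner@my-project.iam.gserviceaccount.com"
}

# Pitfall: do not mix the two for the SAME role on the same service account.
# The binding above would strip this member on every apply and this resource
# would add it back, producing a perpetual diff between runs.
# resource "google_service_account_iam_member" "conflicts_with_binding" {
#   service_account_id = google_service_account.app.name
#   role               = "roles/iam.serviceAccountUser"
#   member             = "user:bob@example.com"
# }
```

Run `terraform plan` after someone grants an extra roles/iam.serviceAccountUser member by hand: the binding will show that member being removed, while an out-of-band roles/iam.serviceAccountTokenCreator grant is not reported at all.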