Support for member-specific authoritative IAM policy management

[mike-code]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
• Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
• If you are interested in working on this issue or have submitted a pull request, please leave a comment.
• If an issue is assigned to a user, that user is claiming responsibility for the issue.
• Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Description

It would be beneficial to have authoritative IAM member binding for a given member (not just a role). That way, as a terraform admin, I can make sure that particular IAM member does not have excess roles assigned to it. Otherwise I need workarounds to ensure that Alice has only the roles that are defined in terraform provider and that no other roles have been assigned e.g. via cloud console.

New or Affected Resource(s)

• google_service_account_iam_member_binding

Potential Terraform Configuration

No response

References

No response

[BBBmau]

From Triage: We would want to include this in every IAM resource.