Least privilege for Terraform service accounts - Time & Space Complexity
We want to understand how the number of permission checks and API calls grows when Terraform uses service accounts with least privilege.
How does limiting permissions affect the number of operations Terraform performs?
Analyze the time complexity of Terraform applying permissions with least privilege.
```hcl
resource "google_project_iam_member" "terraform_sa_role" {
  for_each = toset(var.roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${var.terraform_sa_email}"
}
```
This code assigns specific roles to the Terraform service account for each role it needs.
Identify the API calls, resource provisioning steps, and data transfers that repeat.
- Primary operation: Assigning IAM roles to the service account for each role.
- How many times: Once per role in the input list.
Each role requires a separate permission assignment, so the number of API calls grows directly with the number of roles.
| Input size (n roles) | Approx. API calls/operations |
|---|---|
| 10 | 10 |
| 100 | 100 |
| 1000 | 1000 |
Pattern observation: The operations increase one-to-one with the number of roles.
Time Complexity: O(n)
This means the number of permission assignments grows directly with the number of roles assigned.
[X] Wrong: "Assigning one broad role once is faster and simpler than many specific roles."
[OK] Correct: While fewer assignments happen, a broad role grants far more than Terraform needs, which creates security risk and may trigger more permission checks during operations, increasing hidden costs.
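As an added example (not code from the original page), here is the binding above as a complete module that `terraform validate` accepts: the `for_each` still creates one binding per role, so apply cost stays O(n), and a variable validation refuses the broad primitive roles the wrong answer proposes. The variable names come from the page; the default role list is a constructed sample.

```hcl
# Added example, not from the original page: bind narrow roles to the
# Terraform service account with for_each, refusing broad primitive roles.

terraform {
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = ">= 5.0"
    }
  }
}

variable "project_id" {
  type = string
}

variable "terraform_sa_email" {
  type = string
}

variable "roles" {
  type = list(string)
  # Constructed sample: one narrow role per resource family Terraform manages.
  default = [
    "roles/compute.instanceAdmin.v1",
    "roles/storage.objectAdmin",
    "roles/iam.serviceAccountUser",
  ]

  validation {
    # Primitive roles grant project-wide access; reject them so every
    # binding this module creates is narrowly scoped.
    condition = alltrue([
      for r in var.roles : !contains(["roles/owner", "roles/editor", "roles/viewer"], r)
    ])
    error_message = "Primitive roles (owner/editor/viewer) are not allowed; list narrow predefined or custom roles instead."
  }
}

# One binding per role: n roles -> n google_project_iam_member resources ->
# n IAM policy updates on apply, the O(n) growth discussed above.
resource "google_project_iam_member" "terraform_sa_role" {
  for_each = toset(var.roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${var.terraform_sa_email}"
}
```

Passing `roles/editor` in `var.roles` fails at plan time with the validation message, before any IAM call is made.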
Understanding how permission assignments scale helps you design secure and efficient infrastructure automation, a valuable skill in cloud roles.
"What if we grouped resources to share roles instead of assigning per resource? How would the time complexity change?"