The question in point regards to the google_cloud_composer_environment creates an service account. I’m testing if possible, of importing or iam_binding service account to create the configuration without using a default GCP SA. In my pipeline when I do a pull request, cloud build uses it’s default service account to build TF configuration. I’m seeing if possible if I could hard code an alternative service account (SA) to be either imported or bind with custom roles to have least privilege.