Instead of assigning multiple roles per Developer, sysadmin and NRO, it might simply administration to define custom roles with all the necessary permissions: https://console.cloud.google.com/iam-admin/roles/create?project=planet-4-151612

Tasks:

• Determine the minimum necessary permissions for each business role
• Create custom IAM roles to describe these permissions for each project (custom role management via Terraform is a good candidate here, though perhaps not in this ticket)
• Update nro-generator init script to suit: https://github.com/greenpeace/planet4-nro-generator/blob/master/bin/init_service_account.sh#L26
• Update the Developers, Sysadmins, NRO service accounts to use newly defined roles