IAM modeling(https://authzed.com/blog/google-cloud-iam-modeling) is a good write-up to understand user-defined roles but one thing I am a little puzzled is how I can introduce machine users/api key kind of entity in this. I guess

apikey {}

would be a different entity like

user {}

? If it is, should we support everywhere

apikey{}

as well where the user was checked? Like in role we will do

user:* | apikey:*

and in binding

apikey & role->somerel

? Or there is a better alternate?