I went back and checked out the IAM console in GCP, and in there you can only bind a role to a single principal in their equivalent of a role binding, leading me to believe your solution is probably closer to how they do it internally. I would like to update the blog post and credit you for pointing it out. Is that OK with you?