Manage GCP Access Context Manager IAM Bindings

The gcp:accesscontextmanager/accessPolicyIamBinding:AccessPolicyIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Access Context Manager access policies. It controls who can administer VPC Service Controls by granting roles to users, service accounts, and groups. This guide focuses on two capabilities: authoritative role bindings and non-authoritative member grants.

IAM bindings attach to an existing access policy and reference identities in specific formats (user:email, serviceAccount:email, group:email). The examples are intentionally small. Combine them with your own access policy and identity management.

Grant a role to multiple members with binding

Teams managing VPC Service Controls often need to grant the same role to multiple users or service accounts at once. AccessPolicyIamBinding provides authoritative control over who has a specific role while preserving other roles on the policy.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.accesscontextmanager.AccessPolicyIamBinding("binding", {
    name: access_policy.name,
    role: "roles/accesscontextmanager.policyAdmin",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.accesscontextmanager.AccessPolicyIamBinding("binding",
    name=access_policy["name"],
    role="roles/accesscontextmanager.policyAdmin",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/accesscontextmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := accesscontextmanager.NewAccessPolicyIamBinding(ctx, "binding", &accesscontextmanager.AccessPolicyIamBindingArgs{
			Name: pulumi.Any(access_policy.Name),
			Role: pulumi.String("roles/accesscontextmanager.policyAdmin"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.AccessContextManager.AccessPolicyIamBinding("binding", new()
    {
        Name = access_policy.Name,
        Role = "roles/accesscontextmanager.policyAdmin",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accesscontextmanager.AccessPolicyIamBinding;
import com.pulumi.gcp.accesscontextmanager.AccessPolicyIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new AccessPolicyIamBinding("binding", AccessPolicyIamBindingArgs.builder()
            .name(access_policy.name())
            .role("roles/accesscontextmanager.policyAdmin")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:accesscontextmanager:AccessPolicyIamBinding
    properties:
      name: ${["access-policy"].name}
      role: roles/accesscontextmanager.policyAdmin
      members:
        - user:jane@example.com

The binding resource takes complete control of the specified role. The name property references your access policy, role specifies which permission to grant (here, policyAdmin), and members lists all identities that should have this role. If you later remove a member from the list, Pulumi revokes their access. Other roles on the policy remain unchanged.

Add a single member to a role non-authoritatively

When multiple teams manage access to the same policy, non-authoritative member grants prevent conflicts. AccessPolicyIamMember adds one identity to a role without affecting other members.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.accesscontextmanager.AccessPolicyIamMember("member", {
    name: access_policy.name,
    role: "roles/accesscontextmanager.policyAdmin",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.accesscontextmanager.AccessPolicyIamMember("member",
    name=access_policy["name"],
    role="roles/accesscontextmanager.policyAdmin",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/accesscontextmanager"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := accesscontextmanager.NewAccessPolicyIamMember(ctx, "member", &accesscontextmanager.AccessPolicyIamMemberArgs{
			Name:   pulumi.Any(access_policy.Name),
			Role:   pulumi.String("roles/accesscontextmanager.policyAdmin"),
			Member: pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.AccessContextManager.AccessPolicyIamMember("member", new()
    {
        Name = access_policy.Name,
        Role = "roles/accesscontextmanager.policyAdmin",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.accesscontextmanager.AccessPolicyIamMember;
import com.pulumi.gcp.accesscontextmanager.AccessPolicyIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new AccessPolicyIamMember("member", AccessPolicyIamMemberArgs.builder()
            .name(access_policy.name())
            .role("roles/accesscontextmanager.policyAdmin")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:accesscontextmanager:AccessPolicyIamMember
    properties:
      name: ${["access-policy"].name}
      role: roles/accesscontextmanager.policyAdmin
      member: user:jane@example.com

The member resource grants access to one identity without claiming ownership of the entire role. Multiple AccessPolicyIamMember resources can target the same role, each adding one identity. This approach works when different Pulumi stacks or teams need to grant access independently. The member property takes a single identity string, while the binding resource’s members property takes an array.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control using binding and member resources. They’re intentionally minimal rather than full access control configurations.

The examples reference pre-existing infrastructure such as an Access Context Manager access policy. They focus on configuring IAM permissions rather than provisioning the underlying policy.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Full policy replacement (AccessPolicyIamPolicy resource)
Custom role configuration
Service account and group identity formats

These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the AccessPolicyIamBinding resource reference for all available configuration options.

Let's manage GCP Access Context Manager IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

Can I use multiple IAM resource types together for the same Access Policy?

AccessPolicyIamPolicy cannot be used with AccessPolicyIamBinding or AccessPolicyIamMember as they will conflict over policy state. However, AccessPolicyIamBinding and AccessPolicyIamMember can be used together only if they manage different roles.

Which IAM resource should I use for managing Access Policy permissions?

Choose based on your needs:

AccessPolicyIamPolicy: Authoritative, replaces entire IAM policy
AccessPolicyIamBinding: Authoritative for a specific role, preserves other roles
AccessPolicyIamMember: Non-authoritative, adds individual members while preserving existing ones

Configuration & Roles

How do I specify custom roles for Access Policy IAM bindings?

Custom roles must use the full path format: [projects/my-project|organizations/my-org]/roles/my-custom-role. This is especially important when importing IAM resources.

What properties can't I change after creating an AccessPolicyIamBinding?

The name, role, and condition properties are immutable and cannot be changed after creation.

Member Identities

What member identity formats are supported in AccessPolicyIamBinding?

Supported formats include:

user:{email}: Specific Google account (e.g., alice@gmail.com)
serviceAccount:{email}: Service account (e.g., my-app@appspot.gserviceaccount.com)
group:{email}: Google group (e.g., admins@example.com)
domain:{domain}: G Suite domain (e.g., example.com)
projectOwner/Editor/Viewer:{projectid}: Project-level roles
allUsers: Anyone on the internet
allAuthenticatedUsers: Anyone with a Google account
Federated identities: principal://iam.googleapis.com/...

Can I use only one AccessPolicyIamBinding per role?

Yes, only one AccessPolicyIamBinding can be used per role. If you need to add multiple members to the same role, include them all in the members array of a single binding, or use AccessPolicyIamMember resources instead.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides