Manage IAM Permissions for GCP AI Notebooks

The gcp:notebooks/instanceIamBinding:InstanceIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Cloud AI Notebooks instances by controlling which identities have access to specific roles. This guide focuses on two capabilities: granting roles to multiple members and adding individual members incrementally.

This resource references existing notebook instances and requires project and location identifiers. The examples are intentionally small. Combine them with your own notebook instances and identity management strategy.

Grant a role to multiple members at once

Teams managing notebook access often need to grant the same role to multiple users, service accounts, or groups simultaneously.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.notebooks.InstanceIamBinding("binding", {
    project: instance.project,
    location: instance.location,
    instanceName: instance.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.notebooks.InstanceIamBinding("binding",
    project=instance["project"],
    location=instance["location"],
    instance_name=instance["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/notebooks"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := notebooks.NewInstanceIamBinding(ctx, "binding", &notebooks.InstanceIamBindingArgs{
			Project:      pulumi.Any(instance.Project),
			Location:     pulumi.Any(instance.Location),
			InstanceName: pulumi.Any(instance.Name),
			Role:         pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Notebooks.InstanceIamBinding("binding", new()
    {
        Project = instance.Project,
        Location = instance.Location,
        InstanceName = instance.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.notebooks.InstanceIamBinding;
import com.pulumi.gcp.notebooks.InstanceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new InstanceIamBinding("binding", InstanceIamBindingArgs.builder()
            .project(instance.project())
            .location(instance.location())
            .instanceName(instance.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:notebooks:InstanceIamBinding
    properties:
      project: ${instance.project}
      location: ${instance.location}
      instanceName: ${instance.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The role property specifies which permission set to grant (e.g., “roles/viewer”). The members array lists all identities that receive this role; InstanceIamBinding is authoritative for this role, meaning it replaces any existing member list. The instanceName, location, and project properties identify which notebook instance to configure.

Add a single member to a role incrementally

When access needs evolve, teams add individual members to roles without affecting existing grants.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.notebooks.InstanceIamMember("member", {
    project: instance.project,
    location: instance.location,
    instanceName: instance.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.notebooks.InstanceIamMember("member",
    project=instance["project"],
    location=instance["location"],
    instance_name=instance["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/notebooks"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := notebooks.NewInstanceIamMember(ctx, "member", &notebooks.InstanceIamMemberArgs{
			Project:      pulumi.Any(instance.Project),
			Location:     pulumi.Any(instance.Location),
			InstanceName: pulumi.Any(instance.Name),
			Role:         pulumi.String("roles/viewer"),
			Member:       pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Notebooks.InstanceIamMember("member", new()
    {
        Project = instance.Project,
        Location = instance.Location,
        InstanceName = instance.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.notebooks.InstanceIamMember;
import com.pulumi.gcp.notebooks.InstanceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new InstanceIamMember("member", InstanceIamMemberArgs.builder()
            .project(instance.project())
            .location(instance.location())
            .instanceName(instance.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:notebooks:InstanceIamMember
    properties:
      project: ${instance.project}
      location: ${instance.location}
      instanceName: ${instance.name}
      role: roles/viewer
      member: user:jane@example.com

The member property (singular) specifies one identity to add. Unlike InstanceIamBinding, InstanceIamMember is non-authoritative: it preserves other members already assigned to the same role. This approach works well when multiple teams manage access independently, as long as they don’t conflict on the same role.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and bulk member assignment vs incremental grants. They’re intentionally minimal rather than full access management solutions.

The examples reference pre-existing infrastructure such as Cloud AI Notebooks instances and GCP projects with configured locations. They focus on configuring IAM bindings rather than provisioning the underlying notebook infrastructure.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Custom role definitions and formatting
Policy-level management (InstanceIamPolicy resource)
Conflict resolution between binding types

These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the Notebooks InstanceIamBinding resource reference for all available configuration options.

Let's manage IAM Permissions for GCP AI Notebooks

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

What's the difference between InstanceIamPolicy, InstanceIamBinding, and InstanceIamMember?

InstanceIamPolicy is authoritative and replaces the entire IAM policy. InstanceIamBinding is authoritative for a specific role and manages all members for that role. InstanceIamMember is non-authoritative and adds individual members to a role without affecting other members.

Which IAM resources can I use together?

You cannot use InstanceIamPolicy with InstanceIamBinding or InstanceIamMember as they will conflict. You can use InstanceIamBinding with InstanceIamMember only if they manage different roles.

Why am I seeing policy conflicts between my IAM resources?

Using InstanceIamPolicy alongside InstanceIamBinding or InstanceIamMember causes them to fight over the policy. Similarly, using both InstanceIamBinding and InstanceIamMember for the same role creates conflicts.

Configuration & Identity Management

How many InstanceIamBinding resources can I create for the same role?

Only one InstanceIamBinding can be used per role. To grant a role to multiple members, include them all in the members array of a single binding.

What member identity formats are supported?

Supported formats include allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities like principal://iam.googleapis.com/....

How are location and project determined if I don't specify them?

Both location and project can be parsed from the parent resource identifier. If not provided in the parent identifier, location comes from the provider configuration, and project uses the provider project.

What properties can't be changed after creation?

The following properties are immutable: instanceName, location, project, role, and condition. Changing any of these requires recreating the resource.

Custom Roles & Advanced Usage

What format do custom roles need to use?

Custom roles must use the full format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.

Can I add conditions to IAM bindings?

Yes, you can specify a condition property. Note that conditions are immutable once set.

Import & Migration

What identifier formats can I use when importing?

You can use projects/{{project}}/locations/{{location}}/instances/{{instance_name}}, {{project}}/{{location}}/{{instance_name}}, {{location}}/{{instance_name}}, or just {{instance_name}}. Missing values are taken from the provider configuration.

Using a different cloud?

Explore iam guides for other cloud providers:

AWS Guides Azure Guides