The gcp:apigateway/apiConfigIamMember:ApiConfigIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for API Gateway API configurations. This guide focuses on three approaches: single-member grants with ApiConfigIamMember, multi-member role management with ApiConfigIamBinding, and complete policy replacement with ApiConfigIamPolicy.
These resources reference existing API Gateway API and ApiConfig resources. ApiConfigIamPolicy cannot be used alongside ApiConfigIamBinding or ApiConfigIamMember, as they conflict over policy ownership. ApiConfigIamBinding and ApiConfigIamMember can coexist only when managing different roles. The examples are intentionally small. Combine them with your own API Gateway infrastructure and identity management strategy.
Grant a single user access to an API config
Most IAM configurations add individual users or service accounts to specific roles without disrupting existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.apigateway.ApiConfigIamMember("member", {
api: apiCfg.api,
apiConfig: apiCfg.apiConfigId,
role: "roles/apigateway.viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.apigateway.ApiConfigIamMember("member",
api=api_cfg["api"],
api_config=api_cfg["apiConfigId"],
role="roles/apigateway.viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigateway"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := apigateway.NewApiConfigIamMember(ctx, "member", &apigateway.ApiConfigIamMemberArgs{
Api: pulumi.Any(apiCfg.Api),
ApiConfig: pulumi.Any(apiCfg.ApiConfigId),
Role: pulumi.String("roles/apigateway.viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.ApiGateway.ApiConfigIamMember("member", new()
{
Api = apiCfg.Api,
ApiConfig = apiCfg.ApiConfigId,
Role = "roles/apigateway.viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.apigateway.ApiConfigIamMember;
import com.pulumi.gcp.apigateway.ApiConfigIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new ApiConfigIamMember("member", ApiConfigIamMemberArgs.builder()
.api(apiCfg.api())
.apiConfig(apiCfg.apiConfigId())
.role("roles/apigateway.viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:apigateway:ApiConfigIamMember
properties:
api: ${apiCfg.api}
apiConfig: ${apiCfg.apiConfigId}
role: roles/apigateway.viewer
member: user:jane@example.com
The member property specifies one identity in the format “user:email”, “serviceAccount:email”, “group:email”, or other supported formats. The role property defines the permission level, such as “roles/apigateway.viewer”. ApiConfigIamMember is non-authoritative: it adds this member to the role while preserving other members and roles on the API config.
Grant multiple members the same role
When several identities need identical permissions, ApiConfigIamBinding manages the complete member list for one role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.apigateway.ApiConfigIamBinding("binding", {
api: apiCfg.api,
apiConfig: apiCfg.apiConfigId,
role: "roles/apigateway.viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.apigateway.ApiConfigIamBinding("binding",
api=api_cfg["api"],
api_config=api_cfg["apiConfigId"],
role="roles/apigateway.viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigateway"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := apigateway.NewApiConfigIamBinding(ctx, "binding", &apigateway.ApiConfigIamBindingArgs{
Api: pulumi.Any(apiCfg.Api),
ApiConfig: pulumi.Any(apiCfg.ApiConfigId),
Role: pulumi.String("roles/apigateway.viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.ApiGateway.ApiConfigIamBinding("binding", new()
{
Api = apiCfg.Api,
ApiConfig = apiCfg.ApiConfigId,
Role = "roles/apigateway.viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.apigateway.ApiConfigIamBinding;
import com.pulumi.gcp.apigateway.ApiConfigIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new ApiConfigIamBinding("binding", ApiConfigIamBindingArgs.builder()
.api(apiCfg.api())
.apiConfig(apiCfg.apiConfigId())
.role("roles/apigateway.viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:apigateway:ApiConfigIamBinding
properties:
api: ${apiCfg.api}
apiConfig: ${apiCfg.apiConfigId}
role: roles/apigateway.viewer
members:
- user:jane@example.com
The members property takes an array of identities, all receiving the specified role. ApiConfigIamBinding is authoritative for its role: it replaces the member list for “roles/apigateway.viewer” but leaves other roles untouched. Use this when you want to define all members for a role in one place.
Replace the entire IAM policy
ApiConfigIamPolicy sets every role and member binding for an API config, replacing the existing policy completely.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/apigateway.viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.apigateway.ApiConfigIamPolicy("policy", {
api: apiCfg.api,
apiConfig: apiCfg.apiConfigId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/apigateway.viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.apigateway.ApiConfigIamPolicy("policy",
api=api_cfg["api"],
api_config=api_cfg["apiConfigId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigateway"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/apigateway.viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = apigateway.NewApiConfigIamPolicy(ctx, "policy", &apigateway.ApiConfigIamPolicyArgs{
Api: pulumi.Any(apiCfg.Api),
ApiConfig: pulumi.Any(apiCfg.ApiConfigId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/apigateway.viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.ApiGateway.ApiConfigIamPolicy("policy", new()
{
Api = apiCfg.Api,
ApiConfig = apiCfg.ApiConfigId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.apigateway.ApiConfigIamPolicy;
import com.pulumi.gcp.apigateway.ApiConfigIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/apigateway.viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new ApiConfigIamPolicy("policy", ApiConfigIamPolicyArgs.builder()
.api(apiCfg.api())
.apiConfig(apiCfg.apiConfigId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:apigateway:ApiConfigIamPolicy
properties:
api: ${apiCfg.api}
apiConfig: ${apiCfg.apiConfigId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/apigateway.viewer
members:
- user:jane@example.com
The policyData property comes from the getIAMPolicy data source, which constructs a complete policy document from bindings. This resource is fully authoritative: it removes any bindings not included in policyData. ApiConfigIamPolicy cannot coexist with ApiConfigIamBinding or ApiConfigIamMember, as they would conflict over policy ownership.
Beyond these examples
These snippets focus on specific IAM management patterns: single-member grants, role-level member lists, and complete policy replacement. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as API Gateway API and ApiConfig resources, and a GCP project with API Gateway enabled. They focus on configuring IAM bindings rather than provisioning the underlying API Gateway resources.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- Cross-project IAM grants
- Service account creation and management
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the ApiConfigIamMember resource reference for all available configuration options.
Let's manage GCP API Gateway IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
gcp.apigateway.ApiConfigIamPolicy cannot be used with gcp.apigateway.ApiConfigIamBinding or gcp.apigateway.ApiConfigIamMember because they will conflict over policy control. Use either the Policy resource alone (for full authoritative control) or use Binding/Member resources (for incremental changes).gcp.apigateway.ApiConfigIamPolicy for full policy control (replaces entire policy), gcp.apigateway.ApiConfigIamBinding for managing all members of a specific role (authoritative per role), or gcp.apigateway.ApiConfigIamMember for adding individual members without affecting others (non-authoritative).Configuration & Formats
[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.member property supports multiple formats: allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, and federated identities like principal://iam.googleapis.com/....gcp.apigateway.ApiConfigIamMember with the member property set to the user identity (e.g., user:jane@example.com). This is non-authoritative and preserves other members for the role.Resource Management
api, apiConfig, member, project, role, condition) are immutable and cannot be changed after creation. You must recreate the resource to change these values.projects/{{project}}/locations/global/apis/{{api}}/configs/{{api_config}}, {{project}}/{{api}}/{{api_config}}, {{api}}/{{api_config}}, or just {{api_config}}. Variables not provided in the import command are taken from the provider configuration.