Manage GCP Apigee Environment IAM Bindings

The gcp:apigee/environmentIamBinding:EnvironmentIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Apigee environments. This guide focuses on two capabilities: authoritative role binding for multiple members and non-authoritative single member addition.

IAM bindings reference existing Apigee environments by organization and environment identifiers. The examples are intentionally small. Combine them with your own Apigee infrastructure and identity management.

Grant a role to multiple members with binding

Teams managing Apigee environments often need to grant the same role to multiple users or service accounts at once.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.apigee.EnvironmentIamBinding("binding", {
    orgId: apigeeEnvironment.orgId,
    envId: apigeeEnvironment.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.apigee.EnvironmentIamBinding("binding",
    org_id=apigee_environment["orgId"],
    env_id=apigee_environment["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := apigee.NewEnvironmentIamBinding(ctx, "binding", &apigee.EnvironmentIamBindingArgs{
			OrgId: pulumi.Any(apigeeEnvironment.OrgId),
			EnvId: pulumi.Any(apigeeEnvironment.Name),
			Role:  pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Apigee.EnvironmentIamBinding("binding", new()
    {
        OrgId = apigeeEnvironment.OrgId,
        EnvId = apigeeEnvironment.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.apigee.EnvironmentIamBinding;
import com.pulumi.gcp.apigee.EnvironmentIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new EnvironmentIamBinding("binding", EnvironmentIamBindingArgs.builder()
            .orgId(apigeeEnvironment.orgId())
            .envId(apigeeEnvironment.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:apigee:EnvironmentIamBinding
    properties:
      orgId: ${apigeeEnvironment.orgId}
      envId: ${apigeeEnvironment.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The EnvironmentIamBinding resource grants a role to all members in the list authoritatively. If you later update the members array, the binding replaces the previous member list for that role. Other roles on the environment remain unchanged. The orgId identifies the Apigee organization, envId identifies the environment, and members accepts identity strings like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”.

Add a single member to a role non-authoritatively

When you need to grant access to one additional user without affecting existing members, use EnvironmentIamMember.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.apigee.EnvironmentIamMember("member", {
    orgId: apigeeEnvironment.orgId,
    envId: apigeeEnvironment.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.apigee.EnvironmentIamMember("member",
    org_id=apigee_environment["orgId"],
    env_id=apigee_environment["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/apigee"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := apigee.NewEnvironmentIamMember(ctx, "member", &apigee.EnvironmentIamMemberArgs{
			OrgId:  pulumi.Any(apigeeEnvironment.OrgId),
			EnvId:  pulumi.Any(apigeeEnvironment.Name),
			Role:   pulumi.String("roles/viewer"),
			Member: pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Apigee.EnvironmentIamMember("member", new()
    {
        OrgId = apigeeEnvironment.OrgId,
        EnvId = apigeeEnvironment.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.apigee.EnvironmentIamMember;
import com.pulumi.gcp.apigee.EnvironmentIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new EnvironmentIamMember("member", EnvironmentIamMemberArgs.builder()
            .orgId(apigeeEnvironment.orgId())
            .envId(apigeeEnvironment.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:apigee:EnvironmentIamMember
    properties:
      orgId: ${apigeeEnvironment.orgId}
      envId: ${apigeeEnvironment.name}
      role: roles/viewer
      member: user:jane@example.com

The EnvironmentIamMember resource adds a single member to a role without replacing existing members. Multiple EnvironmentIamMember resources can target the same role, each adding one member. This approach works well when different teams manage access for different users. The member property accepts the same identity formats as the members array in bindings.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.

The examples reference pre-existing infrastructure such as Apigee environments (orgId and envId references). They focus on configuring IAM bindings rather than provisioning the environments themselves.

To keep things focused, common IAM patterns are omitted, including:

  • Conditional IAM bindings (condition property)
  • Full policy replacement (EnvironmentIamPolicy resource)
  • Custom role definitions and formatting
  • Federated identity and workload identity pool configuration

These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the Apigee EnvironmentIamBinding resource reference for all available configuration options.

Let's manage GCP Apigee Environment IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts
Which IAM resource should I use for managing Apigee environment permissions?
Choose based on your needs: gcp.apigee.EnvironmentIamPolicy replaces the entire IAM policy (authoritative), gcp.apigee.EnvironmentIamBinding manages all members for a specific role (authoritative per role, preserves other roles), or gcp.apigee.EnvironmentIamMember adds individual members to a role (non-authoritative, preserves other members).
Can I use EnvironmentIamPolicy with EnvironmentIamBinding or EnvironmentIamMember?
No, gcp.apigee.EnvironmentIamPolicy cannot be used with gcp.apigee.EnvironmentIamBinding or gcp.apigee.EnvironmentIamMember as they will conflict over policy state.
Can I use EnvironmentIamBinding with EnvironmentIamMember?
Yes, but only if they manage different roles. Using both resources for the same role causes conflicts.
Configuration & Formats
How do I specify custom roles for Apigee environment IAM?
Custom roles must use the full format [projects|organizations]/{parent-name}/roles/{role-name}, such as projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.
What member identity formats are supported?
Supported formats include allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, domain:{domain}, projectOwner:projectid, projectEditor:projectid, projectViewer:projectid, and federated identities like principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com.
Immutability & Updates
What properties can't I change after creating an EnvironmentIamBinding?
The envId, orgId, role, and condition properties are immutable and cannot be changed after creation. Only members can be updated.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides