The gcp:compute/backendBucketIamBinding:BackendBucketIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for backend buckets. It grants a specific role to a list of members while preserving other roles on the same backend bucket. This guide focuses on two capabilities: authoritative role assignment to multiple members and non-authoritative single-member additions.
IAM bindings reference existing backend buckets and operate within GCP projects. The examples are intentionally small. Combine them with your own backend bucket infrastructure and identity management workflows.
Grant a role to multiple members at once
When multiple users or service accounts need the same level of access, BackendBucketIamBinding assigns a role to all members in a single resource.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.compute.BackendBucketIamBinding("binding", {
project: imageBackend.project,
name: imageBackend.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.compute.BackendBucketIamBinding("binding",
project=image_backend["project"],
name=image_backend["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewBackendBucketIamBinding(ctx, "binding", &compute.BackendBucketIamBindingArgs{
Project: pulumi.Any(imageBackend.Project),
Name: pulumi.Any(imageBackend.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Compute.BackendBucketIamBinding("binding", new()
{
Project = imageBackend.Project,
Name = imageBackend.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.BackendBucketIamBinding;
import com.pulumi.gcp.compute.BackendBucketIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new BackendBucketIamBinding("binding", BackendBucketIamBindingArgs.builder()
.project(imageBackend.project())
.name(imageBackend.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:compute:BackendBucketIamBinding
properties:
project: ${imageBackend.project}
name: ${imageBackend.name}
role: roles/viewer
members:
- user:jane@example.com
The resource grants the specified role to all members in the list. The role property defines the permission level (e.g., “roles/viewer”), and members lists the identities receiving access. This approach is authoritative for the role: it replaces any previous member list for that role, but leaves other roles untouched.
Add a single member to a role incrementally
Teams managing access individually can add one member at a time without affecting existing role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.BackendBucketIamMember("member", {
project: imageBackend.project,
name: imageBackend.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.BackendBucketIamMember("member",
project=image_backend["project"],
name=image_backend["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewBackendBucketIamMember(ctx, "member", &compute.BackendBucketIamMemberArgs{
Project: pulumi.Any(imageBackend.Project),
Name: pulumi.Any(imageBackend.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.BackendBucketIamMember("member", new()
{
Project = imageBackend.Project,
Name = imageBackend.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.BackendBucketIamMember;
import com.pulumi.gcp.compute.BackendBucketIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new BackendBucketIamMember("member", BackendBucketIamMemberArgs.builder()
.project(imageBackend.project())
.name(imageBackend.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:BackendBucketIamMember
properties:
project: ${imageBackend.project}
name: ${imageBackend.name}
role: roles/viewer
member: user:jane@example.com
BackendBucketIamMember adds a single member to a role non-authoritatively. Unlike BackendBucketIamBinding, this resource preserves other members who already have the same role. Use this when you need to grant access incrementally without managing the complete member list.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as backend buckets (imageBackend) and GCP projects. They focus on configuring IAM bindings rather than provisioning the underlying resources.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Full policy replacement (BackendBucketIamPolicy)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the BackendBucketIamBinding resource reference for all available configuration options.
Let's manage GCP Backend Bucket IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
BackendBucketIamPolicy is authoritative and replaces the entire IAM policy. BackendBucketIamBinding is authoritative for a specific role, preserving other roles. BackendBucketIamMember is non-authoritative, adding individual members while preserving existing members for that role.BackendBucketIamPolicy cannot be used with BackendBucketIamBinding or BackendBucketIamMember because they will conflict over the policy configuration.Configuration & Immutability
role, name, and project properties are immutable and cannot be changed after the resource is created.[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.Member Identity Formats
Supported formats include:
allUsersandallAuthenticatedUsersfor public accessuser:{email},serviceAccount:{email},group:{email}for specific identitiesdomain:{domain}for G Suite domainsprojectOwner/Editor/Viewer:{projectid}for project-level roles- Federated identities using principal identifiers (see GCP documentation)