The gcp:compute/backendBucketIamMember:BackendBucketIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for Compute Engine backend buckets. GCP provides three related resources for IAM management, each with different levels of control: BackendBucketIamPolicy (authoritative for entire policy), BackendBucketIamBinding (authoritative for a single role), and BackendBucketIamMember (non-authoritative for individual members). This guide focuses on understanding when to use each approach.
All three resources reference an existing backend bucket and require appropriate GCP project permissions. The examples are intentionally small. Combine them with your own backend bucket infrastructure and organizational IAM policies.
Replace the entire IAM policy for a backend bucket
When you need complete control over who can access a backend bucket, BackendBucketIamPolicy sets the entire IAM policy at once.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.compute.BackendBucketIamPolicy("policy", {
project: imageBackend.project,
name: imageBackend.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.compute.BackendBucketIamPolicy("policy",
project=image_backend["project"],
name=image_backend["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewBackendBucketIamPolicy(ctx, "policy", &compute.BackendBucketIamPolicyArgs{
Project: pulumi.Any(imageBackend.Project),
Name: pulumi.Any(imageBackend.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Compute.BackendBucketIamPolicy("policy", new()
{
Project = imageBackend.Project,
Name = imageBackend.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.BackendBucketIamPolicy;
import com.pulumi.gcp.compute.BackendBucketIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new BackendBucketIamPolicy("policy", BackendBucketIamPolicyArgs.builder()
.project(imageBackend.project())
.name(imageBackend.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:BackendBucketIamPolicy
properties:
project: ${imageBackend.project}
name: ${imageBackend.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
This resource is authoritative: it replaces any existing policy on the backend bucket. The policyData comes from getIAMPolicy, which constructs a policy document from bindings. Each binding maps a role to a list of members. Use this approach when you want to define the complete permission set in one place, but be aware it will remove any permissions not explicitly listed.
Grant a role to multiple members at once
When multiple users or service accounts need the same level of access, BackendBucketIamBinding assigns them all to a role in a single resource.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.compute.BackendBucketIamBinding("binding", {
project: imageBackend.project,
name: imageBackend.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.compute.BackendBucketIamBinding("binding",
project=image_backend["project"],
name=image_backend["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewBackendBucketIamBinding(ctx, "binding", &compute.BackendBucketIamBindingArgs{
Project: pulumi.Any(imageBackend.Project),
Name: pulumi.Any(imageBackend.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Compute.BackendBucketIamBinding("binding", new()
{
Project = imageBackend.Project,
Name = imageBackend.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.BackendBucketIamBinding;
import com.pulumi.gcp.compute.BackendBucketIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new BackendBucketIamBinding("binding", BackendBucketIamBindingArgs.builder()
.project(imageBackend.project())
.name(imageBackend.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:compute:BackendBucketIamBinding
properties:
project: ${imageBackend.project}
name: ${imageBackend.name}
role: roles/viewer
members:
- user:jane@example.com
This resource is authoritative for the specified role: it controls the complete list of members for that role while preserving other roles on the backend bucket. The members property accepts a list of identity strings. This approach works well when you manage teams or groups that share the same permission level. You can use multiple BackendBucketIamBinding resources for different roles, but only one binding per role.
Add a single member to a role incrementally
When you need to grant access to one user without affecting existing permissions, BackendBucketIamMember adds individual members to roles.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.BackendBucketIamMember("member", {
project: imageBackend.project,
name: imageBackend.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.BackendBucketIamMember("member",
project=image_backend["project"],
name=image_backend["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewBackendBucketIamMember(ctx, "member", &compute.BackendBucketIamMemberArgs{
Project: pulumi.Any(imageBackend.Project),
Name: pulumi.Any(imageBackend.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.BackendBucketIamMember("member", new()
{
Project = imageBackend.Project,
Name = imageBackend.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.BackendBucketIamMember;
import com.pulumi.gcp.compute.BackendBucketIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new BackendBucketIamMember("member", BackendBucketIamMemberArgs.builder()
.project(imageBackend.project())
.name(imageBackend.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:BackendBucketIamMember
properties:
project: ${imageBackend.project}
name: ${imageBackend.name}
role: roles/viewer
member: user:jane@example.com
This resource is non-authoritative: it adds one member to a role without removing other members. The member property (singular) accepts a single identity string. This is the safest approach for incremental changes because it won’t accidentally remove permissions granted elsewhere. You can combine multiple BackendBucketIamMember resources for the same role, and they can coexist with BackendBucketIamBinding resources as long as they target different roles.
Beyond these examples
These snippets focus on specific IAM management features: authoritative and non-authoritative IAM management, and role-based access control. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as backend buckets and GCP projects with appropriate permissions. They focus on configuring IAM permissions rather than provisioning the underlying resources.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions
- Service account creation and management
- Backend bucket creation and configuration
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the BackendBucketIamMember resource reference for all available configuration options.
Let's manage GCP Backend Bucket IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
BackendBucketIamPolicy is authoritative and replaces the entire IAM policy. BackendBucketIamBinding is authoritative for a specific role but preserves other roles. BackendBucketIamMember is non-authoritative and adds a single member to a role while preserving existing members.BackendBucketIamPolicy cannot be used with BackendBucketIamBinding or BackendBucketIamMember because they will fight over the policy. Use either Policy alone (authoritative) or Binding/Member (non-authoritative), but not both.Identity & Role Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.member, role, name, project, and condition. Changes to any of these require recreating the resource.Import & Migration
pulumi import gcp:compute/backendBucketIamMember:BackendBucketIamMember editor "projects/{{project}}/global/backendBuckets/{{backend_bucket}} roles/viewer user:jane@example.com". For custom roles, use the full role name format.