The gcp:beyondcorp/securityGatewayIamPolicy:SecurityGatewayIamPolicy resource, part of the Pulumi GCP provider, manages IAM policies for BeyondCorp security gateways, controlling who can access gateway resources. This guide focuses on three capabilities: authoritative policy replacement, role-based member assignment, and time-bound access with IAM Conditions.
BeyondCorp provides three IAM resource types for security gateways: SecurityGatewayIamPolicy (authoritative, replaces entire policy), SecurityGatewayIamBinding (authoritative per role, preserves other roles), and SecurityGatewayIamMember (non-authoritative, preserves other members). These resources cannot be mixed for the same gateway without causing conflicts. The examples are intentionally small. Combine them with your own security gateway infrastructure and access requirements.
Replace the entire IAM policy for a security gateway
When you need complete control over gateway access, you can set the entire IAM policy at once, replacing any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/beyondcorp.securityGatewayUser",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.beyondcorp.SecurityGatewayIamPolicy("policy", {
project: example.project,
location: example.location,
securityGatewayId: example.securityGatewayId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/beyondcorp.securityGatewayUser",
"members": ["user:jane@example.com"],
}])
policy = gcp.beyondcorp.SecurityGatewayIamPolicy("policy",
project=example["project"],
location=example["location"],
security_gateway_id=example["securityGatewayId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/beyondcorp.securityGatewayUser",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = beyondcorp.NewSecurityGatewayIamPolicy(ctx, "policy", &beyondcorp.SecurityGatewayIamPolicyArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
SecurityGatewayId: pulumi.Any(example.SecurityGatewayId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/beyondcorp.securityGatewayUser",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Beyondcorp.SecurityGatewayIamPolicy("policy", new()
{
Project = example.Project,
Location = example.Location,
SecurityGatewayId = example.SecurityGatewayId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamPolicy;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/beyondcorp.securityGatewayUser")
.members("user:jane@example.com")
.build())
.build());
var policy = new SecurityGatewayIamPolicy("policy", SecurityGatewayIamPolicyArgs.builder()
.project(example.project())
.location(example.location())
.securityGatewayId(example.securityGatewayId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:beyondcorp:SecurityGatewayIamPolicy
properties:
project: ${example.project}
location: ${example.location}
securityGatewayId: ${example.securityGatewayId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/beyondcorp.securityGatewayUser
members:
- user:jane@example.com
The SecurityGatewayIamPolicy resource is authoritative: it replaces the entire IAM policy for the security gateway. The policyData property accepts output from the getIAMPolicy data source, which defines bindings between roles and members. The securityGatewayId identifies which gateway receives the policy.
Grant a role to multiple members at once
Teams often need to grant the same role to several users or service accounts simultaneously, while preserving other roles already assigned to the gateway.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.beyondcorp.SecurityGatewayIamBinding("binding", {
project: example.project,
location: example.location,
securityGatewayId: example.securityGatewayId,
role: "roles/beyondcorp.securityGatewayUser",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.beyondcorp.SecurityGatewayIamBinding("binding",
project=example["project"],
location=example["location"],
security_gateway_id=example["securityGatewayId"],
role="roles/beyondcorp.securityGatewayUser",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := beyondcorp.NewSecurityGatewayIamBinding(ctx, "binding", &beyondcorp.SecurityGatewayIamBindingArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
SecurityGatewayId: pulumi.Any(example.SecurityGatewayId),
Role: pulumi.String("roles/beyondcorp.securityGatewayUser"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Beyondcorp.SecurityGatewayIamBinding("binding", new()
{
Project = example.Project,
Location = example.Location,
SecurityGatewayId = example.SecurityGatewayId,
Role = "roles/beyondcorp.securityGatewayUser",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamBinding;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new SecurityGatewayIamBinding("binding", SecurityGatewayIamBindingArgs.builder()
.project(example.project())
.location(example.location())
.securityGatewayId(example.securityGatewayId())
.role("roles/beyondcorp.securityGatewayUser")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:beyondcorp:SecurityGatewayIamBinding
properties:
project: ${example.project}
location: ${example.location}
securityGatewayId: ${example.securityGatewayId}
role: roles/beyondcorp.securityGatewayUser
members:
- user:jane@example.com
The SecurityGatewayIamBinding resource is authoritative for a single role but preserves other roles on the gateway. The members property accepts a list of identities (users, service accounts, groups) who receive the specified role. This approach works well when managing team-level access.
Add a single member to a role incrementally
When onboarding individual users or service accounts, you can add them to a role without affecting other members who already have that role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.beyondcorp.SecurityGatewayIamMember("member", {
project: example.project,
location: example.location,
securityGatewayId: example.securityGatewayId,
role: "roles/beyondcorp.securityGatewayUser",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.beyondcorp.SecurityGatewayIamMember("member",
project=example["project"],
location=example["location"],
security_gateway_id=example["securityGatewayId"],
role="roles/beyondcorp.securityGatewayUser",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := beyondcorp.NewSecurityGatewayIamMember(ctx, "member", &beyondcorp.SecurityGatewayIamMemberArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
SecurityGatewayId: pulumi.Any(example.SecurityGatewayId),
Role: pulumi.String("roles/beyondcorp.securityGatewayUser"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Beyondcorp.SecurityGatewayIamMember("member", new()
{
Project = example.Project,
Location = example.Location,
SecurityGatewayId = example.SecurityGatewayId,
Role = "roles/beyondcorp.securityGatewayUser",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamMember;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new SecurityGatewayIamMember("member", SecurityGatewayIamMemberArgs.builder()
.project(example.project())
.location(example.location())
.securityGatewayId(example.securityGatewayId())
.role("roles/beyondcorp.securityGatewayUser")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:beyondcorp:SecurityGatewayIamMember
properties:
project: ${example.project}
location: ${example.location}
securityGatewayId: ${example.securityGatewayId}
role: roles/beyondcorp.securityGatewayUser
member: user:jane@example.com
The SecurityGatewayIamMember resource is non-authoritative: it adds one member to a role without modifying existing members. The member property accepts a single identity string. This approach works well for incremental access grants and automated onboarding workflows.
Set time-bound access with IAM Conditions
Temporary access grants expire automatically when you use IAM Conditions, eliminating the need to manually revoke permissions later.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/beyondcorp.securityGatewayUser",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.beyondcorp.SecurityGatewayIamPolicy("policy", {
project: example.project,
location: example.location,
securityGatewayId: example.securityGatewayId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/beyondcorp.securityGatewayUser",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.beyondcorp.SecurityGatewayIamPolicy("policy",
project=example["project"],
location=example["location"],
security_gateway_id=example["securityGatewayId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/beyondcorp.securityGatewayUser",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = beyondcorp.NewSecurityGatewayIamPolicy(ctx, "policy", &beyondcorp.SecurityGatewayIamPolicyArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
SecurityGatewayId: pulumi.Any(example.SecurityGatewayId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/beyondcorp.securityGatewayUser",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Beyondcorp.SecurityGatewayIamPolicy("policy", new()
{
Project = example.Project,
Location = example.Location,
SecurityGatewayId = example.SecurityGatewayId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamPolicy;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/beyondcorp.securityGatewayUser")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new SecurityGatewayIamPolicy("policy", SecurityGatewayIamPolicyArgs.builder()
.project(example.project())
.location(example.location())
.securityGatewayId(example.securityGatewayId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:beyondcorp:SecurityGatewayIamPolicy
properties:
project: ${example.project}
location: ${example.location}
securityGatewayId: ${example.securityGatewayId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/beyondcorp.securityGatewayUser
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
IAM Conditions add temporal or attribute-based constraints to role bindings. The condition block requires a title, optional description, and an expression using Common Expression Language (CEL). The expression “request.time < timestamp(…)” creates an expiration date. Conditions work with all three IAM resource types (Policy, Binding, Member).
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs incremental IAM management, role and member assignment, and time-based access with IAM Conditions. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as BeyondCorp security gateways and GCP project and location configuration. They focus on configuring IAM policies rather than provisioning the gateways themselves.
To keep things focused, common IAM patterns are omitted, including:
- Custom role definitions and management
- Audit logging configuration
- Policy conflict resolution between resource types
- Condition expressions beyond time-based access
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the SecurityGatewayIamPolicy resource reference for all available configuration options.
Let's manage GCP BeyondCorp Security Gateway IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Which IAM resource should I use to manage SecurityGateway permissions?
Choose based on your management approach:
SecurityGatewayIamPolicy is authoritative and replaces the entire IAM policy, SecurityGatewayIamBinding is authoritative for a specific role (preserving other roles), and SecurityGatewayIamMember is non-authoritative (adds individual members without affecting others).Can I use SecurityGatewayIamPolicy with SecurityGatewayIamBinding or SecurityGatewayIamMember?
No,
SecurityGatewayIamPolicy cannot be used with SecurityGatewayIamBinding or SecurityGatewayIamMember because they will conflict over policy management.Can I use SecurityGatewayIamBinding and SecurityGatewayIamMember together?
Yes, but only if they don’t grant privileges to the same role. Using both for the same role will cause conflicts.
IAM Conditions
What are the limitations of IAM Conditions for SecurityGateway?
IAM Conditions are supported but have known limitations. Review the GCP IAM Conditions documentation if you encounter issues.
How do I add time-based access restrictions using IAM Conditions?
Add a
condition block with title, description, and expression fields. For example, use request.time < timestamp("2020-01-01T00:00:00Z") to expire access at a specific time.Configuration & Setup
What value should I use for the location parameter?
The
location parameter must be omitted or set to global. This field is immutable after creation.How do I generate the policyData for SecurityGatewayIamPolicy?
Use the
gcp.organizations.getIAMPolicy data source to generate policyData, specifying bindings with roles and members.Import & Migration
How do I import a SecurityGateway IAM resource with a custom role?
Use the full custom role name in the format
projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role when importing.