Manage GCP BeyondCorp Security Gateway IAM Policies

The gcp:beyondcorp/securityGatewayIamPolicy:SecurityGatewayIamPolicy resource, part of the Pulumi GCP provider, manages IAM policies for BeyondCorp security gateways, controlling which identities can access gateway resources. This guide focuses on two capabilities: role-based member management and time-based conditional access.

BeyondCorp provides three IAM resources with different update behaviors. SecurityGatewayIamPolicy replaces the entire policy (authoritative). SecurityGatewayIamBinding manages all members for a specific role (authoritative for that role). SecurityGatewayIamMember adds individual members to roles (non-authoritative). The examples are intentionally small. Combine them with your own security gateways and identity management.

Grant a role to multiple members with Binding

When managing access for groups or service accounts, you often need to grant a role to multiple members while preserving other roles on the gateway.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.beyondcorp.SecurityGatewayIamBinding("binding", {
    project: example.project,
    location: example.location,
    securityGatewayId: example.securityGatewayId,
    role: "roles/beyondcorp.securityGatewayUser",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.beyondcorp.SecurityGatewayIamBinding("binding",
    project=example["project"],
    location=example["location"],
    security_gateway_id=example["securityGatewayId"],
    role="roles/beyondcorp.securityGatewayUser",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := beyondcorp.NewSecurityGatewayIamBinding(ctx, "binding", &beyondcorp.SecurityGatewayIamBindingArgs{
			Project:           pulumi.Any(example.Project),
			Location:          pulumi.Any(example.Location),
			SecurityGatewayId: pulumi.Any(example.SecurityGatewayId),
			Role:              pulumi.String("roles/beyondcorp.securityGatewayUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Beyondcorp.SecurityGatewayIamBinding("binding", new()
    {
        Project = example.Project,
        Location = example.Location,
        SecurityGatewayId = example.SecurityGatewayId,
        Role = "roles/beyondcorp.securityGatewayUser",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamBinding;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new SecurityGatewayIamBinding("binding", SecurityGatewayIamBindingArgs.builder()
            .project(example.project())
            .location(example.location())
            .securityGatewayId(example.securityGatewayId())
            .role("roles/beyondcorp.securityGatewayUser")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:beyondcorp:SecurityGatewayIamBinding
    properties:
      project: ${example.project}
      location: ${example.location}
      securityGatewayId: ${example.securityGatewayId}
      role: roles/beyondcorp.securityGatewayUser
      members:
        - user:jane@example.com

The SecurityGatewayIamBinding resource grants the specified role to all listed members. The members array accepts user accounts, service accounts, and groups. This resource is authoritative for the specified role: it replaces any existing member list for that role but leaves other roles unchanged.

Add a single member to a role with Member

To add individual users without affecting others already granted the role, use the Member resource.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.beyondcorp.SecurityGatewayIamMember("member", {
    project: example.project,
    location: example.location,
    securityGatewayId: example.securityGatewayId,
    role: "roles/beyondcorp.securityGatewayUser",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.beyondcorp.SecurityGatewayIamMember("member",
    project=example["project"],
    location=example["location"],
    security_gateway_id=example["securityGatewayId"],
    role="roles/beyondcorp.securityGatewayUser",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := beyondcorp.NewSecurityGatewayIamMember(ctx, "member", &beyondcorp.SecurityGatewayIamMemberArgs{
			Project:           pulumi.Any(example.Project),
			Location:          pulumi.Any(example.Location),
			SecurityGatewayId: pulumi.Any(example.SecurityGatewayId),
			Role:              pulumi.String("roles/beyondcorp.securityGatewayUser"),
			Member:            pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Beyondcorp.SecurityGatewayIamMember("member", new()
    {
        Project = example.Project,
        Location = example.Location,
        SecurityGatewayId = example.SecurityGatewayId,
        Role = "roles/beyondcorp.securityGatewayUser",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamMember;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new SecurityGatewayIamMember("member", SecurityGatewayIamMemberArgs.builder()
            .project(example.project())
            .location(example.location())
            .securityGatewayId(example.securityGatewayId())
            .role("roles/beyondcorp.securityGatewayUser")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:beyondcorp:SecurityGatewayIamMember
    properties:
      project: ${example.project}
      location: ${example.location}
      securityGatewayId: ${example.securityGatewayId}
      role: roles/beyondcorp.securityGatewayUser
      member: user:jane@example.com

The SecurityGatewayIamMember resource adds one member to a role without removing existing members. The member property accepts a single identity (user, service account, or group). Multiple Member resources can target the same role, each adding one identity.

Apply time-based access with IAM Conditions

Organizations with compliance requirements often grant temporary access that expires automatically.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.beyondcorp.SecurityGatewayIamBinding("binding", {
    project: example.project,
    location: example.location,
    securityGatewayId: example.securityGatewayId,
    role: "roles/beyondcorp.securityGatewayUser",
    members: ["user:jane@example.com"],
    condition: {
        title: "expires_after_2019_12_31",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.beyondcorp.SecurityGatewayIamBinding("binding",
    project=example["project"],
    location=example["location"],
    security_gateway_id=example["securityGatewayId"],
    role="roles/beyondcorp.securityGatewayUser",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/beyondcorp"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := beyondcorp.NewSecurityGatewayIamBinding(ctx, "binding", &beyondcorp.SecurityGatewayIamBindingArgs{
			Project:           pulumi.Any(example.Project),
			Location:          pulumi.Any(example.Location),
			SecurityGatewayId: pulumi.Any(example.SecurityGatewayId),
			Role:              pulumi.String("roles/beyondcorp.securityGatewayUser"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &beyondcorp.SecurityGatewayIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Beyondcorp.SecurityGatewayIamBinding("binding", new()
    {
        Project = example.Project,
        Location = example.Location,
        SecurityGatewayId = example.SecurityGatewayId,
        Role = "roles/beyondcorp.securityGatewayUser",
        Members = new[]
        {
            "user:jane@example.com",
        },
        Condition = new Gcp.Beyondcorp.Inputs.SecurityGatewayIamBindingConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamBinding;
import com.pulumi.gcp.beyondcorp.SecurityGatewayIamBindingArgs;
import com.pulumi.gcp.beyondcorp.inputs.SecurityGatewayIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new SecurityGatewayIamBinding("binding", SecurityGatewayIamBindingArgs.builder()
            .project(example.project())
            .location(example.location())
            .securityGatewayId(example.securityGatewayId())
            .role("roles/beyondcorp.securityGatewayUser")
            .members("user:jane@example.com")
            .condition(SecurityGatewayIamBindingConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());

    }
}

resources:
  binding:
    type: gcp:beyondcorp:SecurityGatewayIamBinding
    properties:
      project: ${example.project}
      location: ${example.location}
      securityGatewayId: ${example.securityGatewayId}
      role: roles/beyondcorp.securityGatewayUser
      members:
        - user:jane@example.com
      condition:
        title: expires_after_2019_12_31
        description: Expiring at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")

IAM Conditions restrict when a role binding applies. The condition block requires a title and expression. The expression uses Common Expression Language (CEL) to evaluate request context. Here, request.time < timestamp("2020-01-01T00:00:00Z") grants access only before the specified date. Conditions work with all three IAM resource types but have limitations documented in the GCP IAM Conditions overview.

Beyond these examples

These snippets focus on specific IAM management features: authoritative and non-authoritative IAM management, role-based access control, and time-based conditional access. They’re intentionally minimal rather than full access control systems.

The examples reference pre-existing infrastructure such as BeyondCorp security gateways and GCP projects and locations. They focus on configuring IAM policies rather than provisioning the underlying gateways.

To keep things focused, common IAM patterns are omitted, including:

  • Full policy replacement with SecurityGatewayIamPolicy
  • Complex condition expressions (attribute-based access)
  • Audit logging and policy change tracking
  • Service account impersonation patterns

These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the BeyondCorp SecurityGatewayIamPolicy resource reference for all available configuration options.

Let's manage GCP BeyondCorp Security Gateway IAM Policies

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Compatibility
Can I use SecurityGatewayIamPolicy with SecurityGatewayIamBinding or SecurityGatewayIamMember?
No, SecurityGatewayIamPolicy cannot be used with SecurityGatewayIamBinding or SecurityGatewayIamMember because they will conflict over policy control. Use SecurityGatewayIamPolicy alone for full policy management, or use SecurityGatewayIamBinding/SecurityGatewayIamMember together.
Can I use SecurityGatewayIamBinding with SecurityGatewayIamMember?
Yes, but only if they don’t grant privilege to the same role. If both resources manage the same role, they will conflict.
Which IAM resource should I use for managing SecurityGateway permissions?

Choose based on your needs:

  • SecurityGatewayIamPolicy - Authoritative, replaces the entire IAM policy
  • SecurityGatewayIamBinding - Authoritative for a specific role, preserves other roles
  • SecurityGatewayIamMember - Non-authoritative, adds a single member while preserving others
Configuration & Requirements
What value should I use for the location property?
The location property must be omitted or set to global. If not specified, it will be parsed from the parent resource identifier or taken from the provider configuration.
How do I generate the policyData for SecurityGatewayIamPolicy?
Use the gcp.organizations.getIAMPolicy data source to generate policyData. Pass the bindings with roles and members, then reference the data source’s policyData output.
Are there limitations when using IAM Conditions?
Yes, IAM Conditions are supported through the condition property (with title, description, and expression fields), but they have known limitations. Review the GCP IAM Conditions documentation before using them.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides