The gcp:bigtable/instanceIamMember:InstanceIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for Bigtable instances by adding individual members to roles without affecting other permissions. This guide focuses on two capabilities: non-authoritative member grants and authoritative policy replacement.
IAM resources reference existing Bigtable instances and require appropriate project permissions. The examples are intentionally small. Combine them with your own instance configuration and access requirements.
Replace the entire IAM policy for an instance
When you need complete control over who can access a Bigtable instance, you can define the entire policy in one place and replace any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/bigtable.user",
members: ["user:jane@example.com"],
}],
});
const editor = new gcp.bigtable.InstanceIamPolicy("editor", {
project: "your-project",
instance: "your-bigtable-instance",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/bigtable.user",
"members": ["user:jane@example.com"],
}])
editor = gcp.bigtable.InstanceIamPolicy("editor",
project="your-project",
instance="your-bigtable-instance",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/bigtable.user",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = bigtable.NewInstanceIamPolicy(ctx, "editor", &bigtable.InstanceIamPolicyArgs{
Project: pulumi.String("your-project"),
Instance: pulumi.String("your-bigtable-instance"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/bigtable.user",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var editor = new Gcp.BigTable.InstanceIamPolicy("editor", new()
{
Project = "your-project",
Instance = "your-bigtable-instance",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.bigtable.InstanceIamPolicy;
import com.pulumi.gcp.bigtable.InstanceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/bigtable.user")
.members("user:jane@example.com")
.build())
.build());
var editor = new InstanceIamPolicy("editor", InstanceIamPolicyArgs.builder()
.project("your-project")
.instance("your-bigtable-instance")
.policyData(admin.policyData())
.build());
}
}
resources:
editor:
type: gcp:bigtable:InstanceIamPolicy
properties:
project: your-project
instance: your-bigtable-instance
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/bigtable.user
members:
- user:jane@example.com
The InstanceIamPolicy resource sets the complete IAM policy for the instance. The getIAMPolicy function constructs a policy document from bindings, which define roles and their members. The policyData property contains the serialized policy. This approach is authoritative: it replaces all existing permissions, so be careful not to accidentally remove ownership or critical access.
Grant a role to a single member
Most access grants add one identity to one role without affecting other permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.bigtable.InstanceIamMember("editor", {
instance: "your-bigtable-instance",
role: "roles/bigtable.user",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.bigtable.InstanceIamMember("editor",
instance="your-bigtable-instance",
role="roles/bigtable.user",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bigtable.NewInstanceIamMember(ctx, "editor", &bigtable.InstanceIamMemberArgs{
Instance: pulumi.String("your-bigtable-instance"),
Role: pulumi.String("roles/bigtable.user"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.BigTable.InstanceIamMember("editor", new()
{
Instance = "your-bigtable-instance",
Role = "roles/bigtable.user",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigtable.InstanceIamMember;
import com.pulumi.gcp.bigtable.InstanceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new InstanceIamMember("editor", InstanceIamMemberArgs.builder()
.instance("your-bigtable-instance")
.role("roles/bigtable.user")
.member("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:bigtable:InstanceIamMember
properties:
instance: your-bigtable-instance
role: roles/bigtable.user
member: user:jane@example.com
The InstanceIamMember resource adds a single member to a role non-authoritatively. The member property specifies the identity (user, serviceAccount, group, or domain), and the role property defines the permission level. Other members with the same role and all other roles remain unchanged. This is the safest way to grant incremental access.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management, and policy-level and member-level access control. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Bigtable instances and GCP projects. They focus on configuring IAM permissions rather than provisioning the instances themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Service account and group member types
- Custom role definitions
- InstanceIamBinding for role-level management
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Bigtable InstanceIamMember resource reference for all available configuration options.
Let's manage GCP Bigtable Instance IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
gcp.bigtable.InstanceIamPolicy cannot be used with gcp.bigtable.InstanceIamBinding or gcp.bigtable.InstanceIamMember because they will conflict over the policy. Use InstanceIamPolicy alone, or use InstanceIamBinding and InstanceIamMember together without Policy.gcp.bigtable.InstanceIamPolicy. Since it replaces the entire IAM policy, you can unintentionally remove existing ownership bindings. Ensure all necessary bindings are included in your policy.gcp.bigtable.InstanceIamPolicy is authoritative and replaces the entire IAM policy. gcp.bigtable.InstanceIamBinding is authoritative for a specific role, preserving other roles. gcp.bigtable.InstanceIamMember is non-authoritative and adds a single member to a role, preserving other members.Configuration & Identity Formats
allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, or domain:{domain} as member identities.[projects|organizations]/{parent-name}/roles/{role-name}.Immutability & Limitations
instance, member, role, project, and condition. Changes to any of these require resource replacement.