The gcp:bigtable/instanceIamBinding:InstanceIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Bigtable instances by granting one role to a list of members. This guide covers two tasks: granting a role to several members with InstanceIamBinding, and adding a single member to a role with InstanceIamMember.
InstanceIamBinding is authoritative for a single role: on every update it makes its members list the complete set of holders of that role on the instance, removing anyone who was granted the role by other means. It can be combined with InstanceIamMember resources that manage other roles, but not with InstanceIamPolicy, which replaces the entire policy and would overwrite the binding on each apply. The examples are intentionally small; combine them with your own Bigtable instances and identity management.
Grant a role to multiple members
Teams managing Bigtable access often need to grant the same role to multiple users, service accounts, or groups.
TypeScript:
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Authoritative for roles/bigtable.user on this instance: the members list
// becomes the complete set of holders of that role.
const editor = new gcp.bigtable.InstanceIamBinding("editor", {
    instance: "your-bigtable-instance",
    role: "roles/bigtable.user",
    members: ["user:jane@example.com"],
});
Python:
import pulumi
import pulumi_gcp as gcp

# Authoritative for roles/bigtable.user on this instance: the members list
# becomes the complete set of holders of that role.
editor = gcp.bigtable.InstanceIamBinding("editor",
    instance="your-bigtable-instance",
    role="roles/bigtable.user",
    members=["user:jane@example.com"])
Go:
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Authoritative for roles/bigtable.user on this instance: Members
		// becomes the complete set of holders of that role.
		_, err := bigtable.NewInstanceIamBinding(ctx, "editor", &bigtable.InstanceIamBindingArgs{
			Instance: pulumi.String("your-bigtable-instance"),
			Role:     pulumi.String("roles/bigtable.user"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
C#:
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Authoritative for roles/bigtable.user on this instance: Members
    // becomes the complete set of holders of that role.
    var editor = new Gcp.BigTable.InstanceIamBinding("editor", new()
    {
        Instance = "your-bigtable-instance",
        Role = "roles/bigtable.user",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });
});
Java:
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.bigtable.InstanceIamBinding;
import com.pulumi.gcp.bigtable.InstanceIamBindingArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Authoritative for roles/bigtable.user on this instance: members
        // becomes the complete set of holders of that role.
        var editor = new InstanceIamBinding("editor", InstanceIamBindingArgs.builder()
            .instance("your-bigtable-instance")
            .role("roles/bigtable.user")
            .members("user:jane@example.com")
            .build());
    }
}
YAML:
resources:
  editor:
    type: gcp:bigtable:InstanceIamBinding
    properties:
      instance: your-bigtable-instance
      role: roles/bigtable.user
      # Authoritative for this role: the list below becomes the complete set of holders.
      members:
        - user:jane@example.com
The members property lists every identity that holds the role once the resource is applied. The snippet grants a single member; a team gets a longer list, for example ["user:alice@example.com", "user:bob@example.com"]. Because InstanceIamBinding is authoritative for this role, anyone who holds roles/bigtable.user on the instance but is missing from the list, including grants made in the console or with gcloud, is removed on the next pulumi up. The instance property references your Bigtable instance by name, and role names the predefined role (roles/bigtable.user grants read/write access to table data).
Add a single member to a role
When you need to grant access to one additional user without affecting other members, InstanceIamMember adds a single identity.
TypeScript:
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Non-authoritative: adds one member to roles/bigtable.user and leaves
// the role's other members untouched.
const editor = new gcp.bigtable.InstanceIamMember("editor", {
    instance: "your-bigtable-instance",
    role: "roles/bigtable.user",
    member: "user:jane@example.com",
});
Python:
import pulumi
import pulumi_gcp as gcp

# Non-authoritative: adds one member to roles/bigtable.user and leaves
# the role's other members untouched.
editor = gcp.bigtable.InstanceIamMember("editor",
    instance="your-bigtable-instance",
    role="roles/bigtable.user",
    member="user:jane@example.com")
Go:
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Non-authoritative: adds one member to roles/bigtable.user and
		// leaves the role's other members untouched.
		_, err := bigtable.NewInstanceIamMember(ctx, "editor", &bigtable.InstanceIamMemberArgs{
			Instance: pulumi.String("your-bigtable-instance"),
			Role:     pulumi.String("roles/bigtable.user"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
C#:
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Non-authoritative: adds one member to roles/bigtable.user and
    // leaves the role's other members untouched.
    var editor = new Gcp.BigTable.InstanceIamMember("editor", new()
    {
        Instance = "your-bigtable-instance",
        Role = "roles/bigtable.user",
        Member = "user:jane@example.com",
    });
});
Java:
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.bigtable.InstanceIamMember;
import com.pulumi.gcp.bigtable.InstanceIamMemberArgs;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Non-authoritative: adds one member to roles/bigtable.user and
        // leaves the role's other members untouched.
        var editor = new InstanceIamMember("editor", InstanceIamMemberArgs.builder()
            .instance("your-bigtable-instance")
            .role("roles/bigtable.user")
            .member("user:jane@example.com")
            .build());
    }
}
YAML:
resources:
  editor:
    type: gcp:bigtable:InstanceIamMember
    properties:
      instance: your-bigtable-instance
      role: roles/bigtable.user
      # Non-authoritative: adds this one member and leaves the role's other members untouched.
      member: user:jane@example.com
The member property (singular) names one identity to add to the role. Unlike InstanceIamBinding, InstanceIamMember is non-authoritative: it leaves the role's other members alone, including any it did not create. Use it to grant access incrementally without owning the full member list, and accept the trade-off that it will neither detect nor revoke grants made outside Pulumi; only an authoritative InstanceIamBinding for the role does that.
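To make the authoritative versus non-authoritative distinction concrete, here is an added Python model of how the three resources rewrite an instance's IAM policy. It is written for this page and is not code from the Pulumi provider. It works on the policy document shape that gcloud bigtable instances get-iam-policy returns (a bindings list of role and members); the starting policy, the function names and the helper logic are constructed assumptions. The revoked_by helper is the preview check worth having before pulumi up: which existing grants, possibly made outside Pulumi, an authoritative resource will remove.

```python
# Added example (not Pulumi or Google code): a plain-Python model of how the three
# Bigtable IAM resources rewrite an instance policy. The policy shape (a "bindings"
# list of {"role", "members"}) mirrors the document returned by
# `gcloud bigtable instances get-iam-policy`; everything else is an illustrative
# assumption, not provider behaviour copied from source.
from copy import deepcopy


def _role_members(policy, role):
    """Return the member set for `role`, or an empty set when the role is absent."""
    for b in policy["bindings"]:
        if b["role"] == role:
            return set(b["members"])
    return set()


def _set_role_members(policy, role, members):
    """Write `members` for `role` in place, dropping the binding when the set is empty."""
    policy["bindings"] = [b for b in policy["bindings"] if b["role"] != role]
    if members:
        policy["bindings"].append({"role": role, "members": sorted(members)})
    return policy


def apply_instance_iam_policy(policy, bindings):
    """InstanceIamPolicy: authoritative for the whole policy. Roles not listed vanish."""
    new = {"bindings": []}
    for b in bindings:
        _set_role_members(new, b["role"], set(b["members"]))
    return new


def apply_instance_iam_binding(policy, role, members):
    """InstanceIamBinding: authoritative for one role; other roles are untouched."""
    return _set_role_members(deepcopy(policy), role, set(members))


def apply_instance_iam_member(policy, role, member):
    """InstanceIamMember: non-authoritative; adds one member and keeps everyone else."""
    new = deepcopy(policy)
    return _set_role_members(new, role, _role_members(new, role) | {member})


def revoked_by(policy, new_policy):
    """(role, member) pairs present before the change but absent after it: the grants
    an authoritative resource silently takes away, e.g. ones made in the console."""
    gone = []
    for b in policy["bindings"]:
        after = _role_members(new_policy, b["role"])
        gone.extend((b["role"], m) for m in b["members"] if m not in after)
    return sorted(gone)


# Constructed starting state: an admin group, plus a read/write grant that someone
# added out of band (console or gcloud), so the Pulumi program knows nothing about it.
CURRENT_POLICY = {
    "bindings": [
        {"role": "roles/bigtable.admin", "members": ["group:bigtable-ops@example.com"]},
        {"role": "roles/bigtable.user", "members": ["user:alice@example.com"]},
    ]
}

if __name__ == "__main__":
    after_binding = apply_instance_iam_binding(
        CURRENT_POLICY, "roles/bigtable.user", ["user:jane@example.com"])
    print("binding revokes:", revoked_by(CURRENT_POLICY, after_binding))
    # -> [('roles/bigtable.user', 'user:alice@example.com')]; the admin group survives

    after_member = apply_instance_iam_member(
        CURRENT_POLICY, "roles/bigtable.user", "user:jane@example.com")
    print("member revokes:", revoked_by(CURRENT_POLICY, after_member))
    # -> []: alice keeps her out-of-band grant, and Pulumi will never notice it

    after_policy = apply_instance_iam_policy(
        CURRENT_POLICY, [{"role": "roles/bigtable.user", "members": ["user:jane@example.com"]}])
    print("policy revokes:", revoked_by(CURRENT_POLICY, after_policy))
    # -> the admin group goes too: the "accidentally unset ownership" case
```

Run it and the binding case reports alice's out-of-band grant as revoked while the admin group survives; the member case revokes nothing, which also means it would never clean alice up; the policy case revokes the admin group as well, which is the lock-out the FAQ below warns about when a policy omits a binding.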
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and member management (binding vs member resources). They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Bigtable instances. They focus on configuring IAM bindings rather than provisioning the instances themselves.
To keep things focused, common IAM patterns are omitted, including:
- IAM conditions for time-based or attribute-based access
- Project-level configuration (uses default project)
- Full policy replacement (InstanceIamPolicy)
- Custom role definitions
These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the Bigtable InstanceIamBinding resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
What is the difference between InstanceIamPolicy, InstanceIamBinding, and InstanceIamMember?
InstanceIamPolicy replaces the entire policy (authoritative), InstanceIamBinding manages all members for a specific role (authoritative per role), and InstanceIamMember adds individual members without affecting others (non-authoritative).

Can InstanceIamPolicy be used together with InstanceIamBinding or InstanceIamMember?
No. They conflict over the same policy: each will overwrite the other's view of it on every update. Use InstanceIamPolicy alone, or use InstanceIamBinding and InstanceIamMember together for different roles.

Can I have more than one InstanceIamBinding for the same role?
No. Use one InstanceIamBinding per role. If you need to add members individually, use InstanceIamMember instead, or include all members in a single InstanceIamBinding.

What happens if an InstanceIamPolicy leaves out a binding?
InstanceIamPolicy replaces the entire policy, so you can accidentally unset instance ownership if you don't include all necessary bindings. Always ensure the policy includes every required role before applying it.

Configuration & Member Formats
Which member formats are accepted?
allUsers (anyone on the internet), allAuthenticatedUsers (anyone with a Google account), user:{email} (a specific Google account), serviceAccount:{email} (a service account), group:{email} (a Google group), or domain:{domain} (a Google Workspace, formerly G Suite, domain). The first two make the role public, so they deserve a second look in review.

How do I grant a role to several identities?
Use InstanceIamBinding with a members array containing multiple identities, such as ["user:alice@example.com", "user:bob@example.com"].

How do I add one identity without touching the others?
Use InstanceIamMember with the member property set to a single identity such as "user:jane@example.com". This adds the member without modifying other role assignments.

Roles & Permissions
How do I reference a custom role?
Use the form [projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/customBigtableRole.

Immutability & Updates
Which properties can be changed in place?
The instance, project, role, and condition properties are immutable; changing any of them requires recreating the resource. The members list can be modified without recreation.
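The member formats in the FAQ above are easy to get subtly wrong in a members list: a missing kind: prefix, an unknown kind, or an allAuthenticatedUsers that nobody meant to ship. Below is an added Python pre-deploy check, written for this page and not Pulumi or Google code, that parses each entry against those formats and applies an assumed review policy: public principals are refused unless explicitly allowed, and every email or domain must belong to an allow-listed identity domain. The candidate list, the allow-list and the function names are constructed for the example.

```python
# Added example (not Pulumi or Google code): a pre-deploy check over the `members`
# list of an InstanceIamBinding, covering the member formats listed in the FAQ and
# flagging the two public principals. The policy decisions (refusing public
# principals, the identity-domain allow-list) are assumptions for illustration.
import re

# Principal kinds that take no "kind:value" suffix and grant access to the public.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Prefixed kinds from the FAQ's format list; each value is an email address.
EMAIL_KINDS = {"user", "serviceAccount", "group"}
DOMAIN_KIND = "domain"

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def parse_member(member):
    """Split a member string into (kind, value). Raise ValueError for anything that
    does not match a documented format, so a typo never reaches `pulumi up`."""
    if member in PUBLIC_PRINCIPALS:
        return member, None
    kind, sep, value = member.partition(":")
    if not sep:
        raise ValueError(f"{member!r}: missing 'kind:' prefix")
    if kind in EMAIL_KINDS:
        if not _EMAIL_RE.match(value):
            raise ValueError(f"{member!r}: {kind} value is not an email address")
        return kind, value
    if kind == DOMAIN_KIND:
        if not _DOMAIN_RE.match(value):
            raise ValueError(f"{member!r}: not a valid domain")
        return kind, value
    raise ValueError(f"{member!r}: unknown member kind {kind!r}")


def audit_members(members, allowed_domains, allow_public=False):
    """Return human-readable findings for a members list. An empty list means the
    grant passes the assumed policy: no public principals unless explicitly allowed,
    no duplicates, and every email or domain inside `allowed_domains`."""
    findings = []
    seen = set()
    for m in members:
        if m in seen:
            findings.append(f"{m}: duplicate entry")
            continue
        seen.add(m)
        try:
            kind, value = parse_member(m)
        except ValueError as exc:
            findings.append(str(exc))
            continue
        if value is None:  # allUsers / allAuthenticatedUsers
            if not allow_public:
                findings.append(f"{m}: grants the role to the public; refused")
            continue
        dom = value if kind == DOMAIN_KIND else value.rsplit("@", 1)[1]
        if dom.lower() not in allowed_domains:
            findings.append(f"{m}: {dom} is not an allowed identity domain")
    return findings


# Constructed input: what a reviewer might see in a change to the `members` list of
# the page's "editor" binding. Two entries are deliberately wrong.
CANDIDATE_MEMBERS = [
    "user:jane@example.com",
    "serviceAccount:ingest@my-project.iam.gserviceaccount.com",
    "group:data-eng@example.com",
    "allAuthenticatedUsers",
    "jane@example.com",
]
ALLOWED_DOMAINS = {"example.com", "my-project.iam.gserviceaccount.com"}

if __name__ == "__main__":
    for finding in audit_members(CANDIDATE_MEMBERS, ALLOWED_DOMAINS):
        print("FAIL:", finding)
```

Wire audit_members into whatever gate runs before pulumi up (a unit test over the program's members list, or a CI step over the stack's YAML) so the two bad entries in the constructed list, the public principal and the bare email without a kind: prefix, fail the change before the binding is ever applied.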