The gcp:bigtable/instanceIamPolicy:InstanceIamPolicy resource, part of the Pulumi GCP provider, manages IAM policies for Bigtable instances, controlling who can access and operate on instance resources. This guide focuses on three approaches: authoritative policy replacement (InstanceIamPolicy), role-level member management (InstanceIamBinding), and individual member grants (InstanceIamMember).
These resources reference existing Bigtable instances and follow strict compatibility rules: InstanceIamPolicy replaces the entire policy and cannot be used with InstanceIamBinding or InstanceIamMember. InstanceIamBinding and InstanceIamMember can coexist if they manage different roles. The examples are intentionally small. Choose the approach that matches your IAM management strategy.
Replace the entire IAM policy with a complete definition
When you need full control over all IAM bindings for a Bigtable instance, you can define the complete policy in one place and replace any existing configuration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/bigtable.user",
members: ["user:jane@example.com"],
}],
});
const editor = new gcp.bigtable.InstanceIamPolicy("editor", {
project: "your-project",
instance: "your-bigtable-instance",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/bigtable.user",
"members": ["user:jane@example.com"],
}])
editor = gcp.bigtable.InstanceIamPolicy("editor",
project="your-project",
instance="your-bigtable-instance",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/bigtable.user",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = bigtable.NewInstanceIamPolicy(ctx, "editor", &bigtable.InstanceIamPolicyArgs{
Project: pulumi.String("your-project"),
Instance: pulumi.String("your-bigtable-instance"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/bigtable.user",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var editor = new Gcp.BigTable.InstanceIamPolicy("editor", new()
{
Project = "your-project",
Instance = "your-bigtable-instance",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.bigtable.InstanceIamPolicy;
import com.pulumi.gcp.bigtable.InstanceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/bigtable.user")
.members("user:jane@example.com")
.build())
.build());
var editor = new InstanceIamPolicy("editor", InstanceIamPolicyArgs.builder()
.project("your-project")
.instance("your-bigtable-instance")
.policyData(admin.policyData())
.build());
}
}
resources:
editor:
type: gcp:bigtable:InstanceIamPolicy
properties:
project: your-project
instance: your-bigtable-instance
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/bigtable.user
members:
- user:jane@example.com
The InstanceIamPolicy resource sets the entire IAM policy authoritatively. The policyData property accepts output from getIAMPolicy, which defines bindings as role-to-members mappings. When you apply this resource, it replaces all existing bindings on the instance, so any grants not listed in the policy document are removed.
Grant a role to multiple members at once
When multiple users or service accounts need the same role, you can bind them all in a single resource rather than creating separate grants.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.bigtable.InstanceIamBinding("editor", {
instance: "your-bigtable-instance",
role: "roles/bigtable.user",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.bigtable.InstanceIamBinding("editor",
instance="your-bigtable-instance",
role="roles/bigtable.user",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bigtable.NewInstanceIamBinding(ctx, "editor", &bigtable.InstanceIamBindingArgs{
Instance: pulumi.String("your-bigtable-instance"),
Role: pulumi.String("roles/bigtable.user"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.BigTable.InstanceIamBinding("editor", new()
{
Instance = "your-bigtable-instance",
Role = "roles/bigtable.user",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigtable.InstanceIamBinding;
import com.pulumi.gcp.bigtable.InstanceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new InstanceIamBinding("editor", InstanceIamBindingArgs.builder()
.instance("your-bigtable-instance")
.role("roles/bigtable.user")
.members("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:bigtable:InstanceIamBinding
properties:
instance: your-bigtable-instance
role: roles/bigtable.user
members:
- user:jane@example.com
The InstanceIamBinding resource manages all members for a specific role. The members property lists everyone who should have that role. This resource is authoritative for its role: it replaces the member list for roles/bigtable.user but leaves other roles untouched. Other InstanceIamBinding resources can manage different roles on the same instance.
Add a single member to a role incrementally
When you need to grant access to one user without affecting other members of the role, you can add them individually while preserving existing grants.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.bigtable.InstanceIamMember("editor", {
instance: "your-bigtable-instance",
role: "roles/bigtable.user",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.bigtable.InstanceIamMember("editor",
instance="your-bigtable-instance",
role="roles/bigtable.user",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bigtable.NewInstanceIamMember(ctx, "editor", &bigtable.InstanceIamMemberArgs{
Instance: pulumi.String("your-bigtable-instance"),
Role: pulumi.String("roles/bigtable.user"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.BigTable.InstanceIamMember("editor", new()
{
Instance = "your-bigtable-instance",
Role = "roles/bigtable.user",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigtable.InstanceIamMember;
import com.pulumi.gcp.bigtable.InstanceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new InstanceIamMember("editor", InstanceIamMemberArgs.builder()
.instance("your-bigtable-instance")
.role("roles/bigtable.user")
.member("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:bigtable:InstanceIamMember
properties:
instance: your-bigtable-instance
role: roles/bigtable.user
member: user:jane@example.com
The InstanceIamMember resource adds one member to a role non-authoritatively. The member property specifies a single identity. This resource preserves existing members of the role, making it safe to use alongside other InstanceIamMember resources that grant the same role to different users.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs incremental IAM management, and role binding and member assignment. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Bigtable instances and GCP projects. They focus on IAM policy configuration rather than provisioning the instances themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Multiple roles in a single policy
- Service account and group identities
- Custom role definitions
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Bigtable InstanceIamPolicy resource reference for all available configuration options.
Let's manage GCP Bigtable Instance IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
InstanceIamPolicy is authoritative and replaces the entire IAM policy. InstanceIamBinding is authoritative for a specific role, preserving other roles. InstanceIamMember is non-authoritative and adds a single member to a role without affecting other members.InstanceIamPolicy cannot be used with InstanceIamBinding or InstanceIamMember because they’ll conflict over the policy. Use InstanceIamPolicy alone, or use InstanceIamBinding and InstanceIamMember without InstanceIamPolicy.InstanceIamPolicy replaces the entire policy, so you can accidentally remove ownership bindings. Ensure all necessary permissions are included when using this resource.Configuration & Properties
instance and project are immutable and cannot be changed after the resource is created.[projects/my-project|organizations/my-org]/roles/my-custom-role.