The gcp:bigtable/instanceIamMember:InstanceIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for Bigtable instances by adding individual members to roles without affecting other role assignments. This guide focuses on three approaches: authoritative policy replacement, role-level member binding, and incremental single-member grants.
IAM management for Bigtable instances comes in three flavors: InstanceIamPolicy (replaces entire policy), InstanceIamBinding (manages all members for one role), and InstanceIamMember (adds one member to one role). These resources cannot be freely mixed; InstanceIamPolicy conflicts with the other two, while InstanceIamBinding and InstanceIamMember can coexist if they target different roles. The examples are intentionally small. Combine them with your own instance references and identity management.
Replace the entire IAM policy for an instance
When you need complete control over instance access, you can define the entire IAM policy in one place and replace any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/bigtable.user",
members: ["user:jane@example.com"],
}],
});
const editor = new gcp.bigtable.InstanceIamPolicy("editor", {
project: "your-project",
instance: "your-bigtable-instance",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/bigtable.user",
"members": ["user:jane@example.com"],
}])
editor = gcp.bigtable.InstanceIamPolicy("editor",
project="your-project",
instance="your-bigtable-instance",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/bigtable.user",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = bigtable.NewInstanceIamPolicy(ctx, "editor", &bigtable.InstanceIamPolicyArgs{
Project: pulumi.String("your-project"),
Instance: pulumi.String("your-bigtable-instance"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/bigtable.user",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var editor = new Gcp.BigTable.InstanceIamPolicy("editor", new()
{
Project = "your-project",
Instance = "your-bigtable-instance",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.bigtable.InstanceIamPolicy;
import com.pulumi.gcp.bigtable.InstanceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/bigtable.user")
.members("user:jane@example.com")
.build())
.build());
var editor = new InstanceIamPolicy("editor", InstanceIamPolicyArgs.builder()
.project("your-project")
.instance("your-bigtable-instance")
.policyData(admin.policyData())
.build());
}
}
resources:
editor:
type: gcp:bigtable:InstanceIamPolicy
properties:
project: your-project
instance: your-bigtable-instance
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/bigtable.user
members:
- user:jane@example.com
The InstanceIamPolicy resource sets all permissions for the instance at once. The policyData comes from getIAMPolicy, which constructs a policy document from bindings (role and member lists). This approach is authoritative: it removes any permissions not explicitly listed, so use it carefully to avoid accidentally revoking access.
Grant a role to multiple members at once
Teams often need to grant the same role to several users or service accounts without affecting other roles already assigned to the instance.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.bigtable.InstanceIamBinding("editor", {
instance: "your-bigtable-instance",
role: "roles/bigtable.user",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.bigtable.InstanceIamBinding("editor",
instance="your-bigtable-instance",
role="roles/bigtable.user",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bigtable.NewInstanceIamBinding(ctx, "editor", &bigtable.InstanceIamBindingArgs{
Instance: pulumi.String("your-bigtable-instance"),
Role: pulumi.String("roles/bigtable.user"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.BigTable.InstanceIamBinding("editor", new()
{
Instance = "your-bigtable-instance",
Role = "roles/bigtable.user",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigtable.InstanceIamBinding;
import com.pulumi.gcp.bigtable.InstanceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new InstanceIamBinding("editor", InstanceIamBindingArgs.builder()
.instance("your-bigtable-instance")
.role("roles/bigtable.user")
.members("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:bigtable:InstanceIamBinding
properties:
instance: your-bigtable-instance
role: roles/bigtable.user
members:
- user:jane@example.com
The InstanceIamBinding resource manages all members for a single role. The members array lists identities that receive the role; other roles on the instance remain unchanged. This is authoritative for the specified role only: if another InstanceIamBinding or InstanceIamMember targets the same role, they will conflict.
Add a single member to a role incrementally
When you need to grant access to one user or service account without disturbing existing members of that role, incremental grants avoid conflicts.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const editor = new gcp.bigtable.InstanceIamMember("editor", {
instance: "your-bigtable-instance",
role: "roles/bigtable.user",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
editor = gcp.bigtable.InstanceIamMember("editor",
instance="your-bigtable-instance",
role="roles/bigtable.user",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/bigtable"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := bigtable.NewInstanceIamMember(ctx, "editor", &bigtable.InstanceIamMemberArgs{
Instance: pulumi.String("your-bigtable-instance"),
Role: pulumi.String("roles/bigtable.user"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var editor = new Gcp.BigTable.InstanceIamMember("editor", new()
{
Instance = "your-bigtable-instance",
Role = "roles/bigtable.user",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.bigtable.InstanceIamMember;
import com.pulumi.gcp.bigtable.InstanceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var editor = new InstanceIamMember("editor", InstanceIamMemberArgs.builder()
.instance("your-bigtable-instance")
.role("roles/bigtable.user")
.member("user:jane@example.com")
.build());
}
}
resources:
editor:
type: gcp:bigtable:InstanceIamMember
properties:
instance: your-bigtable-instance
role: roles/bigtable.user
member: user:jane@example.com
The InstanceIamMember resource adds one member to one role without affecting other members of that role. The member property uses identity format prefixes (user:, serviceAccount:, group:, domain:, or special identifiers like allUsers). This is the most granular approach and can coexist with other InstanceIamMember resources as long as they don’t grant the same member-role pair.
Beyond these examples
These snippets focus on specific IAM management strategies: authoritative policy replacement, role-level binding management, and incremental member grants. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Bigtable instances and GCP projects. They focus on IAM binding configuration rather than provisioning the instances themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- Service account creation and management
- Cross-project or organization-level policies
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Bigtable InstanceIamMember resource reference for all available configuration options.
Let's manage GCP Bigtable Instance IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
InstanceIamPolicy is authoritative and replaces the entire IAM policy. InstanceIamBinding is authoritative for a specific role but preserves other roles. InstanceIamMember is non-authoritative and preserves other members for the same role.InstanceIamPolicy with InstanceIamBinding or InstanceIamMember (they will conflict). You can use InstanceIamBinding with InstanceIamMember only if they grant different roles.InstanceIamPolicy alongside InstanceIamBinding or InstanceIamMember causes resources to fight over the policy. Use InstanceIamPolicy alone, or use only InstanceIamBinding and InstanceIamMember together (for different roles).InstanceIamPolicy replaces the entire policy and can unset ownership or other existing permissions if they’re not included in your configuration.InstanceIamMember to add individual members without affecting other members or roles.Configuration & Identity Formats
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, or domain:{domain}.[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.[projects/my-project|organizations/my-org]/roles/my-custom-role.Immutability & Limitations
instance, member, role, project, and condition cannot be changed after creation.InstanceIamBinding can be used per role. Use InstanceIamMember to add multiple members to the same role.