The gcp:binaryauthorization/attestorIamBinding:AttestorIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Binary Authorization attestors. It controls which identities can access attestor resources by granting roles to lists of members. This guide focuses on two capabilities: granting roles to multiple members and adding individual members to roles.
IAM bindings reference existing attestors and require a GCP project with Binary Authorization enabled. The examples are intentionally small. Combine them with your own attestor resources and organizational identity management.
Grant a role to multiple members at once
Teams managing attestors often need to grant the same role to multiple users or service accounts simultaneously, such as giving viewer access to auditors or CI/CD pipelines.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.binaryauthorization.AttestorIamBinding("binding", {
project: attestor.project,
attestor: attestor.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.binaryauthorization.AttestorIamBinding("binding",
project=attestor["project"],
attestor=attestor["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := binaryauthorization.NewAttestorIamBinding(ctx, "binding", &binaryauthorization.AttestorIamBindingArgs{
Project: pulumi.Any(attestor.Project),
Attestor: pulumi.Any(attestor.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.BinaryAuthorization.AttestorIamBinding("binding", new()
{
Project = attestor.Project,
Attestor = attestor.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.binaryauthorization.AttestorIamBinding;
import com.pulumi.gcp.binaryauthorization.AttestorIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new AttestorIamBinding("binding", AttestorIamBindingArgs.builder()
.project(attestor.project())
.attestor(attestor.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:binaryauthorization:AttestorIamBinding
properties:
project: ${attestor.project}
attestor: ${attestor.name}
role: roles/viewer
members:
- user:jane@example.com
The AttestorIamBinding resource is authoritative for the specified role: it replaces the entire member list for that role while preserving other roles on the attestor. The members array accepts various identity formats including users, service accounts, groups, and federated identities. Each binding manages one role; use multiple bindings for different roles.
Add a single member to an existing role
When onboarding individual users or service accounts, you can add them one at a time without affecting existing members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.binaryauthorization.AttestorIamMember("member", {
project: attestor.project,
attestor: attestor.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.binaryauthorization.AttestorIamMember("member",
project=attestor["project"],
attestor=attestor["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/binaryauthorization"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := binaryauthorization.NewAttestorIamMember(ctx, "member", &binaryauthorization.AttestorIamMemberArgs{
Project: pulumi.Any(attestor.Project),
Attestor: pulumi.Any(attestor.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.BinaryAuthorization.AttestorIamMember("member", new()
{
Project = attestor.Project,
Attestor = attestor.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.binaryauthorization.AttestorIamMember;
import com.pulumi.gcp.binaryauthorization.AttestorIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new AttestorIamMember("member", AttestorIamMemberArgs.builder()
.project(attestor.project())
.attestor(attestor.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:binaryauthorization:AttestorIamMember
properties:
project: ${attestor.project}
attestor: ${attestor.name}
role: roles/viewer
member: user:jane@example.com
The AttestorIamMember resource is non-authoritative: it adds a single member to a role without replacing existing members. This is useful for incremental access grants. You can use AttestorIamMember alongside AttestorIamBinding as long as they don’t manage the same role, which would cause conflicts.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and member management (bulk and individual). They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Binary Authorization attestors and a GCP project with Binary Authorization enabled. They focus on configuring IAM bindings rather than provisioning attestors or projects.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Full policy replacement (AttestorIamPolicy resource)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the AttestorIamBinding resource reference for all available configuration options.
Let's manage GCP Binary Authorization Attestor IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
AttestorIamPolicy is authoritative and replaces the entire IAM policy. AttestorIamBinding is authoritative for a specific role, preserving other roles. AttestorIamMember is non-authoritative and adds a single member to a role without affecting other members.AttestorIamPolicy cannot be used with AttestorIamBinding or AttestorIamMember as they will conflict over the policy configuration.Configuration & Member Formats
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities using principal:// URIs.[projects|organizations]/{parent-name}/roles/{role-name} (e.g., projects/my-project/roles/my-custom-role).Immutability & Updates
attestor, project, role, and condition properties cannot be changed after creation. Only members can be updated.AttestorIamBinding resource can be used per role. To add multiple members to a role, include them all in the members array or use AttestorIamMember resources.