The gcp:certificateauthority/caPoolIamMember:CaPoolIamMember resource, part of the Pulumi GCP provider, grants IAM permissions to individual members for Certificate Authority Service CA pools. This resource performs non-authoritative updates, meaning it adds a single member to a role without affecting other existing members. This guide focuses on two capabilities: basic member grants and time-based access with IAM conditions.
CaPoolIamMember is one of three IAM resources for CA pools. CaPoolIamPolicy replaces the entire policy (authoritative), CaPoolIamBinding manages all members for a role (authoritative for that role), and CaPoolIamMember adds individual members (non-authoritative). These resources have compatibility constraints: CaPoolIamPolicy cannot be used with the other two, and CaPoolIamBinding can coexist with CaPoolIamMember only if they manage different roles. The examples are intentionally small. Combine them with your own CA pool infrastructure and access requirements.
Grant a single user access to a CA pool
When managing private certificate authorities, you often need to grant individual users permission to request certificates without replacing existing access grants.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.certificateauthority.CaPoolIamMember("member", {
caPool: _default.id,
role: "roles/privateca.certificateManager",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.certificateauthority.CaPoolIamMember("member",
ca_pool=default["id"],
role="roles/privateca.certificateManager",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPoolIamMember(ctx, "member", &certificateauthority.CaPoolIamMemberArgs{
CaPool: pulumi.Any(_default.Id),
Role: pulumi.String("roles/privateca.certificateManager"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.CertificateAuthority.CaPoolIamMember("member", new()
{
CaPool = @default.Id,
Role = "roles/privateca.certificateManager",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPoolIamMember;
import com.pulumi.gcp.certificateauthority.CaPoolIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new CaPoolIamMember("member", CaPoolIamMemberArgs.builder()
.caPool(default_.id())
.role("roles/privateca.certificateManager")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:certificateauthority:CaPoolIamMember
properties:
caPool: ${default.id}
role: roles/privateca.certificateManager
member: user:jane@example.com
The member property specifies who receives access, using formats like “user:email@example.com” for Google accounts or “serviceAccount:email@project.iam.gserviceaccount.com” for service accounts. The role property defines what they can do; “roles/privateca.certificateManager” allows certificate issuance and management. Because CaPoolIamMember is non-authoritative, it preserves other members already granted this role.
Add time-limited access with IAM conditions
Organizations with compliance requirements can grant access that automatically expires at a specific date and time.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.certificateauthority.CaPoolIamMember("member", {
caPool: _default.id,
role: "roles/privateca.certificateManager",
member: "user:jane@example.com",
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
member = gcp.certificateauthority.CaPoolIamMember("member",
ca_pool=default["id"],
role="roles/privateca.certificateManager",
member="user:jane@example.com",
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/certificateauthority"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := certificateauthority.NewCaPoolIamMember(ctx, "member", &certificateauthority.CaPoolIamMemberArgs{
CaPool: pulumi.Any(_default.Id),
Role: pulumi.String("roles/privateca.certificateManager"),
Member: pulumi.String("user:jane@example.com"),
Condition: &certificateauthority.CaPoolIamMemberConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.CertificateAuthority.CaPoolIamMember("member", new()
{
CaPool = @default.Id,
Role = "roles/privateca.certificateManager",
Member = "user:jane@example.com",
Condition = new Gcp.CertificateAuthority.Inputs.CaPoolIamMemberConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.certificateauthority.CaPoolIamMember;
import com.pulumi.gcp.certificateauthority.CaPoolIamMemberArgs;
import com.pulumi.gcp.certificateauthority.inputs.CaPoolIamMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new CaPoolIamMember("member", CaPoolIamMemberArgs.builder()
.caPool(default_.id())
.role("roles/privateca.certificateManager")
.member("user:jane@example.com")
.condition(CaPoolIamMemberConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
member:
type: gcp:certificateauthority:CaPoolIamMember
properties:
caPool: ${default.id}
role: roles/privateca.certificateManager
member: user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds temporal constraints to the permission grant. The expression property uses CEL (Common Expression Language) to define when access is valid; here, it expires at midnight on 2020-01-01. The title and description properties document the condition’s purpose. IAM conditions have known limitations documented by Google Cloud, particularly around certain resource types and condition complexity.
Beyond these examples
These snippets focus on specific CaPoolIamMember features: non-authoritative member grants and IAM conditions for temporal access control. They’re intentionally minimal rather than complete IAM configurations.
The examples reference pre-existing infrastructure such as CA pools (by ID) and GCP project and location configuration. They focus on granting member access rather than provisioning CA pools or managing complete IAM policies.
To keep things focused, common IAM patterns are omitted, including:
- Authoritative policy management (CaPoolIamPolicy)
- Role-level binding management (CaPoolIamBinding)
- Multiple members or complex condition expressions
- Custom role definitions and project-level overrides
These omissions are intentional: the goal is to illustrate how member-level IAM grants are wired, not provide drop-in access control modules. See the CaPoolIamMember resource reference for all available configuration options.
Let's manage GCP Certificate Authority Pool IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Conflicts & Compatibility
CaPoolIamPolicy cannot be used with CaPoolIamBinding or CaPoolIamMember because they will conflict over the policy. Use either CaPoolIamPolicy alone (authoritative) or use CaPoolIamBinding/CaPoolIamMember (non-authoritative).CaPoolIamBinding and CaPoolIamMember will conflict if they grant privileges to the same role.IAM Configuration & Roles
CaPoolIamPolicy is authoritative and replaces the entire IAM policy. CaPoolIamBinding is authoritative for a specific role, replacing all members for that role while preserving other roles. CaPoolIamMember is non-authoritative and adds a single member to a role without affecting other members.[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.Member Identities & Conditions
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, or federated identities like principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com.condition property with title, description, and expression fields. For example, set expression to request.time < timestamp("2020-01-01T00:00:00Z") to expire access at a specific time.condition property.Resource Properties & Immutability
caPool, location, member, role, project, and condition. You must recreate the resource to change any of these values.