The gcp:cloudfunctions/functionIamMember:FunctionIamMember resource, part of the Pulumi GCP provider, grants IAM permissions to Cloud Functions by adding individual members to roles without affecting other role assignments. This guide focuses on three approaches: adding single members to roles (FunctionIamMember), managing all members for a role (FunctionIamBinding), and replacing entire IAM policies (FunctionIamPolicy).
These three resources serve different use cases and have important compatibility constraints. FunctionIamPolicy cannot be used with FunctionIamBinding or FunctionIamMember, as they will conflict over policy ownership. FunctionIamBinding and FunctionIamMember can coexist only if they manage different roles. The examples are intentionally small. Choose the resource type that matches your access management strategy.
Grant a single user access to a function
Most deployments grant specific users or service accounts permission to invoke functions or view their configuration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.cloudfunctions.FunctionIamMember("member", {
project: _function.project,
region: _function.region,
cloudFunction: _function.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.cloudfunctions.FunctionIamMember("member",
project=function["project"],
region=function["region"],
cloud_function=function["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudfunctions"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudfunctions.NewFunctionIamMember(ctx, "member", &cloudfunctions.FunctionIamMemberArgs{
Project: pulumi.Any(function.Project),
Region: pulumi.Any(function.Region),
CloudFunction: pulumi.Any(function.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.CloudFunctions.FunctionIamMember("member", new()
{
Project = function.Project,
Region = function.Region,
CloudFunction = function.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudfunctions.FunctionIamMember;
import com.pulumi.gcp.cloudfunctions.FunctionIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new FunctionIamMember("member", FunctionIamMemberArgs.builder()
.project(function.project())
.region(function.region())
.cloudFunction(function.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:cloudfunctions:FunctionIamMember
properties:
project: ${function.project}
region: ${function.region}
cloudFunction: ${function.name}
role: roles/viewer
member: user:jane@example.com
The member property specifies one identity in a standard format: user:email, serviceAccount:email, group:email, or special identifiers like allUsers. The role property sets the permission level. FunctionIamMember is non-authoritative, meaning it adds this member without removing others already assigned to the role.
Grant a role to multiple members at once
When multiple identities need the same access level, binding them together ensures they’re managed as a group.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.cloudfunctions.FunctionIamBinding("binding", {
project: _function.project,
region: _function.region,
cloudFunction: _function.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.cloudfunctions.FunctionIamBinding("binding",
project=function["project"],
region=function["region"],
cloud_function=function["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudfunctions"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudfunctions.NewFunctionIamBinding(ctx, "binding", &cloudfunctions.FunctionIamBindingArgs{
Project: pulumi.Any(function.Project),
Region: pulumi.Any(function.Region),
CloudFunction: pulumi.Any(function.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.CloudFunctions.FunctionIamBinding("binding", new()
{
Project = function.Project,
Region = function.Region,
CloudFunction = function.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudfunctions.FunctionIamBinding;
import com.pulumi.gcp.cloudfunctions.FunctionIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new FunctionIamBinding("binding", FunctionIamBindingArgs.builder()
.project(function.project())
.region(function.region())
.cloudFunction(function.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:cloudfunctions:FunctionIamBinding
properties:
project: ${function.project}
region: ${function.region}
cloudFunction: ${function.name}
role: roles/viewer
members:
- user:jane@example.com
The members property takes a list of identities that will all receive the specified role. FunctionIamBinding is authoritative for this role, replacing any existing members for that role while preserving other roles on the function. This differs from FunctionIamMember, which adds members incrementally.
Replace the entire IAM policy for a function
Some deployments require complete control over all IAM bindings, replacing any existing policy.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.cloudfunctions.FunctionIamPolicy("policy", {
project: _function.project,
region: _function.region,
cloudFunction: _function.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.cloudfunctions.FunctionIamPolicy("policy",
project=function["project"],
region=function["region"],
cloud_function=function["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudfunctions"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = cloudfunctions.NewFunctionIamPolicy(ctx, "policy", &cloudfunctions.FunctionIamPolicyArgs{
Project: pulumi.Any(function.Project),
Region: pulumi.Any(function.Region),
CloudFunction: pulumi.Any(function.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.CloudFunctions.FunctionIamPolicy("policy", new()
{
Project = function.Project,
Region = function.Region,
CloudFunction = function.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.cloudfunctions.FunctionIamPolicy;
import com.pulumi.gcp.cloudfunctions.FunctionIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new FunctionIamPolicy("policy", FunctionIamPolicyArgs.builder()
.project(function.project())
.region(function.region())
.cloudFunction(function.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:cloudfunctions:FunctionIamPolicy
properties:
project: ${function.project}
region: ${function.region}
cloudFunction: ${function.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts a complete IAM policy document, typically retrieved from getIAMPolicy. FunctionIamPolicy is fully authoritative, replacing the entire policy. This approach requires careful coordination: using it alongside FunctionIamBinding or FunctionIamMember will cause conflicts as they compete to control the policy.
Beyond these examples
These snippets focus on specific IAM management approaches: incremental member grants (FunctionIamMember), role-level binding management (FunctionIamBinding), and complete policy replacement (FunctionIamPolicy). They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Cloud Functions that need IAM configuration. They focus on granting permissions rather than provisioning the functions themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Cross-project or cross-region function references
- Custom role definitions and formatting
- Service account and federated identity configuration
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Cloud Functions FunctionIamMember resource reference for all available configuration options.
Let's manage GCP Cloud Functions IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
FunctionIamPolicy (authoritative, replaces entire policy), FunctionIamBinding (authoritative per role, preserves other roles), or FunctionIamMember (non-authoritative, preserves other members for the role). Choose based on how much control you need over the IAM policy.FunctionIamPolicy cannot be used with FunctionIamBinding or FunctionIamMember because they will conflict over policy control. Use FunctionIamPolicy alone for full policy management, or use FunctionIamBinding/FunctionIamMember for granular control.Configuration & Identity Formats
The member property supports multiple formats:
allUsersorallAuthenticatedUsersfor public/authenticated accessuser:{email},serviceAccount:{email},group:{email}for specific identitiesdomain:{domain}for G Suite domainsprojectOwner/Editor/Viewer:{projectid}for project-level roles- Federated identities using
principal://format
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.Immutability & Lifecycle
cloudFunction, member, project, region, and role. Changing any of these requires recreating the resource.