The gcp:cloudfunctions/functionIamPolicy:FunctionIamPolicy resource, part of the Pulumi GCP provider, manages IAM permissions for Cloud Functions at three levels: entire policy replacement (FunctionIamPolicy), role-level grants (FunctionIamBinding), or individual member grants (FunctionIamMember). This guide focuses on three capabilities: authoritative policy replacement, role-level member lists, and incremental member grants.
All three resources reference an existing Cloud Function by name, project, and region. The examples are intentionally small. Combine them with your own function definitions and organizational IAM structure.
Replace the entire IAM policy with FunctionIamPolicy
When you need complete control over all IAM permissions for a Cloud Function, FunctionIamPolicy replaces the entire policy in one operation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.cloudfunctions.FunctionIamPolicy("policy", {
project: _function.project,
region: _function.region,
cloudFunction: _function.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.cloudfunctions.FunctionIamPolicy("policy",
project=function["project"],
region=function["region"],
cloud_function=function["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudfunctions"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = cloudfunctions.NewFunctionIamPolicy(ctx, "policy", &cloudfunctions.FunctionIamPolicyArgs{
Project: pulumi.Any(function.Project),
Region: pulumi.Any(function.Region),
CloudFunction: pulumi.Any(function.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.CloudFunctions.FunctionIamPolicy("policy", new()
{
Project = function.Project,
Region = function.Region,
CloudFunction = function.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.cloudfunctions.FunctionIamPolicy;
import com.pulumi.gcp.cloudfunctions.FunctionIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new FunctionIamPolicy("policy", FunctionIamPolicyArgs.builder()
.project(function.project())
.region(function.region())
.cloudFunction(function.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:cloudfunctions:FunctionIamPolicy
properties:
project: ${function.project}
region: ${function.region}
cloudFunction: ${function.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts output from getIAMPolicy, which defines bindings (role-to-members mappings). FunctionIamPolicy is authoritative: it removes any existing IAM bindings not included in the policy document. The cloudFunction property identifies which function to update. This approach cannot be combined with FunctionIamBinding or FunctionIamMember, as they would conflict over policy ownership.
Grant a role to multiple members with FunctionIamBinding
Teams often need to grant the same role to multiple users or service accounts while preserving other role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.cloudfunctions.FunctionIamBinding("binding", {
project: _function.project,
region: _function.region,
cloudFunction: _function.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.cloudfunctions.FunctionIamBinding("binding",
project=function["project"],
region=function["region"],
cloud_function=function["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudfunctions"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudfunctions.NewFunctionIamBinding(ctx, "binding", &cloudfunctions.FunctionIamBindingArgs{
Project: pulumi.Any(function.Project),
Region: pulumi.Any(function.Region),
CloudFunction: pulumi.Any(function.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.CloudFunctions.FunctionIamBinding("binding", new()
{
Project = function.Project,
Region = function.Region,
CloudFunction = function.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudfunctions.FunctionIamBinding;
import com.pulumi.gcp.cloudfunctions.FunctionIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new FunctionIamBinding("binding", FunctionIamBindingArgs.builder()
.project(function.project())
.region(function.region())
.cloudFunction(function.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:cloudfunctions:FunctionIamBinding
properties:
project: ${function.project}
region: ${function.region}
cloudFunction: ${function.name}
role: roles/viewer
members:
- user:jane@example.com
FunctionIamBinding is authoritative for a single role: it replaces all members for that role but leaves other roles untouched. The members property accepts a list of identities (users, service accounts, groups). You can use multiple FunctionIamBinding resources for different roles, or combine them with FunctionIamMember resources as long as they don’t target the same role.
Add a single member to a role with FunctionIamMember
When you need to grant access to one user or service account without affecting existing members, FunctionIamMember adds incrementally.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.cloudfunctions.FunctionIamMember("member", {
project: _function.project,
region: _function.region,
cloudFunction: _function.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.cloudfunctions.FunctionIamMember("member",
project=function["project"],
region=function["region"],
cloud_function=function["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudfunctions"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudfunctions.NewFunctionIamMember(ctx, "member", &cloudfunctions.FunctionIamMemberArgs{
Project: pulumi.Any(function.Project),
Region: pulumi.Any(function.Region),
CloudFunction: pulumi.Any(function.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.CloudFunctions.FunctionIamMember("member", new()
{
Project = function.Project,
Region = function.Region,
CloudFunction = function.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudfunctions.FunctionIamMember;
import com.pulumi.gcp.cloudfunctions.FunctionIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new FunctionIamMember("member", FunctionIamMemberArgs.builder()
.project(function.project())
.region(function.region())
.cloudFunction(function.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:cloudfunctions:FunctionIamMember
properties:
project: ${function.project}
region: ${function.region}
cloudFunction: ${function.name}
role: roles/viewer
member: user:jane@example.com
FunctionIamMember is non-authoritative: it adds one member to a role without removing other members. The member property specifies a single identity. This is the most granular approach and can be combined with FunctionIamBinding for different roles. Use this when you want to grant access without coordinating with other teams managing the same function’s IAM policy.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management, and policy-level, role-level, and member-level grants. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Cloud Functions (by name, project, region). They focus on IAM policy configuration rather than provisioning the functions themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Service account impersonation
- Custom role definitions
- Audit logging configuration
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Cloud Functions FunctionIamPolicy resource reference for all available configuration options.
Let's manage GCP Cloud Functions IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
FunctionIamPolicy is authoritative and replaces the entire IAM policy. FunctionIamBinding is authoritative for a specific role, preserving other roles. FunctionIamMember is non-authoritative and adds a single member without affecting other members for that role.FunctionIamPolicy cannot be used alongside FunctionIamBinding or FunctionIamMember because they will conflict over the IAM policy state.Configuration & Defaults
gcp.organizations.getIAMPolicy data source to generate policyData, as shown in the example.project and region default to the provider configuration if not specified. They can also be parsed from the parent resource identifier.Immutability & Updates
cloudFunction, project, and region properties are immutable. Changing them requires recreating the resource.