The gcp:cloudfunctionsv2/functionIamBinding:FunctionIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Cloud Functions (2nd gen), controlling which identities can access or invoke functions. This guide focuses on two capabilities: authoritative role binding that replaces all members for a role, and non-authoritative member addition that preserves existing members.
IAM bindings reference existing Cloud Functions and grant access to users, service accounts, or groups. The examples are intentionally small. Combine them with your own function definitions and identity management.
Note that FunctionIamBinding is authoritative for a given role, meaning it replaces the complete member list for that role. It can be used alongside FunctionIamMember resources only if they manage different roles. FunctionIamPolicy cannot be used with either FunctionIamBinding or FunctionIamMember, as they will conflict over policy state.
Grant a role to multiple members at once
When managing team access, you often need to assign the same role to multiple users or service accounts simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.cloudfunctionsv2.FunctionIamBinding("binding", {
project: _function.project,
location: _function.location,
cloudFunction: _function.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.cloudfunctionsv2.FunctionIamBinding("binding",
project=function["project"],
location=function["location"],
cloud_function=function["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudfunctionsv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudfunctionsv2.NewFunctionIamBinding(ctx, "binding", &cloudfunctionsv2.FunctionIamBindingArgs{
Project: pulumi.Any(function.Project),
Location: pulumi.Any(function.Location),
CloudFunction: pulumi.Any(function.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.CloudFunctionsV2.FunctionIamBinding("binding", new()
{
Project = function.Project,
Location = function.Location,
CloudFunction = function.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudfunctionsv2.FunctionIamBinding;
import com.pulumi.gcp.cloudfunctionsv2.FunctionIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new FunctionIamBinding("binding", FunctionIamBindingArgs.builder()
.project(function.project())
.location(function.location())
.cloudFunction(function.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:cloudfunctionsv2:FunctionIamBinding
properties:
project: ${function.project}
location: ${function.location}
cloudFunction: ${function.name}
role: roles/viewer
members:
- user:jane@example.com
The role property specifies which permission set to grant (e.g., “roles/viewer” for read-only access). The members array lists all identities that should have this role; this resource replaces any existing members for this role on the function. The cloudFunction, project, and location properties identify which function to configure.
Add a single member to a role incrementally
When onboarding individual users, you can add them to a role without affecting existing members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.cloudfunctionsv2.FunctionIamMember("member", {
project: _function.project,
location: _function.location,
cloudFunction: _function.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.cloudfunctionsv2.FunctionIamMember("member",
project=function["project"],
location=function["location"],
cloud_function=function["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudfunctionsv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudfunctionsv2.NewFunctionIamMember(ctx, "member", &cloudfunctionsv2.FunctionIamMemberArgs{
Project: pulumi.Any(function.Project),
Location: pulumi.Any(function.Location),
CloudFunction: pulumi.Any(function.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.CloudFunctionsV2.FunctionIamMember("member", new()
{
Project = function.Project,
Location = function.Location,
CloudFunction = function.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudfunctionsv2.FunctionIamMember;
import com.pulumi.gcp.cloudfunctionsv2.FunctionIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new FunctionIamMember("member", FunctionIamMemberArgs.builder()
.project(function.project())
.location(function.location())
.cloudFunction(function.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:cloudfunctionsv2:FunctionIamMember
properties:
project: ${function.project}
location: ${function.location}
cloudFunction: ${function.name}
role: roles/viewer
member: user:jane@example.com
FunctionIamMember is non-authoritative: it adds one member to a role while preserving other members who already have that role. Use member (singular) instead of members (array) to specify the identity. This approach works well when multiple teams manage access independently, as each can add their own members without coordinating on the complete member list.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than complete access control configurations.
The examples reference pre-existing infrastructure such as Cloud Functions (2nd gen) functions and a GCP project with appropriate IAM permissions. They focus on configuring access rather than provisioning functions or managing identities.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (FunctionIamPolicy resource)
- Custom role definitions
- Service account creation and management
These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the Cloud Functions FunctionIamBinding resource reference for all available configuration options.
Let's configure GCP Cloud Functions IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
FunctionIamPolicy is authoritative and replaces the entire IAM policy. FunctionIamBinding is authoritative for a specific role, preserving other roles in the policy. FunctionIamMember is non-authoritative, adding a single member to a role while preserving other members.FunctionIamPolicy cannot be used with FunctionIamBinding or FunctionIamMember because they will conflict over the policy.Configuration & Identity Formats
The members property supports multiple formats:
allUsersandallAuthenticatedUsersfor public/authenticated accessuser:{email},serviceAccount:{email},group:{email}for specific identitiesdomain:{domain}for G Suite domainsprojectOwner/Editor/Viewer:{projectid}for project-level roles- Federated identities using
principal://format
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role.FunctionIamBinding can be used per role. If you need to add multiple members to the same role, list them all in the members array of a single binding, or use FunctionIamMember resources instead.Immutability & Limitations
cloudFunction, location, project, role, and condition. Changing any of these requires recreating the resource.