Configure GCP Cloud Run Job IAM Bindings

The gcp:cloudrunv2/jobIamBinding:JobIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Cloud Run v2 jobs. This resource is authoritative for a given role, meaning it controls the complete list of members who have that role while preserving other roles on the job. This guide focuses on two capabilities: authoritative role binding for multiple members and non-authoritative member addition.

IAM bindings reference existing Cloud Run jobs and require valid GCP projects and locations. The examples are intentionally small. Combine them with your own job resources and identity management strategy.

Grant a role to multiple members with JobIamBinding

Teams managing Cloud Run jobs often need to grant the same role to multiple users or service accounts.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.cloudrunv2.JobIamBinding("binding", {
    project: _default.project,
    location: _default.location,
    name: _default.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.cloudrunv2.JobIamBinding("binding",
    project=default["project"],
    location=default["location"],
    name=default["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := cloudrunv2.NewJobIamBinding(ctx, "binding", &cloudrunv2.JobIamBindingArgs{
			Project:  pulumi.Any(_default.Project),
			Location: pulumi.Any(_default.Location),
			Name:     pulumi.Any(_default.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.CloudRunV2.JobIamBinding("binding", new()
    {
        Project = @default.Project,
        Location = @default.Location,
        Name = @default.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.JobIamBinding;
import com.pulumi.gcp.cloudrunv2.JobIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new JobIamBinding("binding", JobIamBindingArgs.builder()
            .project(default_.project())
            .location(default_.location())
            .name(default_.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:cloudrunv2:JobIamBinding
    properties:
      project: ${default.project}
      location: ${default.location}
      name: ${default.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The role property specifies which permission set to grant (e.g., “roles/viewer”). The members array lists all identities that should have this role. JobIamBinding is authoritative for the specified role, meaning it replaces any existing members for that role while preserving other roles on the job. The project, location, and name properties identify which Cloud Run job to bind the policy to.

Add a single member to a role with JobIamMember

When you need to grant access to one additional user without affecting existing members, JobIamMember adds incrementally.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.cloudrunv2.JobIamMember("member", {
    project: _default.project,
    location: _default.location,
    name: _default.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.cloudrunv2.JobIamMember("member",
    project=default["project"],
    location=default["location"],
    name=default["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := cloudrunv2.NewJobIamMember(ctx, "member", &cloudrunv2.JobIamMemberArgs{
			Project:  pulumi.Any(_default.Project),
			Location: pulumi.Any(_default.Location),
			Name:     pulumi.Any(_default.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.CloudRunV2.JobIamMember("member", new()
    {
        Project = @default.Project,
        Location = @default.Location,
        Name = @default.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.JobIamMember;
import com.pulumi.gcp.cloudrunv2.JobIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new JobIamMember("member", JobIamMemberArgs.builder()
            .project(default_.project())
            .location(default_.location())
            .name(default_.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:cloudrunv2:JobIamMember
    properties:
      project: ${default.project}
      location: ${default.location}
      name: ${default.name}
      role: roles/viewer
      member: user:jane@example.com

The member property specifies a single identity to add to the role. Unlike JobIamBinding, JobIamMember is non-authoritative: it adds one member without replacing existing members for that role. This approach works well when multiple teams manage access independently, as each can add their own members without coordinating changes.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.

The examples reference pre-existing infrastructure such as Cloud Run v2 jobs and GCP projects and locations. They focus on configuring IAM bindings rather than provisioning the underlying job resources.

To keep things focused, common IAM patterns are omitted, including:

  • Conditional IAM bindings (condition property)
  • Policy-level management (JobIamPolicy resource)
  • Custom role definitions
  • Federated identity configuration

These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the Cloud Run v2 Job IAM Binding resource reference for all available configuration options.

Let's configure GCP Cloud Run Job IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts
What's the difference between JobIamPolicy, JobIamBinding, and JobIamMember?
JobIamPolicy is authoritative and replaces the entire IAM policy. JobIamBinding is authoritative for a specific role but preserves other roles. JobIamMember is non-authoritative and preserves other members for the same role.
Which IAM resources can I use together?
You cannot use JobIamPolicy with JobIamBinding or JobIamMember, as they will conflict. You can use JobIamBinding with JobIamMember only if they grant different roles.
When should I use JobIamBinding vs JobIamMember?
Use JobIamBinding when you want to manage all members for a specific role. Use JobIamMember when you want to grant access to individual members without affecting other members of the same role.
Configuration & Member Formats
What member identity formats are supported?

Supported formats include:

  • allUsers and allAuthenticatedUsers for public/authenticated access
  • user:{email}, serviceAccount:{email}, group:{email} for specific identities
  • domain:{domain} for G Suite domains
  • projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid} for project roles
  • Federated identities using principal:// format
How do I specify custom roles?
Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.
How do I grant access to a single user?
Use JobIamMember with member set to user:{email}, such as user:jane@example.com.
Immutability & Constraints
What properties can't be changed after creation?
The location, name, project, and role properties are all immutable and cannot be changed after the resource is created.
Can I use multiple JobIamBinding resources for the same role?
No, only one JobIamBinding can be used per role. If you need to add individual members to a role, use JobIamMember instead.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides