The gcp:cloudrunv2/jobIamPolicy:JobIamPolicy resource, part of the Pulumi GCP provider, manages IAM permissions for Cloud Run v2 jobs by setting the complete policy and replacing any existing permissions. This guide focuses on three approaches: single-member grants (JobIamMember), multi-member role bindings (JobIamBinding), and full policy replacement (JobIamPolicy).
These resources reference existing Cloud Run jobs by project, location, and name. JobIamPolicy cannot be used with JobIamBinding or JobIamMember on the same job, as they conflict over policy ownership. The examples are intentionally small. Combine them with your own job definitions and IAM strategy.
Grant a role to a single member
When you need to give one user or service account access without affecting other permissions, JobIamMember adds that single member to the role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.cloudrunv2.JobIamMember("member", {
project: _default.project,
location: _default.location,
name: _default.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.cloudrunv2.JobIamMember("member",
project=default["project"],
location=default["location"],
name=default["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewJobIamMember(ctx, "member", &cloudrunv2.JobIamMemberArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.CloudRunV2.JobIamMember("member", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.JobIamMember;
import com.pulumi.gcp.cloudrunv2.JobIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new JobIamMember("member", JobIamMemberArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:cloudrunv2:JobIamMember
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
role: roles/viewer
member: user:jane@example.com
The member property specifies one identity (user, service account, or group) to grant the role. This resource is non-authoritative: it adds the member without removing others who already have the role. Use this when you want to incrementally grant access without managing the full member list.
Grant a role to multiple members at once
When multiple users or service accounts need the same level of access, JobIamBinding sets the complete member list for a role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.cloudrunv2.JobIamBinding("binding", {
project: _default.project,
location: _default.location,
name: _default.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.cloudrunv2.JobIamBinding("binding",
project=default["project"],
location=default["location"],
name=default["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewJobIamBinding(ctx, "binding", &cloudrunv2.JobIamBindingArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.CloudRunV2.JobIamBinding("binding", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.JobIamBinding;
import com.pulumi.gcp.cloudrunv2.JobIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new JobIamBinding("binding", JobIamBindingArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:cloudrunv2:JobIamBinding
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
role: roles/viewer
members:
- user:jane@example.com
The members property takes an array of identities. This resource is authoritative for the specified role: it replaces the member list for that role while preserving other roles on the job. Use this when you want to manage all members for a role in one place.
Replace the entire IAM policy with a data source
When you need complete control over all roles and members, JobIamPolicy replaces the job’s entire IAM policy.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.cloudrunv2.JobIamPolicy("policy", {
project: _default.project,
location: _default.location,
name: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.cloudrunv2.JobIamPolicy("policy",
project=default["project"],
location=default["location"],
name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = cloudrunv2.NewJobIamPolicy(ctx, "policy", &cloudrunv2.JobIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.CloudRunV2.JobIamPolicy("policy", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.cloudrunv2.JobIamPolicy;
import com.pulumi.gcp.cloudrunv2.JobIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new JobIamPolicy("policy", JobIamPolicyArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:cloudrunv2:JobIamPolicy
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts output from the getIAMPolicy data source, which defines bindings (role-to-members mappings). This resource is fully authoritative: it replaces all roles and members on the job. Use this when you want centralized policy management, but be aware it cannot coexist with JobIamBinding or JobIamMember resources on the same job.
Beyond these examples
These snippets focus on specific IAM management approaches: single-member grants, multi-member role bindings, and full policy replacement. They’re intentionally minimal rather than complete access control systems.
The examples reference pre-existing infrastructure such as Cloud Run jobs (by project, location, and name). They focus on configuring IAM permissions rather than provisioning the jobs themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Service account creation and management
- Custom role definitions
- Policy conflict resolution between resource types
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Cloud Run Job IAM Policy resource reference for all available configuration options.
Let's manage GCP Cloud Run Job IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Three resources manage IAM policies with different behaviors:
- JobIamPolicy - Authoritative. Replaces the entire IAM policy for the job.
- JobIamBinding - Authoritative for a given role. Grants a role to a list of members while preserving other roles.
- JobIamMember - Non-authoritative. Adds a single member to a role while preserving other members.
JobIamPolicy cannot be used with JobIamBinding or JobIamMember because they will conflict over the policy. Use JobIamPolicy alone for full control, or use JobIamBinding and JobIamMember together.Configuration & Usage
JobIamPolicy with policyData generated by the gcp.organizations.getIAMPolicy data source. The example shows granting roles/viewer to user:jane@example.com.JobIamMember, which is non-authoritative and preserves existing members. Specify the role and member properties as shown in the example.gcp.organizations.getIAMPolicy data source with bindings that specify roles and members, then pass the resulting policyData to JobIamPolicy.Properties & Immutability
location, name, and project properties are all immutable and cannot be changed after creation.