The gcp:cloudrunv2/jobIamPolicy:JobIamPolicy resource, part of the Pulumi GCP provider, manages IAM permissions for Cloud Run v2 jobs, controlling who can invoke, view, or administer job executions. This guide focuses on three approaches: authoritative policy replacement, role-level member assignment, and incremental member addition.
IAM management for Cloud Run jobs comes in three forms: JobIamPolicy (replaces the entire policy), JobIamBinding (manages all members for one role), and JobIamMember (adds individual members). JobIamPolicy cannot be used alongside JobIamBinding or JobIamMember, as they conflict over policy ownership. JobIamBinding and JobIamMember can coexist if they manage different roles. The examples are intentionally small. Combine them with your own job definitions and organizational access patterns.
Replace the entire IAM policy for a job
When you need complete control over job permissions, you can set the entire IAM policy at once, replacing any existing access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.cloudrunv2.JobIamPolicy("policy", {
project: _default.project,
location: _default.location,
name: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.cloudrunv2.JobIamPolicy("policy",
project=default["project"],
location=default["location"],
name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = cloudrunv2.NewJobIamPolicy(ctx, "policy", &cloudrunv2.JobIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.CloudRunV2.JobIamPolicy("policy", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.cloudrunv2.JobIamPolicy;
import com.pulumi.gcp.cloudrunv2.JobIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new JobIamPolicy("policy", JobIamPolicyArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:cloudrunv2:JobIamPolicy
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The JobIamPolicy resource takes policyData from the getIAMPolicy data source, which defines bindings (role-to-members mappings). This approach is authoritative: it replaces the job’s entire IAM policy, removing any permissions not explicitly listed. Use this when you want to define all access in one place.
Grant a role to multiple members at once
Teams often assign the same role to several users or service accounts without affecting other roles on the job.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.cloudrunv2.JobIamBinding("binding", {
project: _default.project,
location: _default.location,
name: _default.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.cloudrunv2.JobIamBinding("binding",
project=default["project"],
location=default["location"],
name=default["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewJobIamBinding(ctx, "binding", &cloudrunv2.JobIamBindingArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.CloudRunV2.JobIamBinding("binding", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.JobIamBinding;
import com.pulumi.gcp.cloudrunv2.JobIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new JobIamBinding("binding", JobIamBindingArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:cloudrunv2:JobIamBinding
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
role: roles/viewer
members:
- user:jane@example.com
The JobIamBinding resource grants a single role to a list of members. It’s authoritative for that specific role, meaning it replaces all members currently assigned to that role while preserving other roles. Use this when you manage a team’s access to one role as a group.
Add a single member to a role incrementally
When you want to grant access to one user without disturbing existing permissions, add individual members one at a time.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.cloudrunv2.JobIamMember("member", {
project: _default.project,
location: _default.location,
name: _default.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.cloudrunv2.JobIamMember("member",
project=default["project"],
location=default["location"],
name=default["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewJobIamMember(ctx, "member", &cloudrunv2.JobIamMemberArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.CloudRunV2.JobIamMember("member", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.JobIamMember;
import com.pulumi.gcp.cloudrunv2.JobIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new JobIamMember("member", JobIamMemberArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:cloudrunv2:JobIamMember
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
role: roles/viewer
member: user:jane@example.com
The JobIamMember resource is non-authoritative: it adds one member to a role without affecting other members already assigned. Use this when you need to grant access incrementally, such as onboarding new team members or granting service account permissions.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs incremental IAM management, and policy-level, role-level, and member-level control. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as Cloud Run v2 jobs (by project, location, and name). They focus on IAM configuration rather than job provisioning.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition blocks)
- Service account impersonation
- Custom role definitions
- IAM policy retrieval (data source usage)
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Cloud Run v2 Job IAM Policy resource reference for all available configuration options.
Let's manage GCP Cloud Run Job IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Choose based on your needs:
- JobIamPolicy - Authoritative. Replaces the entire IAM policy.
- JobIamBinding - Authoritative for a specific role. Preserves other roles.
- JobIamMember - Non-authoritative. Adds a single member to a role, preserving other members.
JobIamPolicy cannot be used with JobIamBinding or JobIamMember because they will conflict over the policy.Configuration & Setup
gcp.organizations.getIAMPolicy data source to generate policyData, as shown in the example.location, name, and project properties are all immutable and used to identify the parent Cloud Run job.