The gcp:cloudrunv2/serviceIamMember:ServiceIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for Cloud Run v2 services by adding individual members to roles. This guide focuses on three capabilities: single-member role grants, role-level member management, and complete policy replacement.
Cloud Run IAM resources reference existing services and require valid member identifiers. The examples are intentionally small. Combine them with your own service definitions and identity management.
Grant a role to a single member
Most IAM configurations start by granting a specific role to one user or service account without affecting other members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.cloudrunv2.ServiceIamMember("member", {
project: _default.project,
location: _default.location,
name: _default.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.cloudrunv2.ServiceIamMember("member",
project=default["project"],
location=default["location"],
name=default["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewServiceIamMember(ctx, "member", &cloudrunv2.ServiceIamMemberArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.CloudRunV2.ServiceIamMember("member", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.ServiceIamMember;
import com.pulumi.gcp.cloudrunv2.ServiceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new ServiceIamMember("member", ServiceIamMemberArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:cloudrunv2:ServiceIamMember
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
role: roles/viewer
member: user:jane@example.com
ServiceIamMember is non-authoritative: it adds one member to a role while preserving existing assignments. The member property accepts user emails, service account emails, groups, domains, or special identifiers like “allUsers”. The role property specifies a predefined or custom role. This resource references the service by name, location, and project.
Grant a role to multiple members at once
When multiple users need the same permissions, ServiceIamBinding manages the complete member list for a role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.cloudrunv2.ServiceIamBinding("binding", {
project: _default.project,
location: _default.location,
name: _default.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.cloudrunv2.ServiceIamBinding("binding",
project=default["project"],
location=default["location"],
name=default["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := cloudrunv2.NewServiceIamBinding(ctx, "binding", &cloudrunv2.ServiceIamBindingArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.CloudRunV2.ServiceIamBinding("binding", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.cloudrunv2.ServiceIamBinding;
import com.pulumi.gcp.cloudrunv2.ServiceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new ServiceIamBinding("binding", ServiceIamBindingArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:cloudrunv2:ServiceIamBinding
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
role: roles/viewer
members:
- user:jane@example.com
ServiceIamBinding is authoritative for the specified role: it replaces any existing members with the provided list. The members property accepts an array of identity strings. This approach works well when you want to define all members for a role in one place, but conflicts with ServiceIamMember if both try to manage the same role.
Replace the entire IAM policy
ServiceIamPolicy sets the complete IAM policy for a service, replacing any existing policy.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.cloudrunv2.ServiceIamPolicy("policy", {
project: _default.project,
location: _default.location,
name: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.cloudrunv2.ServiceIamPolicy("policy",
project=default["project"],
location=default["location"],
name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/cloudrunv2"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = cloudrunv2.NewServiceIamPolicy(ctx, "policy", &cloudrunv2.ServiceIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
Name: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.CloudRunV2.ServiceIamPolicy("policy", new()
{
Project = @default.Project,
Location = @default.Location,
Name = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.cloudrunv2.ServiceIamPolicy;
import com.pulumi.gcp.cloudrunv2.ServiceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new ServiceIamPolicy("policy", ServiceIamPolicyArgs.builder()
.project(default_.project())
.location(default_.location())
.name(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:cloudrunv2:ServiceIamPolicy
properties:
project: ${default.project}
location: ${default.location}
name: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
This resource is fully authoritative: it replaces the entire IAM policy with the provided bindings. The policyData property comes from the getIAMPolicy data source, which defines roles and their members. Use this approach only when you need complete control over all roles and members. ServiceIamPolicy conflicts with both ServiceIamBinding and ServiceIamMember; they cannot be used together on the same service.
Beyond these examples
These snippets focus on specific IAM management approaches: single-member grants (ServiceIamMember), role-level member lists (ServiceIamBinding), and complete policy replacement (ServiceIamPolicy). They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Cloud Run v2 services. They focus on configuring IAM permissions rather than provisioning the services themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions
- Service account creation and management
- Workload identity federation setup
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Cloud Run v2 ServiceIamMember resource reference for all available configuration options.
Let's manage GCP Cloud Run Service IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
ServiceIamPolicy sets the entire IAM policy (authoritative and replaces existing policies), ServiceIamBinding manages all members for a specific role (authoritative per role, preserves other roles), or ServiceIamMember adds individual members to a role (non-authoritative, preserves other members).ServiceIamPolicy cannot be used with ServiceIamBinding or ServiceIamMember because they will conflict over the IAM policy configuration.Configuration & Identity Formats
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, and federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.location, name, project, role, member, and condition cannot be changed after the resource is created.Import & Advanced Usage
pulumi import gcp:cloudrunv2/serviceIamMember:ServiceIamMember editor "projects/{{project}}/locations/{{location}}/services/{{service}} roles/viewer user:jane@example.com".