Manage GCP Compute Disk IAM Policies

The gcp:compute/diskIamPolicy:DiskIamPolicy resource, part of the Pulumi GCP provider, manages IAM access control for Compute Engine disks. This guide focuses on three approaches: authoritative policy replacement (DiskIamPolicy), role-level binding management (DiskIamBinding), and incremental member grants (DiskIamMember).

These resources reference existing Compute Engine disks and require project/zone configuration. The examples are intentionally small. Combine them with your own disk resources and organizational IAM structure.

Replace the entire IAM policy for a disk

When you need complete control over disk access, you can set the entire IAM policy at once, replacing any existing permissions.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const admin = gcp.organizations.getIAMPolicy({
    bindings: [{
        role: "roles/viewer",
        members: ["user:jane@example.com"],
    }],
});
const policy = new gcp.compute.DiskIamPolicy("policy", {
    project: _default.project,
    zone: _default.zone,
    name: _default.name,
    policyData: admin.then(admin => admin.policyData),
});

import pulumi
import pulumi_gcp as gcp

admin = gcp.organizations.get_iam_policy(bindings=[{
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}])
policy = gcp.compute.DiskIamPolicy("policy",
    project=default["project"],
    zone=default["zone"],
    name=default["name"],
    policy_data=admin.policy_data)

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{
				{
					Role: "roles/viewer",
					Members: []string{
						"user:jane@example.com",
					},
				},
			},
		}, nil)
		if err != nil {
			return err
		}
		_, err = compute.NewDiskIamPolicy(ctx, "policy", &compute.DiskIamPolicyArgs{
			Project:    pulumi.Any(_default.Project),
			Zone:       pulumi.Any(_default.Zone),
			Name:       pulumi.Any(_default.Name),
			PolicyData: pulumi.String(admin.PolicyData),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[]
        {
            new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
            {
                Role = "roles/viewer",
                Members = new[]
                {
                    "user:jane@example.com",
                },
            },
        },
    });

    var policy = new Gcp.Compute.DiskIamPolicy("policy", new()
    {
        Project = @default.Project,
        Zone = @default.Zone,
        Name = @default.Name,
        PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.DiskIamPolicy;
import com.pulumi.gcp.compute.DiskIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
            .bindings(GetIAMPolicyBindingArgs.builder()
                .role("roles/viewer")
                .members("user:jane@example.com")
                .build())
            .build());

        var policy = new DiskIamPolicy("policy", DiskIamPolicyArgs.builder()
            .project(default_.project())
            .zone(default_.zone())
            .name(default_.name())
            .policyData(admin.policyData())
            .build());

    }
}

resources:
  policy:
    type: gcp:compute:DiskIamPolicy
    properties:
      project: ${default.project}
      zone: ${default.zone}
      name: ${default.name}
      policyData: ${admin.policyData}
variables:
  admin:
    fn::invoke:
      function: gcp:organizations:getIAMPolicy
      arguments:
        bindings:
          - role: roles/viewer
            members:
              - user:jane@example.com

The DiskIamPolicy resource is authoritative: it replaces the disk’s entire IAM policy with the one you provide. The policyData comes from the getIAMPolicy data source, which generates properly formatted policy JSON from your bindings. This approach gives you full control but requires you to declare all roles and members explicitly.

Grant a role to multiple members at once

Teams often need to grant the same role to several users or service accounts without affecting other roles on the disk.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.compute.DiskIamBinding("binding", {
    project: _default.project,
    zone: _default.zone,
    name: _default.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.compute.DiskIamBinding("binding",
    project=default["project"],
    zone=default["zone"],
    name=default["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := compute.NewDiskIamBinding(ctx, "binding", &compute.DiskIamBindingArgs{
			Project: pulumi.Any(_default.Project),
			Zone:    pulumi.Any(_default.Zone),
			Name:    pulumi.Any(_default.Name),
			Role:    pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Compute.DiskIamBinding("binding", new()
    {
        Project = @default.Project,
        Zone = @default.Zone,
        Name = @default.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.DiskIamBinding;
import com.pulumi.gcp.compute.DiskIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new DiskIamBinding("binding", DiskIamBindingArgs.builder()
            .project(default_.project())
            .zone(default_.zone())
            .name(default_.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:compute:DiskIamBinding
    properties:
      project: ${default.project}
      zone: ${default.zone}
      name: ${default.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The DiskIamBinding resource is authoritative for a single role: it sets the complete member list for that role while preserving other roles on the disk. The members array can include users, service accounts, groups, or domains. Unlike DiskIamPolicy, you can use multiple DiskIamBinding resources on the same disk as long as they manage different roles.

Add a single member to a role incrementally

When multiple teams manage disk access, you often need to add individual members without coordinating with other teams or overwriting their grants.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.compute.DiskIamMember("member", {
    project: _default.project,
    zone: _default.zone,
    name: _default.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.compute.DiskIamMember("member",
    project=default["project"],
    zone=default["zone"],
    name=default["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := compute.NewDiskIamMember(ctx, "member", &compute.DiskIamMemberArgs{
			Project: pulumi.Any(_default.Project),
			Zone:    pulumi.Any(_default.Zone),
			Name:    pulumi.Any(_default.Name),
			Role:    pulumi.String("roles/viewer"),
			Member:  pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Compute.DiskIamMember("member", new()
    {
        Project = @default.Project,
        Zone = @default.Zone,
        Name = @default.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.DiskIamMember;
import com.pulumi.gcp.compute.DiskIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new DiskIamMember("member", DiskIamMemberArgs.builder()
            .project(default_.project())
            .zone(default_.zone())
            .name(default_.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:compute:DiskIamMember
    properties:
      project: ${default.project}
      zone: ${default.zone}
      name: ${default.name}
      role: roles/viewer
      member: user:jane@example.com

The DiskIamMember resource is non-authoritative: it adds one member to one role without affecting other members for that role. This is the safest approach when multiple Pulumi stacks or teams manage access to the same disk. You can combine DiskIamMember with DiskIamBinding as long as they don’t grant the same role.

Beyond these examples

These snippets focus on specific IAM management approaches: authoritative vs non-authoritative management, role-based access control, and policy data generation. They’re intentionally minimal rather than full access control systems.

The examples reference pre-existing infrastructure such as Compute Engine disks and GCP project and zone configuration. They focus on IAM policy configuration rather than provisioning the underlying disk resources.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (attribute-based access)
Custom role definitions
Service account creation and management
Audit logging configuration

These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Disk IAM Policy resource reference for all available configuration options.

Let's manage GCP Compute Disk IAM Policies

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

What's the difference between DiskIamPolicy, DiskIamBinding, and DiskIamMember?

DiskIamPolicy is authoritative and replaces the entire IAM policy. DiskIamBinding is authoritative for a specific role but preserves other roles. DiskIamMember is non-authoritative and adds individual members while preserving existing members for that role.

Can I use DiskIamPolicy with other disk IAM resources?

No, DiskIamPolicy cannot be used with DiskIamBinding or DiskIamMember because they will conflict over policy management.

Can I use DiskIamBinding and DiskIamMember together?

Yes, but only if they manage different roles. Using both for the same role will cause conflicts.

Policy Management

How do I generate the policyData for DiskIamPolicy?

Use the gcp.organizations.getIAMPolicy data source to generate policyData, as shown in the example.

What happens to existing IAM policies when I create a DiskIamPolicy?

DiskIamPolicy replaces any existing policy already attached to the disk.

Configuration & Setup

What properties are immutable after creation?

The name, project, and zone properties are all immutable and cannot be changed after creation.

Do I need to specify project and zone explicitly?

Not necessarily. Both project and zone can be parsed from the parent disk identifier or taken from provider configuration if not specified.

Import & Migration

What import formats are supported for disk IAM resources?

Four formats are supported: projects/{{project}}/zones/{{zone}}/disks/{{name}}, {{project}}/{{zone}}/{{name}}, {{zone}}/{{name}}, or just {{name}}. Variables not in the import command are taken from provider configuration.

How do I import a disk with a custom IAM role?

Use the full name format: [projects/my-project|organizations/my-org]/roles/my-custom-role.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides