The gcp:compute/imageIamMember:ImageIamMember resource, part of the Pulumi GCP provider, grants IAM permissions on Compute Engine images to individual members without replacing existing access. This guide focuses on two capabilities: single-member permission grants and time-based access conditions.
This resource is non-authoritative, meaning it adds one member to a role without affecting other members or roles on the image. It references existing Compute Engine images and requires a configured GCP project. The examples are intentionally small. Combine them with your own image resources and identity management.
Grant image access to a single member
When sharing custom machine images across projects, you often need to grant specific users or service accounts permission to use those images without modifying the entire policy.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.ImageIamMember("member", {
project: example.project,
image: example.name,
role: "roles/compute.imageUser",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.ImageIamMember("member",
project=example["project"],
image=example["name"],
role="roles/compute.imageUser",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewImageIamMember(ctx, "member", &compute.ImageIamMemberArgs{
Project: pulumi.Any(example.Project),
Image: pulumi.Any(example.Name),
Role: pulumi.String("roles/compute.imageUser"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.ImageIamMember("member", new()
{
Project = example.Project,
Image = example.Name,
Role = "roles/compute.imageUser",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.ImageIamMember;
import com.pulumi.gcp.compute.ImageIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new ImageIamMember("member", ImageIamMemberArgs.builder()
.project(example.project())
.image(example.name())
.role("roles/compute.imageUser")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:ImageIamMember
properties:
project: ${example.project}
image: ${example.name}
role: roles/compute.imageUser
member: user:jane@example.com
The member property identifies who receives access, using formats like “user:jane@example.com” for individual users or “serviceAccount:app@project.iam.gserviceaccount.com” for service accounts. The role property specifies what they can do; “roles/compute.imageUser” allows launching instances from the image. The image property identifies which image to grant access to. This resource is non-authoritative, so it preserves existing members and roles on the image.
Grant time-limited image access with conditions
Organizations with compliance requirements may need temporary access that expires automatically after a specific date.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.ImageIamMember("member", {
project: example.project,
image: example.name,
role: "roles/compute.imageUser",
member: "user:jane@example.com",
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.ImageIamMember("member",
project=example["project"],
image=example["name"],
role="roles/compute.imageUser",
member="user:jane@example.com",
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewImageIamMember(ctx, "member", &compute.ImageIamMemberArgs{
Project: pulumi.Any(example.Project),
Image: pulumi.Any(example.Name),
Role: pulumi.String("roles/compute.imageUser"),
Member: pulumi.String("user:jane@example.com"),
Condition: &compute.ImageIamMemberConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.ImageIamMember("member", new()
{
Project = example.Project,
Image = example.Name,
Role = "roles/compute.imageUser",
Member = "user:jane@example.com",
Condition = new Gcp.Compute.Inputs.ImageIamMemberConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.ImageIamMember;
import com.pulumi.gcp.compute.ImageIamMemberArgs;
import com.pulumi.gcp.compute.inputs.ImageIamMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new ImageIamMember("member", ImageIamMemberArgs.builder()
.project(example.project())
.image(example.name())
.role("roles/compute.imageUser")
.member("user:jane@example.com")
.condition(ImageIamMemberConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
member:
type: gcp:compute:ImageIamMember
properties:
project: ${example.project}
image: ${example.name}
role: roles/compute.imageUser
member: user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds time-based restrictions to the permission grant. The expression property uses CEL (Common Expression Language) to define when access is valid; here, “request.time < timestamp(…)” expires access at midnight on 2020-01-01. The title and description properties document the condition’s purpose. IAM Conditions have some limitations documented in the GCP IAM Conditions overview.
Beyond these examples
These snippets focus on specific ImageIamMember features: single-member IAM grants and time-based access conditions. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Compute Engine images and GCP projects with configured provider. They focus on granting individual permissions rather than managing complete IAM policies.
To keep things focused, common IAM patterns are omitted, including:
- Authoritative policy management (ImageIamPolicy)
- Role-level binding management (ImageIamBinding)
- Multiple members or complex condition expressions
- Custom role definitions and formats
These omissions are intentional: the goal is to illustrate how individual permission grants are wired, not provide drop-in access control modules. See the ImageIamMember resource reference for all available configuration options.
Let's manage GCP Compute Image IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
ImageIamPolicy is authoritative and replaces the entire policy. ImageIamBinding is authoritative for a specific role, preserving other roles. ImageIamMember is non-authoritative, adding a single member to a role while preserving other members.ImageIamPolicy cannot be used with ImageIamBinding or ImageIamMember as they will conflict. However, ImageIamBinding and ImageIamMember can be used together if they don’t grant privileges to the same role.IAM Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, or federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.condition property with title, description, and expression fields. For example, set expression to request.time < timestamp(\"2020-01-01T00:00:00Z\") to expire access at a specific time.Resource Management
image, member, project, role, and condition. Changes to these require recreating the resource.projects/{{project}}/global/images/{{image}} roles/compute.imageUser user:jane@example.com with space-delimited identifiers for the resource, role, and member.