The gcp:compute/instanceIAMPolicy:InstanceIAMPolicy resource, part of the Pulumi GCP provider, manages IAM policies for Compute Engine instances, controlling who can access and operate on VM instances. This guide focuses on four capabilities: authoritative policy replacement (InstanceIAMPolicy), role-level member management (InstanceIAMBinding), single-member grants (InstanceIAMMember), and time-based conditional access.
These resources attach IAM policies to existing Compute Engine instances. InstanceIAMPolicy cannot be used with InstanceIAMBinding or InstanceIAMMember because they conflict over policy ownership. InstanceIAMBinding and InstanceIAMMember can coexist if they manage different roles. The examples are intentionally small. Combine them with your own instance references and access requirements.
Replace the entire IAM policy for an instance
When you need complete control over who can access an instance, InstanceIAMPolicy replaces the entire IAM policy with your specified configuration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/compute.osLogin",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.compute.InstanceIAMPolicy("policy", {
project: _default.project,
zone: _default.zone,
instanceName: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/compute.osLogin",
"members": ["user:jane@example.com"],
}])
policy = gcp.compute.InstanceIAMPolicy("policy",
project=default["project"],
zone=default["zone"],
instance_name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/compute.osLogin",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewInstanceIAMPolicy(ctx, "policy", &compute.InstanceIAMPolicyArgs{
Project: pulumi.Any(_default.Project),
Zone: pulumi.Any(_default.Zone),
InstanceName: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/compute.osLogin",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Compute.InstanceIAMPolicy("policy", new()
{
Project = @default.Project,
Zone = @default.Zone,
InstanceName = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.InstanceIAMPolicy;
import com.pulumi.gcp.compute.InstanceIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/compute.osLogin")
.members("user:jane@example.com")
.build())
.build());
var policy = new InstanceIAMPolicy("policy", InstanceIAMPolicyArgs.builder()
.project(default_.project())
.zone(default_.zone())
.instanceName(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:InstanceIAMPolicy
properties:
project: ${default.project}
zone: ${default.zone}
instanceName: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/compute.osLogin
members:
- user:jane@example.com
The policyData property comes from the getIAMPolicy data source, which defines bindings between roles and members. InstanceIAMPolicy is authoritative: it removes any existing bindings not specified in your policy. The instanceName, project, and zone properties identify which instance receives the policy.
Grant a role to multiple members on an instance
When multiple users or service accounts need the same role on an instance, InstanceIAMBinding manages all members for that role together.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.compute.InstanceIAMBinding("binding", {
project: _default.project,
zone: _default.zone,
instanceName: _default.name,
role: "roles/compute.osLogin",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.compute.InstanceIAMBinding("binding",
project=default["project"],
zone=default["zone"],
instance_name=default["name"],
role="roles/compute.osLogin",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewInstanceIAMBinding(ctx, "binding", &compute.InstanceIAMBindingArgs{
Project: pulumi.Any(_default.Project),
Zone: pulumi.Any(_default.Zone),
InstanceName: pulumi.Any(_default.Name),
Role: pulumi.String("roles/compute.osLogin"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Compute.InstanceIAMBinding("binding", new()
{
Project = @default.Project,
Zone = @default.Zone,
InstanceName = @default.Name,
Role = "roles/compute.osLogin",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.InstanceIAMBinding;
import com.pulumi.gcp.compute.InstanceIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new InstanceIAMBinding("binding", InstanceIAMBindingArgs.builder()
.project(default_.project())
.zone(default_.zone())
.instanceName(default_.name())
.role("roles/compute.osLogin")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:compute:InstanceIAMBinding
properties:
project: ${default.project}
zone: ${default.zone}
instanceName: ${default.name}
role: roles/compute.osLogin
members:
- user:jane@example.com
InstanceIAMBinding is authoritative for a single role: it sets the complete member list for that role while preserving other roles on the instance. The members array lists all identities that should have this role. If you remove a member from the array, they lose access.
Add a single member to an instance role
When you need to grant access to one user without affecting other members of the role, InstanceIAMMember adds a single member non-authoritatively.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.InstanceIAMMember("member", {
project: _default.project,
zone: _default.zone,
instanceName: _default.name,
role: "roles/compute.osLogin",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.InstanceIAMMember("member",
project=default["project"],
zone=default["zone"],
instance_name=default["name"],
role="roles/compute.osLogin",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewInstanceIAMMember(ctx, "member", &compute.InstanceIAMMemberArgs{
Project: pulumi.Any(_default.Project),
Zone: pulumi.Any(_default.Zone),
InstanceName: pulumi.Any(_default.Name),
Role: pulumi.String("roles/compute.osLogin"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.InstanceIAMMember("member", new()
{
Project = @default.Project,
Zone = @default.Zone,
InstanceName = @default.Name,
Role = "roles/compute.osLogin",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.InstanceIAMMember;
import com.pulumi.gcp.compute.InstanceIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new InstanceIAMMember("member", InstanceIAMMemberArgs.builder()
.project(default_.project())
.zone(default_.zone())
.instanceName(default_.name())
.role("roles/compute.osLogin")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:InstanceIAMMember
properties:
project: ${default.project}
zone: ${default.zone}
instanceName: ${default.name}
role: roles/compute.osLogin
member: user:jane@example.com
InstanceIAMMember is non-authoritative: it adds one member to a role without removing other members. This lets multiple InstanceIAMMember resources manage the same role independently. Use this when different teams need to grant access without coordinating.
Apply time-based access with IAM Conditions
IAM Conditions let you grant temporary access that expires automatically, useful for contractors or time-limited projects.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/compute.osLogin",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.compute.InstanceIAMPolicy("policy", {
project: _default.project,
zone: _default.zone,
instanceName: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/compute.osLogin",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.compute.InstanceIAMPolicy("policy",
project=default["project"],
zone=default["zone"],
instance_name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/compute.osLogin",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewInstanceIAMPolicy(ctx, "policy", &compute.InstanceIAMPolicyArgs{
Project: pulumi.Any(_default.Project),
Zone: pulumi.Any(_default.Zone),
InstanceName: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/compute.osLogin",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Compute.InstanceIAMPolicy("policy", new()
{
Project = @default.Project,
Zone = @default.Zone,
InstanceName = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.InstanceIAMPolicy;
import com.pulumi.gcp.compute.InstanceIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/compute.osLogin")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new InstanceIAMPolicy("policy", InstanceIAMPolicyArgs.builder()
.project(default_.project())
.zone(default_.zone())
.instanceName(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:InstanceIAMPolicy
properties:
project: ${default.project}
zone: ${default.zone}
instanceName: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/compute.osLogin
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds constraints to role bindings. The expression property uses Common Expression Language (CEL) to define when access is valid. Here, request.time checks the current timestamp against a deadline. The title and description document the condition’s purpose. Conditions work with all three resource types (InstanceIAMPolicy, InstanceIAMBinding, InstanceIAMMember).
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management, role binding and member management, and time-based conditional access. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Compute Engine instances and GCP project and zone configuration. They focus on attaching IAM policies rather than provisioning instances or defining custom roles.
To keep things focused, common IAM patterns are omitted, including:
- Resource-based conditions (beyond time-based expiration)
- Custom role definitions
- Service account impersonation
- IAM policy auditing and etag handling
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Compute Instance IAM Policy resource reference for all available configuration options.
Let's manage GCP Compute Instance IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Can I use InstanceIAMPolicy with InstanceIAMBinding or InstanceIAMMember?
No,
gcp.compute.InstanceIAMPolicy cannot be used with gcp.compute.InstanceIAMBinding or gcp.compute.InstanceIAMMember because they will conflict over the policy state.What's the difference between InstanceIAMPolicy, InstanceIAMBinding, and InstanceIAMMember?
InstanceIAMPolicy is authoritative and replaces the entire IAM policy. InstanceIAMBinding is authoritative for a specific role but preserves other roles. InstanceIAMMember is non-authoritative and preserves other members for the same role.Can I use InstanceIAMBinding with InstanceIAMMember?
Yes, but only if they don’t grant privileges to the same role. Using both for the same role causes conflicts.
IAM Conditions
What are the limitations of IAM Conditions?
IAM Conditions are supported but have known limitations. Review the GCP documentation on IAM Conditions limitations if you encounter issues.
How do I add time-based expiration to IAM policies?
Use the
condition property with title, description, and expression fields. For example, set expression to request.time < timestamp("2020-01-01T00:00:00Z") to expire access at a specific time.Configuration & Setup
How do I generate the policyData for InstanceIAMPolicy?
Use the
gcp.organizations.getIAMPolicy data source to generate policyData. Pass the resulting policy data to the policyData property.What properties can't be changed after creating an InstanceIAMPolicy?
The
instanceName, project, and zone properties are immutable and cannot be changed after creation.