Manage GCP Compute Instance IAM Access

The gcp:compute/instanceIAMMember:InstanceIAMMember resource, part of the Pulumi GCP provider, grants IAM roles to individual members on Compute Engine instances without affecting other members or roles. This guide focuses on two capabilities: single-member role grants and time-based access with IAM Conditions.

This resource is non-authoritative, meaning it adds one member to a role without removing existing members. It references existing Compute Engine instances and requires project and zone configuration. The examples are intentionally small. Combine them with your own instance references and identity management.

Grant a role to a single member

Most IAM configurations start by granting a specific role to one user or service account, preserving existing permissions.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.compute.InstanceIAMMember("member", {
    project: _default.project,
    zone: _default.zone,
    instanceName: _default.name,
    role: "roles/compute.osLogin",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.compute.InstanceIAMMember("member",
    project=default["project"],
    zone=default["zone"],
    instance_name=default["name"],
    role="roles/compute.osLogin",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := compute.NewInstanceIAMMember(ctx, "member", &compute.InstanceIAMMemberArgs{
			Project:      pulumi.Any(_default.Project),
			Zone:         pulumi.Any(_default.Zone),
			InstanceName: pulumi.Any(_default.Name),
			Role:         pulumi.String("roles/compute.osLogin"),
			Member:       pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Compute.InstanceIAMMember("member", new()
    {
        Project = @default.Project,
        Zone = @default.Zone,
        InstanceName = @default.Name,
        Role = "roles/compute.osLogin",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.InstanceIAMMember;
import com.pulumi.gcp.compute.InstanceIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new InstanceIAMMember("member", InstanceIAMMemberArgs.builder()
            .project(default_.project())
            .zone(default_.zone())
            .instanceName(default_.name())
            .role("roles/compute.osLogin")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:compute:InstanceIAMMember
    properties:
      project: ${default.project}
      zone: ${default.zone}
      instanceName: ${default.name}
      role: roles/compute.osLogin
      member: user:jane@example.com

The member property specifies the identity receiving access, using formats like “user:email@example.com” or “serviceAccount:name@project.iam.gserviceaccount.com”. The role property defines the permission set, such as “roles/compute.osLogin” for SSH access. The instanceName, project, and zone properties identify the target instance. This resource adds the member without affecting other members who already have this role or other roles on the instance.

Grant time-limited access with IAM Conditions

Teams often need temporary access that expires automatically, such as contractor access or time-boxed troubleshooting.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.compute.InstanceIAMMember("member", {
    project: _default.project,
    zone: _default.zone,
    instanceName: _default.name,
    role: "roles/compute.osLogin",
    member: "user:jane@example.com",
    condition: {
        title: "expires_after_2019_12_31",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import pulumi
import pulumi_gcp as gcp

member = gcp.compute.InstanceIAMMember("member",
    project=default["project"],
    zone=default["zone"],
    instance_name=default["name"],
    role="roles/compute.osLogin",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := compute.NewInstanceIAMMember(ctx, "member", &compute.InstanceIAMMemberArgs{
			Project:      pulumi.Any(_default.Project),
			Zone:         pulumi.Any(_default.Zone),
			InstanceName: pulumi.Any(_default.Name),
			Role:         pulumi.String("roles/compute.osLogin"),
			Member:       pulumi.String("user:jane@example.com"),
			Condition: &compute.InstanceIAMMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Compute.InstanceIAMMember("member", new()
    {
        Project = @default.Project,
        Zone = @default.Zone,
        InstanceName = @default.Name,
        Role = "roles/compute.osLogin",
        Member = "user:jane@example.com",
        Condition = new Gcp.Compute.Inputs.InstanceIAMMemberConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.InstanceIAMMember;
import com.pulumi.gcp.compute.InstanceIAMMemberArgs;
import com.pulumi.gcp.compute.inputs.InstanceIAMMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new InstanceIAMMember("member", InstanceIAMMemberArgs.builder()
            .project(default_.project())
            .zone(default_.zone())
            .instanceName(default_.name())
            .role("roles/compute.osLogin")
            .member("user:jane@example.com")
            .condition(InstanceIAMMemberConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());

    }
}

resources:
  member:
    type: gcp:compute:InstanceIAMMember
    properties:
      project: ${default.project}
      zone: ${default.zone}
      instanceName: ${default.name}
      role: roles/compute.osLogin
      member: user:jane@example.com
      condition:
        title: expires_after_2019_12_31
        description: Expiring at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")

IAM Conditions restrict when permissions apply. The condition block requires a title for identification, an expression using Common Expression Language (CEL) to define the constraint, and an optional description. The expression “request.time < timestamp("2020-01-01T00:00:00Z")” grants access until midnight on December 31, 2019. After that timestamp, the member loses access automatically without manual revocation.

Beyond these examples

These snippets focus on specific InstanceIAMMember features: single-member role grants and time-based IAM Conditions. They’re intentionally minimal rather than complete access control configurations.

The examples reference pre-existing infrastructure such as Compute Engine instances and GCP project with configured zone. They focus on granting individual permissions rather than managing complete IAM policies.

To keep things focused, common IAM patterns are omitted, including:

Multi-member role grants (InstanceIAMBinding)
Complete policy replacement (InstanceIAMPolicy)
Custom role definitions
Federated identity and workload identity pool configuration

These omissions are intentional: the goal is to illustrate how individual member grants are wired, not provide drop-in access control modules. See the Compute Instance IAM Member resource reference for all available configuration options.

Let's manage GCP Compute Instance IAM Access

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

What's the difference between InstanceIAMPolicy, InstanceIAMBinding, and InstanceIAMMember?

InstanceIAMPolicy is authoritative and replaces the entire IAM policy. InstanceIAMBinding is authoritative for a specific role, preserving other roles. InstanceIAMMember is non-authoritative, adding a single member to a role while preserving other members.

Can I use InstanceIAMPolicy with InstanceIAMBinding or InstanceIAMMember?

No, InstanceIAMPolicy cannot be used with InstanceIAMBinding or InstanceIAMMember because they will conflict over the policy configuration.

Can I use InstanceIAMBinding and InstanceIAMMember together?

Yes, but only if they don’t grant privileges to the same role. Each role must be managed by only one resource type.

Configuration & Identity Formats

What member identity formats are supported?

Supported formats include allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities like principal://iam.googleapis.com/....

How do I specify a custom IAM role?

Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}.

Do I need to specify project and zone for every instance IAM resource?

Not necessarily. If not specified, project and zone will be parsed from the parent resource identifier or taken from the provider configuration.

Advanced Features

Can I use IAM Conditions with instance IAM resources?

Yes, but IAM Conditions have known limitations. Add a condition block with title, description, and expression fields.

What's the format for IAM Condition expressions?

Expressions use CEL (Common Expression Language) syntax, such as request.time < timestamp("2020-01-01T00:00:00Z") for time-based conditions.

Resource Management

What properties are immutable after creation?

All input properties are immutable: instanceName, member, role, zone, project, and condition. Changes require resource replacement.

How do I import an existing instance IAM member?

Use space-delimited identifiers: the instance path, role, and member identity. For example:

pulumi import gcp:compute/instanceIAMMember:InstanceIAMMember editor "projects/{{project}}/zones/{{zone}}/instances/{{instance}} roles/compute.osLogin user:jane@example.com"

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides