The gcp:compute/regionDiskIamPolicy:RegionDiskIamPolicy resource, part of the Pulumi GCP provider, manages IAM access control for Compute Engine regional disks at three levels: complete policy replacement, role-level binding, or individual member grants. This guide focuses on three capabilities: complete policy replacement (RegionDiskIamPolicy), role-level member binding (RegionDiskIamBinding), and individual member grants (RegionDiskIamMember).
These resources reference existing regional disks by project, region, and name. RegionDiskIamPolicy replaces the entire policy (authoritative), RegionDiskIamBinding manages all members for a specific role (authoritative for that role), and RegionDiskIamMember adds individual members (non-authoritative). RegionDiskIamPolicy cannot be used with the other two resources, as they will conflict over policy state. The examples are intentionally small. Combine them with your own disk infrastructure and identity management.
Replace the entire IAM policy for a regional disk
When you need complete control over who can access a regional disk, set the entire IAM policy at once.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.compute.RegionDiskIamPolicy("policy", {
project: regiondisk.project,
region: regiondisk.region,
name: regiondisk.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.compute.RegionDiskIamPolicy("policy",
project=regiondisk["project"],
region=regiondisk["region"],
name=regiondisk["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewRegionDiskIamPolicy(ctx, "policy", &compute.RegionDiskIamPolicyArgs{
Project: pulumi.Any(regiondisk.Project),
Region: pulumi.Any(regiondisk.Region),
Name: pulumi.Any(regiondisk.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Compute.RegionDiskIamPolicy("policy", new()
{
Project = regiondisk.Project,
Region = regiondisk.Region,
Name = regiondisk.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.RegionDiskIamPolicy;
import com.pulumi.gcp.compute.RegionDiskIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new RegionDiskIamPolicy("policy", RegionDiskIamPolicyArgs.builder()
.project(regiondisk.project())
.region(regiondisk.region())
.name(regiondisk.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:RegionDiskIamPolicy
properties:
project: ${regiondisk.project}
region: ${regiondisk.region}
name: ${regiondisk.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The RegionDiskIamPolicy resource replaces all existing IAM bindings on the disk. The policyData property comes from the getIAMPolicy data source, which defines bindings (role and members pairs). The project, region, and name properties identify the target disk. This approach is authoritative: any permissions not in the policy are removed.
Grant a role to multiple members at once
When multiple users or service accounts need the same access level, bind them all to a single role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.compute.RegionDiskIamBinding("binding", {
project: regiondisk.project,
region: regiondisk.region,
name: regiondisk.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.compute.RegionDiskIamBinding("binding",
project=regiondisk["project"],
region=regiondisk["region"],
name=regiondisk["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewRegionDiskIamBinding(ctx, "binding", &compute.RegionDiskIamBindingArgs{
Project: pulumi.Any(regiondisk.Project),
Region: pulumi.Any(regiondisk.Region),
Name: pulumi.Any(regiondisk.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Compute.RegionDiskIamBinding("binding", new()
{
Project = regiondisk.Project,
Region = regiondisk.Region,
Name = regiondisk.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionDiskIamBinding;
import com.pulumi.gcp.compute.RegionDiskIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RegionDiskIamBinding("binding", RegionDiskIamBindingArgs.builder()
.project(regiondisk.project())
.region(regiondisk.region())
.name(regiondisk.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:compute:RegionDiskIamBinding
properties:
project: ${regiondisk.project}
region: ${regiondisk.region}
name: ${regiondisk.name}
role: roles/viewer
members:
- user:jane@example.com
The RegionDiskIamBinding resource manages all members for a specific role. The members property lists identities (users, service accounts, groups) that receive the role. Other roles on the disk remain unchanged, making this less disruptive than RegionDiskIamPolicy. However, it’s still authoritative for the specified role: any members not in the list are removed from that role.
Add a single member to a role incrementally
To grant access to one additional user without affecting existing permissions, add a single member.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.RegionDiskIamMember("member", {
project: regiondisk.project,
region: regiondisk.region,
name: regiondisk.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.RegionDiskIamMember("member",
project=regiondisk["project"],
region=regiondisk["region"],
name=regiondisk["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewRegionDiskIamMember(ctx, "member", &compute.RegionDiskIamMemberArgs{
Project: pulumi.Any(regiondisk.Project),
Region: pulumi.Any(regiondisk.Region),
Name: pulumi.Any(regiondisk.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.RegionDiskIamMember("member", new()
{
Project = regiondisk.Project,
Region = regiondisk.Region,
Name = regiondisk.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.RegionDiskIamMember;
import com.pulumi.gcp.compute.RegionDiskIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new RegionDiskIamMember("member", RegionDiskIamMemberArgs.builder()
.project(regiondisk.project())
.region(regiondisk.region())
.name(regiondisk.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:RegionDiskIamMember
properties:
project: ${regiondisk.project}
region: ${regiondisk.region}
name: ${regiondisk.name}
role: roles/viewer
member: user:jane@example.com
The RegionDiskIamMember resource adds one member to a role without removing others. The member property specifies a single identity. This is the least disruptive approach: it’s non-authoritative, so existing members for the role are preserved. You can safely use RegionDiskIamMember alongside RegionDiskIamBinding as long as they manage different roles.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management, and policy-level, role-level, and member-level access control. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as regional disks (identified by project, region, and name). They focus on configuring IAM bindings rather than provisioning the disks themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (conditions property)
- Audit logging configuration (auditConfigs)
- Service account impersonation
- Custom role definitions
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the RegionDiskIamPolicy resource reference for all available configuration options.
Let's manage GCP Compute Region Disk IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
RegionDiskIamPolicy cannot be used with RegionDiskIamBinding or RegionDiskIamMember as they will conflict over policy control. Use RegionDiskIamPolicy alone, or use RegionDiskIamBinding/RegionDiskIamMember without RegionDiskIamPolicy.RegionDiskIamPolicy is authoritative and replaces the entire IAM policy. RegionDiskIamBinding is authoritative for a specific role but preserves other roles. RegionDiskIamMember is non-authoritative and preserves other members for the role.Configuration & Usage
gcp.organizations.getIAMPolicy to generate policy data, then pass it to the policyData property of RegionDiskIamPolicy.name, project, and region properties are immutable and cannot be changed after the resource is created.Import & Migration
[projects/my-project|organizations/my-org]/roles/my-custom-role.