The gcp:compute/snapshotIamMember:SnapshotIamMember resource, part of the Pulumi GCP provider, manages IAM permissions for Compute Engine snapshots by adding individual members to roles without affecting other members or roles. This guide focuses on three capabilities: adding single members, binding multiple members to roles, and replacing entire policies.
GCP provides three related resources for snapshot IAM management. SnapshotIamMember adds members non-authoritatively (preserving other members), SnapshotIamBinding manages all members for a specific role authoritatively, and SnapshotIamPolicy replaces the entire policy. SnapshotIamPolicy cannot be used with the other two resources, as they will conflict over policy state. The examples are intentionally small. Combine them with your own snapshot resources and identity management.
Grant a single user access to a snapshot
Most snapshot sharing begins by granting a specific user or service account viewer access without modifying the entire IAM policy.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.SnapshotIamMember("member", {
project: snapshot.project,
name: snapshot.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.SnapshotIamMember("member",
project=snapshot["project"],
name=snapshot["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewSnapshotIamMember(ctx, "member", &compute.SnapshotIamMemberArgs{
Project: pulumi.Any(snapshot.Project),
Name: pulumi.Any(snapshot.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.SnapshotIamMember("member", new()
{
Project = snapshot.Project,
Name = snapshot.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.SnapshotIamMember;
import com.pulumi.gcp.compute.SnapshotIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new SnapshotIamMember("member", SnapshotIamMemberArgs.builder()
.project(snapshot.project())
.name(snapshot.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:SnapshotIamMember
properties:
project: ${snapshot.project}
name: ${snapshot.name}
role: roles/viewer
member: user:jane@example.com
The member property specifies the identity receiving access, using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. The role property defines the permission level. This resource is non-authoritative, meaning it adds the member without removing other members who already have access to the snapshot.
Grant a role to multiple members at once
When multiple users or service accounts need the same level of access, SnapshotIamBinding assigns them together.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.compute.SnapshotIamBinding("binding", {
project: snapshot.project,
name: snapshot.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.compute.SnapshotIamBinding("binding",
project=snapshot["project"],
name=snapshot["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewSnapshotIamBinding(ctx, "binding", &compute.SnapshotIamBindingArgs{
Project: pulumi.Any(snapshot.Project),
Name: pulumi.Any(snapshot.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Compute.SnapshotIamBinding("binding", new()
{
Project = snapshot.Project,
Name = snapshot.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.SnapshotIamBinding;
import com.pulumi.gcp.compute.SnapshotIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new SnapshotIamBinding("binding", SnapshotIamBindingArgs.builder()
.project(snapshot.project())
.name(snapshot.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:compute:SnapshotIamBinding
properties:
project: ${snapshot.project}
name: ${snapshot.name}
role: roles/viewer
members:
- user:jane@example.com
The members property accepts a list of identities, all receiving the specified role. SnapshotIamBinding is authoritative for its role, meaning it replaces any existing members for that role while preserving other roles in the policy. You can use SnapshotIamBinding alongside SnapshotIamMember only if they manage different roles.
Replace the entire IAM policy for a snapshot
Organizations with strict access control sometimes need to define the complete IAM policy from scratch.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.compute.SnapshotIamPolicy("policy", {
project: snapshot.project,
name: snapshot.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.compute.SnapshotIamPolicy("policy",
project=snapshot["project"],
name=snapshot["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = compute.NewSnapshotIamPolicy(ctx, "policy", &compute.SnapshotIamPolicyArgs{
Project: pulumi.Any(snapshot.Project),
Name: pulumi.Any(snapshot.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Compute.SnapshotIamPolicy("policy", new()
{
Project = snapshot.Project,
Name = snapshot.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.compute.SnapshotIamPolicy;
import com.pulumi.gcp.compute.SnapshotIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new SnapshotIamPolicy("policy", SnapshotIamPolicyArgs.builder()
.project(snapshot.project())
.name(snapshot.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:compute:SnapshotIamPolicy
properties:
project: ${snapshot.project}
name: ${snapshot.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property comes from the getIAMPolicy data source, which constructs a complete policy document from bindings. SnapshotIamPolicy replaces the entire IAM policy, removing any permissions not explicitly listed. This resource cannot coexist with SnapshotIamBinding or SnapshotIamMember in the same stack, as they will conflict over policy state.
Beyond these examples
These snippets focus on specific IAM management approaches: incremental member addition, role-based binding, and full policy replacement. They’re intentionally minimal rather than complete access control solutions.
The examples reference pre-existing infrastructure such as Compute Engine snapshots and a GCP project with appropriate IAM permissions. They focus on configuring IAM bindings rather than creating the snapshots themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- Combining Policy, Binding, and Member resources safely
- Federated identity and workload identity pool configuration
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Snapshot IAM Member resource reference for all available configuration options.
Let's manage GCP Compute Snapshot IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
gcp.compute.SnapshotIamPolicy is authoritative and replaces the entire IAM policy. gcp.compute.SnapshotIamBinding is authoritative for a specific role, updating all members for that role while preserving other roles. gcp.compute.SnapshotIamMember is non-authoritative, adding a single member to a role while preserving other members and roles.gcp.compute.SnapshotIamPolicy cannot be used with gcp.compute.SnapshotIamBinding or gcp.compute.SnapshotIamMember because they will conflict over policy management.IAM Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, or federated identities like principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com.[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.Resource Properties
member, role, name, project) are immutable and require resource replacement if changed.