The gcp:containeranalysis/noteIamBinding:NoteIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Container Analysis notes. This guide focuses on two capabilities: authoritative role assignment to multiple members and non-authoritative single-member additions.
This resource controls access to existing Container Analysis notes rather than creating them. The examples are intentionally small. Combine them with your own note resources and identity management.
Grant a role to multiple members at once
When onboarding teams or configuring cross-project access, you often need to assign the same role to multiple users or service accounts simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.containeranalysis.NoteIamBinding("binding", {
project: note.project,
note: note.name,
role: "roles/containeranalysis.notes.occurrences.viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.containeranalysis.NoteIamBinding("binding",
project=note["project"],
note=note["name"],
role="roles/containeranalysis.notes.occurrences.viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/containeranalysis"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containeranalysis.NewNoteIamBinding(ctx, "binding", &containeranalysis.NoteIamBindingArgs{
Project: pulumi.Any(note.Project),
Note: pulumi.Any(note.Name),
Role: pulumi.String("roles/containeranalysis.notes.occurrences.viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.ContainerAnalysis.NoteIamBinding("binding", new()
{
Project = note.Project,
Note = note.Name,
Role = "roles/containeranalysis.notes.occurrences.viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.NoteIamBinding;
import com.pulumi.gcp.containeranalysis.NoteIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new NoteIamBinding("binding", NoteIamBindingArgs.builder()
.project(note.project())
.note(note.name())
.role("roles/containeranalysis.notes.occurrences.viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:containeranalysis:NoteIamBinding
properties:
project: ${note.project}
note: ${note.name}
role: roles/containeranalysis.notes.occurrences.viewer
members:
- user:jane@example.com
The NoteIamBinding resource is authoritative for the specified role: it replaces all members for that role with the list you provide. The members array accepts user accounts, service accounts, groups, and other identity formats. The role property specifies which Container Analysis permission to grant, such as roles/containeranalysis.notes.occurrences.viewer for read access to vulnerability occurrences.
Add a single member to a role incrementally
To grant access to one additional user without affecting existing members, use the non-authoritative NoteIamMember resource.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.containeranalysis.NoteIamMember("member", {
project: note.project,
note: note.name,
role: "roles/containeranalysis.notes.occurrences.viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.containeranalysis.NoteIamMember("member",
project=note["project"],
note=note["name"],
role="roles/containeranalysis.notes.occurrences.viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/containeranalysis"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := containeranalysis.NewNoteIamMember(ctx, "member", &containeranalysis.NoteIamMemberArgs{
Project: pulumi.Any(note.Project),
Note: pulumi.Any(note.Name),
Role: pulumi.String("roles/containeranalysis.notes.occurrences.viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.ContainerAnalysis.NoteIamMember("member", new()
{
Project = note.Project,
Note = note.Name,
Role = "roles/containeranalysis.notes.occurrences.viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.containeranalysis.NoteIamMember;
import com.pulumi.gcp.containeranalysis.NoteIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new NoteIamMember("member", NoteIamMemberArgs.builder()
.project(note.project())
.note(note.name())
.role("roles/containeranalysis.notes.occurrences.viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:containeranalysis:NoteIamMember
properties:
project: ${note.project}
note: ${note.name}
role: roles/containeranalysis.notes.occurrences.viewer
member: user:jane@example.com
Unlike NoteIamBinding, NoteIamMember preserves other members already assigned to the role. This approach works well when multiple teams manage access independently or when you need to add members incrementally. The member property (singular) accepts a single identity in the same formats as the members array.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Container Analysis notes and a GCP project with the Container Analysis API enabled. They focus on configuring IAM bindings rather than provisioning the underlying notes.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (NoteIamPolicy resource)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the NoteIamBinding resource reference for all available configuration options.
Let's manage GCP Container Analysis Note IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
gcp.containeranalysis.NoteIamPolicy cannot be used with gcp.containeranalysis.NoteIamBinding or gcp.containeranalysis.NoteIamMember because they will conflict over the policy. However, gcp.containeranalysis.NoteIamBinding and gcp.containeranalysis.NoteIamMember can be used together only if they don’t grant the same role.gcp.containeranalysis.NoteIamPolicy is authoritative and replaces the entire IAM policy. gcp.containeranalysis.NoteIamBinding is authoritative for a specific role but preserves other roles in the policy. gcp.containeranalysis.NoteIamMember is non-authoritative and adds a single member to a role while preserving existing members.gcp.containeranalysis.NoteIamPolicy when you need complete control over the entire policy. Use gcp.containeranalysis.NoteIamBinding to manage all members for a specific role. Use gcp.containeranalysis.NoteIamMember to add individual members without affecting others.Configuration & Formats
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, allUsers, allAuthenticatedUsers, projectOwner:projectid, projectEditor:projectid, projectViewer:projectid, and federated identities using the principal:// format.roles/containeranalysis.notes.occurrences.viewer as shown in the examples.Immutability & Limitations
note, project, role, and condition properties are immutable and cannot be changed after creation.gcp.containeranalysis.NoteIamBinding can be used per role, as stated in the role property description.