The gcp:endpoints/serviceIamMember:ServiceIamMember resource, part of the Pulumi GCP provider, grants IAM roles to individual members on Cloud Endpoints services without affecting other members of the same role. This guide focuses on three capabilities: single-member grants, multi-member bindings, and full policy replacement.
Three related resources manage Cloud Endpoints IAM: ServiceIamMember (non-authoritative, adds one member), ServiceIamBinding (authoritative for a role, manages all members), and ServiceIamPolicy (authoritative for all roles, replaces entire policy). ServiceIamPolicy cannot be used with the other two, or they will conflict. The examples are intentionally small. Choose the resource that matches your management approach.
Grant a role to a single member
Most IAM configurations add one user or service account to a role, preserving existing assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.endpoints.ServiceIamMember("member", {
serviceName: endpointsService.serviceName,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.endpoints.ServiceIamMember("member",
service_name=endpoints_service["serviceName"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/endpoints"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := endpoints.NewServiceIamMember(ctx, "member", &endpoints.ServiceIamMemberArgs{
ServiceName: pulumi.Any(endpointsService.ServiceName),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Endpoints.ServiceIamMember("member", new()
{
ServiceName = endpointsService.ServiceName,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.endpoints.ServiceIamMember;
import com.pulumi.gcp.endpoints.ServiceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new ServiceIamMember("member", ServiceIamMemberArgs.builder()
.serviceName(endpointsService.serviceName())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:endpoints:ServiceIamMember
properties:
serviceName: ${endpointsService.serviceName}
role: roles/viewer
member: user:jane@example.com
The member property identifies who receives access using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. The role property specifies the permission set to grant. This resource is non-authoritative: it adds the member without removing others already assigned to the role.
Grant a role to multiple members at once
When several users or service accounts need identical permissions, binding them together ensures consistent access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.endpoints.ServiceIamBinding("binding", {
serviceName: endpointsService.serviceName,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.endpoints.ServiceIamBinding("binding",
service_name=endpoints_service["serviceName"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/endpoints"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := endpoints.NewServiceIamBinding(ctx, "binding", &endpoints.ServiceIamBindingArgs{
ServiceName: pulumi.Any(endpointsService.ServiceName),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Endpoints.ServiceIamBinding("binding", new()
{
ServiceName = endpointsService.ServiceName,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.endpoints.ServiceIamBinding;
import com.pulumi.gcp.endpoints.ServiceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new ServiceIamBinding("binding", ServiceIamBindingArgs.builder()
.serviceName(endpointsService.serviceName())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:endpoints:ServiceIamBinding
properties:
serviceName: ${endpointsService.serviceName}
role: roles/viewer
members:
- user:jane@example.com
The members property accepts a list of identifiers, granting the role to all of them in one operation. This resource is authoritative for the specified role: it replaces all members for that role while preserving other roles in the policy. Use this when you want to manage all members of a role together.
Replace the entire IAM policy
Some deployments require complete control over all IAM bindings, replacing any existing policy.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.endpoints.ServiceIamPolicy("policy", {
serviceName: endpointsService.serviceName,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.endpoints.ServiceIamPolicy("policy",
service_name=endpoints_service["serviceName"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/endpoints"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = endpoints.NewServiceIamPolicy(ctx, "policy", &endpoints.ServiceIamPolicyArgs{
ServiceName: pulumi.Any(endpointsService.ServiceName),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Endpoints.ServiceIamPolicy("policy", new()
{
ServiceName = endpointsService.ServiceName,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.endpoints.ServiceIamPolicy;
import com.pulumi.gcp.endpoints.ServiceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new ServiceIamPolicy("policy", ServiceIamPolicyArgs.builder()
.serviceName(endpointsService.serviceName())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:endpoints:ServiceIamPolicy
properties:
serviceName: ${endpointsService.serviceName}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The policyData property accepts a complete IAM policy document, typically retrieved from getIAMPolicy. This resource is fully authoritative: it replaces the entire IAM policy for the service. You cannot use ServiceIamPolicy alongside ServiceIamBinding or ServiceIamMember, as they will conflict over policy ownership.
Beyond these examples
These snippets focus on specific IAM management approaches: single-member grants, multi-member role bindings, and full policy replacement. They’re intentionally minimal rather than complete access control configurations.
The examples reference pre-existing infrastructure such as Cloud Endpoints services (serviceName references). They focus on IAM role assignment rather than service provisioning.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- Federated identity and workload identity pool configuration
- Resource conflict management between Policy, Binding, and Member resources
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Cloud Endpoints ServiceIamMember resource reference for all available configuration options.
Let's manage GCP Endpoints Service IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Compatibility & Conflicts
gcp.endpoints.ServiceIamPolicy cannot be used with gcp.endpoints.ServiceIamBinding or gcp.endpoints.ServiceIamMember as they will conflict over policy management.Resource Selection
ServiceIamPolicy is authoritative and replaces the entire IAM policy. ServiceIamBinding is authoritative for a specific role, managing all members for that role while preserving other roles. ServiceIamMember is non-authoritative, adding a single member to a role without affecting other members.ServiceIamPolicy for complete policy control, ServiceIamBinding to manage all members for a specific role, or ServiceIamMember to add individual members without affecting existing grants.Configuration & Identity Types
The member field supports multiple formats:
allUsersorallAuthenticatedUsersfor public/authenticated accessuser:{email},serviceAccount:{email},group:{email}for specific identitiesdomain:{domain}for G Suite domainsprojectOwner:{projectid},projectEditor:{projectid},projectViewer:{projectid}for project roles- Federated identities using
principal://format
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role.Immutability & Limitations
member, role, serviceName, and condition fields are all immutable and require resource replacement if changed.