The gcp:folder/iAMMember:IAMMember resource, part of the Pulumi GCP provider, grants a single member access to a folder role without affecting other members. This guide focuses on two capabilities: non-authoritative single-member grants and time-based IAM Conditions.
IAMMember is one of four folder IAM resources. It adds one member to a role without replacing existing members, making it safe to use alongside other IAMMember resources. It cannot be used with IAMPolicy, which replaces the entire policy. The examples are intentionally small. Combine them with your own folder hierarchy and member identities.
Grant a single member access to a folder
Most IAM configurations add individual users or service accounts to roles without affecting existing members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const folder = new gcp.folder.IAMMember("folder", {
folder: "folders/1234567",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
folder = gcp.folder.IAMMember("folder",
folder="folders/1234567",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewIAMMember(ctx, "folder", &folder.IAMMemberArgs{
Folder: pulumi.String("folders/1234567"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var folder = new Gcp.Folder.IAMMember("folder", new()
{
Folder = "folders/1234567",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.IAMMember;
import com.pulumi.gcp.folder.IAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var folder = new IAMMember("folder", IAMMemberArgs.builder()
.folder("folders/1234567")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
folder:
type: gcp:folder:IAMMember
properties:
folder: folders/1234567
role: roles/editor
member: user:jane@example.com
The folder property references the folder by ID (format: “folders/{folder_id}”). The role property specifies the predefined or custom role to grant. The member property identifies who receives access, using formats like “user:email@example.com” or “serviceAccount:name@project.iam.gserviceaccount.com”. This resource is non-authoritative: it adds this member without removing others already assigned to the role.
Grant time-limited access with IAM Conditions
Temporary access grants expire automatically without manual cleanup.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const folder = new gcp.folder.IAMMember("folder", {
folder: "folders/1234567",
role: "roles/firebase.admin",
member: "user:jane@example.com",
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
folder = gcp.folder.IAMMember("folder",
folder="folders/1234567",
role="roles/firebase.admin",
member="user:jane@example.com",
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/folder"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := folder.NewIAMMember(ctx, "folder", &folder.IAMMemberArgs{
Folder: pulumi.String("folders/1234567"),
Role: pulumi.String("roles/firebase.admin"),
Member: pulumi.String("user:jane@example.com"),
Condition: &folder.IAMMemberConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var folder = new Gcp.Folder.IAMMember("folder", new()
{
Folder = "folders/1234567",
Role = "roles/firebase.admin",
Member = "user:jane@example.com",
Condition = new Gcp.Folder.Inputs.IAMMemberConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.folder.IAMMember;
import com.pulumi.gcp.folder.IAMMemberArgs;
import com.pulumi.gcp.folder.inputs.IAMMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var folder = new IAMMember("folder", IAMMemberArgs.builder()
.folder("folders/1234567")
.role("roles/firebase.admin")
.member("user:jane@example.com")
.condition(IAMMemberConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
folder:
type: gcp:folder:IAMMember
properties:
folder: folders/1234567
role: roles/firebase.admin
member: user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition property attaches restrictions to the role binding. The expression uses Common Expression Language (CEL) to define when access is valid. Here, “request.time < timestamp(…)” grants access until midnight on 2019-12-31. The title and description document the condition’s purpose. IAM Conditions cannot be used with Basic Roles like Owner; use predefined or custom roles instead.
Beyond these examples
These snippets focus on specific IAMMember features: single-member role grants and time-based IAM Conditions. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as GCP folders with numeric IDs. They focus on granting access to one member rather than managing complete folder policies.
To keep things focused, common folder IAM patterns are omitted, including:
- Multi-member role grants (IAMBinding)
- Full policy replacement (IAMPolicy)
- Audit logging configuration (IamAuditConfig)
- Service account and group member types
These omissions are intentional: the goal is to illustrate how IAMMember grants are wired, not provide drop-in access control modules. See the Folder IAMMember resource reference for all available configuration options.
Let's manage GCP Folder IAM Members
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Compatibility
gcp.folder.IAMPolicy is authoritative and replaces the entire IAM policy. gcp.folder.IAMBinding is authoritative for a specific role, replacing all members for that role while preserving other roles. gcp.folder.IAMMember is non-authoritative, adding a single member to a role without affecting other members.gcp.folder.IAMPolicy with gcp.folder.IAMBinding, gcp.folder.IAMMember, or gcp.folder.IamAuditConfig as they will conflict. However, you can use gcp.folder.IAMBinding and gcp.folder.IAMMember together if they don’t grant privileges to the same role.Common Pitfalls & Safety
gcp.folder.IAMPolicy removes access from anyone without parent folder/organization permissions. Avoid using it with your provider folder, import the existing policy before applying changes, and consider using gcp.folder.IAMBinding or gcp.folder.IAMMember for safer incremental changes.folder, member, role, and condition properties cannot be changed after creation. You must recreate the resource to modify any of these values.IAM Conditions & Constraints
condition property with title, description, and expression. For example, set expression to request.time < timestamp("2020-01-01T00:00:00Z") to grant access that expires at midnight on December 31, 2019.Configuration & Identity Formats
user:{emailid} for Google accounts, serviceAccount:{emailid} for service accounts, group:{emailid} for Google groups, and domain:{domain} for all users in a G Suite domain.organizations/{{org_id}}/roles/{{role_id}}. Predefined roles use the standard roles/ prefix.folders/{folder_id}, for example folders/1234567.gcp.folder.IAMBinding and gcp.folder.IAMMember together on the same role causes conflicts. Only use them together if they grant privileges to different roles.