The gcp:gemini/repositoryGroupIamBinding:RepositoryGroupIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Gemini repository groups, controlling which users and service accounts can access repository collections. This guide focuses on two capabilities: authoritative role binding to multiple members and non-authoritative individual member grants.
IAM bindings reference existing repository groups and code repository indexes within a GCP project and location. The examples are intentionally small. Combine them with your own repository infrastructure and identity management.
Grant a role to multiple members at once
Teams managing repository group access often need to grant the same role to multiple users or service accounts simultaneously, ensuring consistent permissions across a team.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.gemini.RepositoryGroupIamBinding("binding", {
project: example.project,
location: example.location,
codeRepositoryIndex: example.codeRepositoryIndex,
repositoryGroupId: example.repositoryGroupId,
role: "roles/cloudaicompanion.repositoryGroupsUser",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.gemini.RepositoryGroupIamBinding("binding",
project=example["project"],
location=example["location"],
code_repository_index=example["codeRepositoryIndex"],
repository_group_id=example["repositoryGroupId"],
role="roles/cloudaicompanion.repositoryGroupsUser",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gemini"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gemini.NewRepositoryGroupIamBinding(ctx, "binding", &gemini.RepositoryGroupIamBindingArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
CodeRepositoryIndex: pulumi.Any(example.CodeRepositoryIndex),
RepositoryGroupId: pulumi.Any(example.RepositoryGroupId),
Role: pulumi.String("roles/cloudaicompanion.repositoryGroupsUser"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Gemini.RepositoryGroupIamBinding("binding", new()
{
Project = example.Project,
Location = example.Location,
CodeRepositoryIndex = example.CodeRepositoryIndex,
RepositoryGroupId = example.RepositoryGroupId,
Role = "roles/cloudaicompanion.repositoryGroupsUser",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gemini.RepositoryGroupIamBinding;
import com.pulumi.gcp.gemini.RepositoryGroupIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RepositoryGroupIamBinding("binding", RepositoryGroupIamBindingArgs.builder()
.project(example.project())
.location(example.location())
.codeRepositoryIndex(example.codeRepositoryIndex())
.repositoryGroupId(example.repositoryGroupId())
.role("roles/cloudaicompanion.repositoryGroupsUser")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:gemini:RepositoryGroupIamBinding
properties:
project: ${example.project}
location: ${example.location}
codeRepositoryIndex: ${example.codeRepositoryIndex}
repositoryGroupId: ${example.repositoryGroupId}
role: roles/cloudaicompanion.repositoryGroupsUser
members:
- user:jane@example.com
The RepositoryGroupIamBinding resource is authoritative for the specified role. The members array lists all identities that receive the role; any members not in this list lose access. The repositoryGroupId and codeRepositoryIndex properties identify which repository group receives the binding. This approach works well when you manage all members for a role together.
Add individual members without affecting existing bindings
When you need to grant access to one person without modifying other members’ permissions, non-authoritative member resources let you add individuals incrementally.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.gemini.RepositoryGroupIamMember("member", {
project: example.project,
location: example.location,
codeRepositoryIndex: example.codeRepositoryIndex,
repositoryGroupId: example.repositoryGroupId,
role: "roles/cloudaicompanion.repositoryGroupsUser",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.gemini.RepositoryGroupIamMember("member",
project=example["project"],
location=example["location"],
code_repository_index=example["codeRepositoryIndex"],
repository_group_id=example["repositoryGroupId"],
role="roles/cloudaicompanion.repositoryGroupsUser",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gemini"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gemini.NewRepositoryGroupIamMember(ctx, "member", &gemini.RepositoryGroupIamMemberArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
CodeRepositoryIndex: pulumi.Any(example.CodeRepositoryIndex),
RepositoryGroupId: pulumi.Any(example.RepositoryGroupId),
Role: pulumi.String("roles/cloudaicompanion.repositoryGroupsUser"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Gemini.RepositoryGroupIamMember("member", new()
{
Project = example.Project,
Location = example.Location,
CodeRepositoryIndex = example.CodeRepositoryIndex,
RepositoryGroupId = example.RepositoryGroupId,
Role = "roles/cloudaicompanion.repositoryGroupsUser",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gemini.RepositoryGroupIamMember;
import com.pulumi.gcp.gemini.RepositoryGroupIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new RepositoryGroupIamMember("member", RepositoryGroupIamMemberArgs.builder()
.project(example.project())
.location(example.location())
.codeRepositoryIndex(example.codeRepositoryIndex())
.repositoryGroupId(example.repositoryGroupId())
.role("roles/cloudaicompanion.repositoryGroupsUser")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:gemini:RepositoryGroupIamMember
properties:
project: ${example.project}
location: ${example.location}
codeRepositoryIndex: ${example.codeRepositoryIndex}
repositoryGroupId: ${example.repositoryGroupId}
role: roles/cloudaicompanion.repositoryGroupsUser
member: user:jane@example.com
The RepositoryGroupIamMember resource is non-authoritative: it adds one member to a role without affecting other members. The member property specifies a single identity using the same format as the members array in bindings. This approach lets multiple team members or automation systems grant access independently without coordination.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as Gemini repository groups and code repository indexes, and GCP projects with configured locations. They focus on configuring IAM bindings rather than provisioning the underlying repository infrastructure.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (RepositoryGroupIamPolicy)
- Custom role definitions
- Service account creation and management
These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the RepositoryGroupIamBinding resource reference for all available configuration options.
Let's manage GCP Gemini Repository Group IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
RepositoryGroupIamPolicy is fully authoritative and replaces the entire IAM policy. RepositoryGroupIamBinding is authoritative for a specific role, managing all members for that role while preserving other roles. RepositoryGroupIamMember is non-authoritative, adding individual members without affecting existing members for the role.RepositoryGroupIamPolicy cannot be used with RepositoryGroupIamBinding or RepositoryGroupIamMember because they will conflict over policy state. Use IamPolicy alone for full control, or use IamBinding/IamMember together for granular management.RepositoryGroupIamBinding and RepositoryGroupIamMember for the same role causes conflicts.[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/customRole.IAM Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, or federated identities like principal://iam.googleapis.com/....RepositoryGroupIamMember to add a single user without affecting others (e.g., member: "user:jane@example.com"). Use RepositoryGroupIamBinding to manage all members for a role at once (e.g., members: ["user:jane@example.com", "user:john@example.com"]).