The gcp:gemini/repositoryGroupIamPolicy:RepositoryGroupIamPolicy resource, part of the Pulumi GCP provider, controls IAM permissions for Gemini repository groups. This guide focuses on three approaches: authoritative policy replacement, role-level binding, and individual member assignment.
These resources belong to the Gemini for Google Cloud service and reference existing repository groups within code repository indexes. The examples are intentionally small. Combine them with your own repository group infrastructure and organizational IAM policies.
Replace the entire IAM policy for a repository group
When you need complete control over permissions, you can set the entire IAM policy at once, replacing any existing access rules.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/cloudaicompanion.repositoryGroupsUser",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.gemini.RepositoryGroupIamPolicy("policy", {
project: example.project,
location: example.location,
codeRepositoryIndex: example.codeRepositoryIndex,
repositoryGroupId: example.repositoryGroupId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/cloudaicompanion.repositoryGroupsUser",
"members": ["user:jane@example.com"],
}])
policy = gcp.gemini.RepositoryGroupIamPolicy("policy",
project=example["project"],
location=example["location"],
code_repository_index=example["codeRepositoryIndex"],
repository_group_id=example["repositoryGroupId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gemini"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/cloudaicompanion.repositoryGroupsUser",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = gemini.NewRepositoryGroupIamPolicy(ctx, "policy", &gemini.RepositoryGroupIamPolicyArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
CodeRepositoryIndex: pulumi.Any(example.CodeRepositoryIndex),
RepositoryGroupId: pulumi.Any(example.RepositoryGroupId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/cloudaicompanion.repositoryGroupsUser",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Gemini.RepositoryGroupIamPolicy("policy", new()
{
Project = example.Project,
Location = example.Location,
CodeRepositoryIndex = example.CodeRepositoryIndex,
RepositoryGroupId = example.RepositoryGroupId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.gemini.RepositoryGroupIamPolicy;
import com.pulumi.gcp.gemini.RepositoryGroupIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/cloudaicompanion.repositoryGroupsUser")
.members("user:jane@example.com")
.build())
.build());
var policy = new RepositoryGroupIamPolicy("policy", RepositoryGroupIamPolicyArgs.builder()
.project(example.project())
.location(example.location())
.codeRepositoryIndex(example.codeRepositoryIndex())
.repositoryGroupId(example.repositoryGroupId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:gemini:RepositoryGroupIamPolicy
properties:
project: ${example.project}
location: ${example.location}
codeRepositoryIndex: ${example.codeRepositoryIndex}
repositoryGroupId: ${example.repositoryGroupId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/cloudaicompanion.repositoryGroupsUser
members:
- user:jane@example.com
The RepositoryGroupIamPolicy resource is authoritative: it replaces the entire IAM policy with the policyData you provide. The getIAMPolicy data source constructs the policy document with bindings that map roles to members. This approach gives you complete control but cannot coexist with RepositoryGroupIamBinding or RepositoryGroupIamMember resources on the same repository group, as they would conflict over policy ownership.
Grant a role to multiple members at once
When multiple users need the same access level, you can bind them all to a single role without affecting other role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.gemini.RepositoryGroupIamBinding("binding", {
project: example.project,
location: example.location,
codeRepositoryIndex: example.codeRepositoryIndex,
repositoryGroupId: example.repositoryGroupId,
role: "roles/cloudaicompanion.repositoryGroupsUser",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.gemini.RepositoryGroupIamBinding("binding",
project=example["project"],
location=example["location"],
code_repository_index=example["codeRepositoryIndex"],
repository_group_id=example["repositoryGroupId"],
role="roles/cloudaicompanion.repositoryGroupsUser",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gemini"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gemini.NewRepositoryGroupIamBinding(ctx, "binding", &gemini.RepositoryGroupIamBindingArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
CodeRepositoryIndex: pulumi.Any(example.CodeRepositoryIndex),
RepositoryGroupId: pulumi.Any(example.RepositoryGroupId),
Role: pulumi.String("roles/cloudaicompanion.repositoryGroupsUser"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Gemini.RepositoryGroupIamBinding("binding", new()
{
Project = example.Project,
Location = example.Location,
CodeRepositoryIndex = example.CodeRepositoryIndex,
RepositoryGroupId = example.RepositoryGroupId,
Role = "roles/cloudaicompanion.repositoryGroupsUser",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gemini.RepositoryGroupIamBinding;
import com.pulumi.gcp.gemini.RepositoryGroupIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RepositoryGroupIamBinding("binding", RepositoryGroupIamBindingArgs.builder()
.project(example.project())
.location(example.location())
.codeRepositoryIndex(example.codeRepositoryIndex())
.repositoryGroupId(example.repositoryGroupId())
.role("roles/cloudaicompanion.repositoryGroupsUser")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:gemini:RepositoryGroupIamBinding
properties:
project: ${example.project}
location: ${example.location}
codeRepositoryIndex: ${example.codeRepositoryIndex}
repositoryGroupId: ${example.repositoryGroupId}
role: roles/cloudaicompanion.repositoryGroupsUser
members:
- user:jane@example.com
The RepositoryGroupIamBinding resource is authoritative for a specific role: it sets the complete member list for that role while preserving other roles in the policy. The members property accepts a list of identities (users, service accounts, groups). You can use multiple RepositoryGroupIamBinding resources on the same repository group as long as they manage different roles.
Add a single member to a role incrementally
When you need to grant access to one user without disturbing existing permissions, you can add members individually.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.gemini.RepositoryGroupIamMember("member", {
project: example.project,
location: example.location,
codeRepositoryIndex: example.codeRepositoryIndex,
repositoryGroupId: example.repositoryGroupId,
role: "roles/cloudaicompanion.repositoryGroupsUser",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.gemini.RepositoryGroupIamMember("member",
project=example["project"],
location=example["location"],
code_repository_index=example["codeRepositoryIndex"],
repository_group_id=example["repositoryGroupId"],
role="roles/cloudaicompanion.repositoryGroupsUser",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gemini"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gemini.NewRepositoryGroupIamMember(ctx, "member", &gemini.RepositoryGroupIamMemberArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
CodeRepositoryIndex: pulumi.Any(example.CodeRepositoryIndex),
RepositoryGroupId: pulumi.Any(example.RepositoryGroupId),
Role: pulumi.String("roles/cloudaicompanion.repositoryGroupsUser"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Gemini.RepositoryGroupIamMember("member", new()
{
Project = example.Project,
Location = example.Location,
CodeRepositoryIndex = example.CodeRepositoryIndex,
RepositoryGroupId = example.RepositoryGroupId,
Role = "roles/cloudaicompanion.repositoryGroupsUser",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gemini.RepositoryGroupIamMember;
import com.pulumi.gcp.gemini.RepositoryGroupIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new RepositoryGroupIamMember("member", RepositoryGroupIamMemberArgs.builder()
.project(example.project())
.location(example.location())
.codeRepositoryIndex(example.codeRepositoryIndex())
.repositoryGroupId(example.repositoryGroupId())
.role("roles/cloudaicompanion.repositoryGroupsUser")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:gemini:RepositoryGroupIamMember
properties:
project: ${example.project}
location: ${example.location}
codeRepositoryIndex: ${example.codeRepositoryIndex}
repositoryGroupId: ${example.repositoryGroupId}
role: roles/cloudaicompanion.repositoryGroupsUser
member: user:jane@example.com
The RepositoryGroupIamMember resource is non-authoritative: it adds a single member to a role without affecting other members of that role or other roles in the policy. The member property specifies one identity. This is the safest option when multiple teams manage access independently, as it minimizes the risk of accidentally removing someone else’s permissions.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs non-authoritative updates and role binding vs member assignment. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as Gemini repository groups and code repository indexes, and a GCP project with location configuration. They focus on IAM policy configuration rather than provisioning the underlying repository infrastructure.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Service account impersonation
- Custom role definitions
- IAM policy retrieval (data source usage)
These omissions are intentional: the goal is to illustrate how each IAM resource type modifies permissions, not provide drop-in access control modules. See the Gemini RepositoryGroupIamPolicy resource reference for all available configuration options.
Let's manage GCP Gemini Repository Group IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
What's the difference between the three IAM resources for RepositoryGroup?
RepositoryGroupIamPolicy is authoritative and replaces the entire policy. RepositoryGroupIamBinding is authoritative for a specific role, preserving other roles. RepositoryGroupIamMember is non-authoritative, adding individual members without affecting other members for the same role.Can I use these IAM resources together?
RepositoryGroupIamPolicy cannot be used with RepositoryGroupIamBinding or RepositoryGroupIamMember as they will conflict. However, RepositoryGroupIamBinding and RepositoryGroupIamMember can be used together only if they manage different roles.Which IAM resource should I use?
Use
RepositoryGroupIamPolicy for complete policy control. Use RepositoryGroupIamBinding to manage all members for a specific role. Use RepositoryGroupIamMember to add individual members without affecting existing ones.Configuration & Setup
What properties are required to configure RepositoryGroupIamPolicy?
All of these are required and immutable:
codeRepositoryIndex, location, project, repositoryGroupId, and policyData.How do I generate the policyData for IamPolicy?
Use the
gcp.organizations.getIAMPolicy data source with your desired bindings, then reference its policyData output in your RepositoryGroupIamPolicy resource.Import & Migration
What import formats are supported?
Four formats are supported, from most to least detailed: full path (
projects/{{project}}/locations/{{location}}/...), project-scoped ({{project}}/{{location}}/...), location-scoped ({{location}}/...), or just {{repository_group_id}}. Missing variables are taken from the provider configuration.How do I import a resource with a custom IAM role?
Use the full custom role name in the format
projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.