The gcp:gemini/repositoryGroupIamPolicy:RepositoryGroupIamPolicy resource, part of the Pulumi GCP provider, manages IAM access control for Gemini repository groups. This guide focuses on three approaches: authoritative policy replacement, role-level member binding, and incremental member addition.
These resources manage access to repository groups that have already been created and indexed. The examples are intentionally small. Combine them with your own repository group infrastructure and member identities.
Replace the entire IAM policy for a repository group
When you need complete control over permissions, you can set the entire IAM policy at once, replacing any existing access rules.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/cloudaicompanion.repositoryGroupsUser",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.gemini.RepositoryGroupIamPolicy("policy", {
project: example.project,
location: example.location,
codeRepositoryIndex: example.codeRepositoryIndex,
repositoryGroupId: example.repositoryGroupId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/cloudaicompanion.repositoryGroupsUser",
"members": ["user:jane@example.com"],
}])
policy = gcp.gemini.RepositoryGroupIamPolicy("policy",
project=example["project"],
location=example["location"],
code_repository_index=example["codeRepositoryIndex"],
repository_group_id=example["repositoryGroupId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gemini"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/cloudaicompanion.repositoryGroupsUser",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = gemini.NewRepositoryGroupIamPolicy(ctx, "policy", &gemini.RepositoryGroupIamPolicyArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
CodeRepositoryIndex: pulumi.Any(example.CodeRepositoryIndex),
RepositoryGroupId: pulumi.Any(example.RepositoryGroupId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/cloudaicompanion.repositoryGroupsUser",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Gemini.RepositoryGroupIamPolicy("policy", new()
{
Project = example.Project,
Location = example.Location,
CodeRepositoryIndex = example.CodeRepositoryIndex,
RepositoryGroupId = example.RepositoryGroupId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.gemini.RepositoryGroupIamPolicy;
import com.pulumi.gcp.gemini.RepositoryGroupIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/cloudaicompanion.repositoryGroupsUser")
.members("user:jane@example.com")
.build())
.build());
var policy = new RepositoryGroupIamPolicy("policy", RepositoryGroupIamPolicyArgs.builder()
.project(example.project())
.location(example.location())
.codeRepositoryIndex(example.codeRepositoryIndex())
.repositoryGroupId(example.repositoryGroupId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:gemini:RepositoryGroupIamPolicy
properties:
project: ${example.project}
location: ${example.location}
codeRepositoryIndex: ${example.codeRepositoryIndex}
repositoryGroupId: ${example.repositoryGroupId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/cloudaicompanion.repositoryGroupsUser
members:
- user:jane@example.com
The RepositoryGroupIamPolicy resource is authoritative: it replaces the entire policy. The getIAMPolicy data source constructs the policy document with bindings that map roles to members. The policyData property receives the serialized policy. This approach gives you full control but conflicts with RepositoryGroupIamBinding and RepositoryGroupIamMember resources on the same repository group.
Grant a role to multiple members at once
When multiple users need the same access level, you can bind them all to a single role without affecting other role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.gemini.RepositoryGroupIamBinding("binding", {
project: example.project,
location: example.location,
codeRepositoryIndex: example.codeRepositoryIndex,
repositoryGroupId: example.repositoryGroupId,
role: "roles/cloudaicompanion.repositoryGroupsUser",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.gemini.RepositoryGroupIamBinding("binding",
project=example["project"],
location=example["location"],
code_repository_index=example["codeRepositoryIndex"],
repository_group_id=example["repositoryGroupId"],
role="roles/cloudaicompanion.repositoryGroupsUser",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gemini"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gemini.NewRepositoryGroupIamBinding(ctx, "binding", &gemini.RepositoryGroupIamBindingArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
CodeRepositoryIndex: pulumi.Any(example.CodeRepositoryIndex),
RepositoryGroupId: pulumi.Any(example.RepositoryGroupId),
Role: pulumi.String("roles/cloudaicompanion.repositoryGroupsUser"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Gemini.RepositoryGroupIamBinding("binding", new()
{
Project = example.Project,
Location = example.Location,
CodeRepositoryIndex = example.CodeRepositoryIndex,
RepositoryGroupId = example.RepositoryGroupId,
Role = "roles/cloudaicompanion.repositoryGroupsUser",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gemini.RepositoryGroupIamBinding;
import com.pulumi.gcp.gemini.RepositoryGroupIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new RepositoryGroupIamBinding("binding", RepositoryGroupIamBindingArgs.builder()
.project(example.project())
.location(example.location())
.codeRepositoryIndex(example.codeRepositoryIndex())
.repositoryGroupId(example.repositoryGroupId())
.role("roles/cloudaicompanion.repositoryGroupsUser")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:gemini:RepositoryGroupIamBinding
properties:
project: ${example.project}
location: ${example.location}
codeRepositoryIndex: ${example.codeRepositoryIndex}
repositoryGroupId: ${example.repositoryGroupId}
role: roles/cloudaicompanion.repositoryGroupsUser
members:
- user:jane@example.com
The RepositoryGroupIamBinding resource is authoritative for one role: it sets the complete member list for that role but preserves other roles in the policy. The members property accepts a list of identities in the format “user:email”, “serviceAccount:email”, or “group:email”. You can use multiple RepositoryGroupIamBinding resources for different roles on the same repository group.
Add a single member to a role incrementally
When you need to grant access to one additional user, you can add individual members without modifying existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.gemini.RepositoryGroupIamMember("member", {
project: example.project,
location: example.location,
codeRepositoryIndex: example.codeRepositoryIndex,
repositoryGroupId: example.repositoryGroupId,
role: "roles/cloudaicompanion.repositoryGroupsUser",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.gemini.RepositoryGroupIamMember("member",
project=example["project"],
location=example["location"],
code_repository_index=example["codeRepositoryIndex"],
repository_group_id=example["repositoryGroupId"],
role="roles/cloudaicompanion.repositoryGroupsUser",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gemini"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gemini.NewRepositoryGroupIamMember(ctx, "member", &gemini.RepositoryGroupIamMemberArgs{
Project: pulumi.Any(example.Project),
Location: pulumi.Any(example.Location),
CodeRepositoryIndex: pulumi.Any(example.CodeRepositoryIndex),
RepositoryGroupId: pulumi.Any(example.RepositoryGroupId),
Role: pulumi.String("roles/cloudaicompanion.repositoryGroupsUser"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Gemini.RepositoryGroupIamMember("member", new()
{
Project = example.Project,
Location = example.Location,
CodeRepositoryIndex = example.CodeRepositoryIndex,
RepositoryGroupId = example.RepositoryGroupId,
Role = "roles/cloudaicompanion.repositoryGroupsUser",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gemini.RepositoryGroupIamMember;
import com.pulumi.gcp.gemini.RepositoryGroupIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new RepositoryGroupIamMember("member", RepositoryGroupIamMemberArgs.builder()
.project(example.project())
.location(example.location())
.codeRepositoryIndex(example.codeRepositoryIndex())
.repositoryGroupId(example.repositoryGroupId())
.role("roles/cloudaicompanion.repositoryGroupsUser")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:gemini:RepositoryGroupIamMember
properties:
project: ${example.project}
location: ${example.location}
codeRepositoryIndex: ${example.codeRepositoryIndex}
repositoryGroupId: ${example.repositoryGroupId}
role: roles/cloudaicompanion.repositoryGroupsUser
member: user:jane@example.com
The RepositoryGroupIamMember resource is non-authoritative: it adds one member to a role without affecting other members. The member property takes a single identity string. This resource is safe to use alongside RepositoryGroupIamBinding resources as long as they don’t grant the same role.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs non-authoritative access control, and policy-level, role-level, and member-level configuration. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as Gemini repository groups, code repository indexes, and GCP projects and locations. They focus on configuring IAM permissions rather than provisioning the repository infrastructure.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (conditions)
- Custom roles beyond cloudaicompanion.repositoryGroupsUser
- Service account and group member types
- Multiple role assignments in single resources
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the Gemini RepositoryGroupIamPolicy resource reference for all available configuration options.
Let's manage GCP Gemini Repository Group IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Can I use IamPolicy with IamBinding or IamMember?
No,
RepositoryGroupIamPolicy cannot be used with RepositoryGroupIamBinding or RepositoryGroupIamMember because they will conflict over the policy state.Can I use IamBinding and IamMember together?
Yes, but only if they don’t grant the same role. Each role must be managed by either
IamBinding or IamMember, not both.What's the difference between IamPolicy, IamBinding, and IamMember?
IamPolicy is authoritative and replaces the entire policy. IamBinding is authoritative for a specific role, managing all members for that role while preserving other roles. IamMember is non-authoritative, adding individual members without affecting other members or roles.Configuration & Setup
How do I configure IAM policy for a repository group?
Use
gcp.organizations.getIAMPolicy to generate policy data with your desired bindings, then pass the result to the policyData property of RepositoryGroupIamPolicy.What properties can't I change after creating the resource?
All identifier properties are immutable:
codeRepositoryIndex, location, project, and repositoryGroupId. To change these, you must recreate the resource.