The gcp:gkebackup/backupPlanIamBinding:BackupPlanIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for GKE Backup Plans. It controls which identities (users, service accounts, groups) can access backup resources. This guide focuses on two approaches: authoritative role binding that manages all members for one role, and non-authoritative member addition that adds single identities.
IAM bindings reference existing Backup Plans by project, location, and name. The examples are intentionally small. Combine them with your own Backup Plan resources and organizational identity structure.
Grant a role to multiple members at once
When managing backup access, you often need to grant the same role to multiple users, service accounts, or groups simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.gkebackup.BackupPlanIamBinding("binding", {
project: basic.project,
location: basic.location,
name: basic.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.gkebackup.BackupPlanIamBinding("binding",
project=basic["project"],
location=basic["location"],
name=basic["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gkebackup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gkebackup.NewBackupPlanIamBinding(ctx, "binding", &gkebackup.BackupPlanIamBindingArgs{
Project: pulumi.Any(basic.Project),
Location: pulumi.Any(basic.Location),
Name: pulumi.Any(basic.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.GkeBackup.BackupPlanIamBinding("binding", new()
{
Project = basic.Project,
Location = basic.Location,
Name = basic.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gkebackup.BackupPlanIamBinding;
import com.pulumi.gcp.gkebackup.BackupPlanIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new BackupPlanIamBinding("binding", BackupPlanIamBindingArgs.builder()
.project(basic.project())
.location(basic.location())
.name(basic.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:gkebackup:BackupPlanIamBinding
properties:
project: ${basic.project}
location: ${basic.location}
name: ${basic.name}
role: roles/viewer
members:
- user:jane@example.com
BackupPlanIamBinding is authoritative for the specified role. The members array lists all identities that should have this role; any existing members not in this list are removed. The role property accepts predefined roles like “roles/viewer” or custom roles in the format “projects/{project}/roles/{role-name}”. The project, location, and name properties identify which Backup Plan to bind the policy to.
Add a single member to a role incrementally
To grant access to one identity without affecting other members of the same role, use BackupPlanIamMember for non-authoritative updates.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.gkebackup.BackupPlanIamMember("member", {
project: basic.project,
location: basic.location,
name: basic.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.gkebackup.BackupPlanIamMember("member",
project=basic["project"],
location=basic["location"],
name=basic["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gkebackup"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := gkebackup.NewBackupPlanIamMember(ctx, "member", &gkebackup.BackupPlanIamMemberArgs{
Project: pulumi.Any(basic.Project),
Location: pulumi.Any(basic.Location),
Name: pulumi.Any(basic.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.GkeBackup.BackupPlanIamMember("member", new()
{
Project = basic.Project,
Location = basic.Location,
Name = basic.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gkebackup.BackupPlanIamMember;
import com.pulumi.gcp.gkebackup.BackupPlanIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new BackupPlanIamMember("member", BackupPlanIamMemberArgs.builder()
.project(basic.project())
.location(basic.location())
.name(basic.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:gkebackup:BackupPlanIamMember
properties:
project: ${basic.project}
location: ${basic.location}
name: ${basic.name}
role: roles/viewer
member: user:jane@example.com
BackupPlanIamMember adds a single identity to a role without replacing existing members. The member property (singular) specifies one identity, while the role property defines which permission to grant. This resource preserves other members already assigned to the role, making it safe to use alongside other IAM resources as long as they don’t target the same role-member combination.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than complete access control configurations.
The examples reference pre-existing infrastructure such as GKE Backup Plans (identified by project, location, and name). They focus on configuring IAM bindings rather than provisioning the backup infrastructure itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (BackupPlanIamPolicy)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how IAM bindings are wired to Backup Plans, not provide drop-in access control modules. See the BackupPlanIamBinding resource reference for all available configuration options.
Let's manage GCP GKE Backup Plan IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
BackupPlanIamPolicy is fully authoritative and replaces the entire IAM policy. BackupPlanIamBinding is authoritative for a specific role, replacing all members for that role while preserving other roles. BackupPlanIamMember is non-authoritative and adds a single member to a role without affecting other members.BackupPlanIamPolicy cannot be used with BackupPlanIamBinding or BackupPlanIamMember because they will conflict over the policy configuration.BackupPlanIamPolicy if you need full control over the entire policy. Use BackupPlanIamBinding to manage all members for specific roles. Use BackupPlanIamMember to add individual members without affecting existing permissions.IAM Configuration
[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.The members property supports multiple formats:
allUsers- Anyone on the internetallAuthenticatedUsers- Anyone with a Google accountuser:{email}- Specific Google account (e.g.,user:alice@gmail.com)serviceAccount:{email}- Service account (e.g.,serviceAccount:my-app@appspot.gserviceaccount.com)group:{email}- Google group (e.g.,group:admins@example.com)domain:{domain}- G Suite domain (e.g.,domain:example.com)projectOwner:projectid,projectEditor:projectid,projectViewer:projectid- Project-level roles- Federated identities using principal identifiers (e.g.,
principal://iam.googleapis.com/...)
role, location, name, and project properties are all immutable and cannot be changed after creation.Import & Advanced
pulumi import gcp:gkebackup/backupPlanIamBinding:BackupPlanIamBinding editor "projects/{{project}}/locations/{{location}}/backupPlans/{{backup_plan}} roles/viewer". For custom roles, use the full name like projects/my-project/roles/my-custom-role.