Configure GCP GKE Backup Restore Plan IAM Bindings

The gcp:gkebackup/restorePlanIamBinding:RestorePlanIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for GKE Backup RestorePlan resources. This guide focuses on two capabilities: granting roles to multiple members and adding individual members non-authoritatively.

IAM bindings reference existing RestorePlan resources and require valid IAM principals. The examples are intentionally small. Combine them with your own RestorePlan resources and identity management.

Grant a role to multiple members

When managing access for operations teams, you often need to grant the same role to several users or service accounts at once.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.gkebackup.RestorePlanIamBinding("binding", {
    project: allNs.project,
    location: allNs.location,
    name: allNs.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.gkebackup.RestorePlanIamBinding("binding",
    project=all_ns["project"],
    location=all_ns["location"],
    name=all_ns["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gkebackup"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := gkebackup.NewRestorePlanIamBinding(ctx, "binding", &gkebackup.RestorePlanIamBindingArgs{
			Project:  pulumi.Any(allNs.Project),
			Location: pulumi.Any(allNs.Location),
			Name:     pulumi.Any(allNs.Name),
			Role:     pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.GkeBackup.RestorePlanIamBinding("binding", new()
    {
        Project = allNs.Project,
        Location = allNs.Location,
        Name = allNs.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gkebackup.RestorePlanIamBinding;
import com.pulumi.gcp.gkebackup.RestorePlanIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new RestorePlanIamBinding("binding", RestorePlanIamBindingArgs.builder()
            .project(allNs.project())
            .location(allNs.location())
            .name(allNs.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:gkebackup:RestorePlanIamBinding
    properties:
      project: ${allNs.project}
      location: ${allNs.location}
      name: ${allNs.name}
      role: roles/viewer
      members:
        - user:jane@example.com

The RestorePlanIamBinding resource is authoritative for the specified role: it replaces all members for that role while preserving other roles on the RestorePlan. The members array accepts user accounts, service accounts, groups, and other IAM principal types. The project, location, and name properties identify which RestorePlan to bind the role to.

Add a single member to a role

When onboarding individual users, you can add them to a role without affecting existing members.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.gkebackup.RestorePlanIamMember("member", {
    project: allNs.project,
    location: allNs.location,
    name: allNs.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.gkebackup.RestorePlanIamMember("member",
    project=all_ns["project"],
    location=all_ns["location"],
    name=all_ns["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gkebackup"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := gkebackup.NewRestorePlanIamMember(ctx, "member", &gkebackup.RestorePlanIamMemberArgs{
			Project:  pulumi.Any(allNs.Project),
			Location: pulumi.Any(allNs.Location),
			Name:     pulumi.Any(allNs.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.GkeBackup.RestorePlanIamMember("member", new()
    {
        Project = allNs.Project,
        Location = allNs.Location,
        Name = allNs.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gkebackup.RestorePlanIamMember;
import com.pulumi.gcp.gkebackup.RestorePlanIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new RestorePlanIamMember("member", RestorePlanIamMemberArgs.builder()
            .project(allNs.project())
            .location(allNs.location())
            .name(allNs.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:gkebackup:RestorePlanIamMember
    properties:
      project: ${allNs.project}
      location: ${allNs.location}
      name: ${allNs.name}
      role: roles/viewer
      member: user:jane@example.com

The RestorePlanIamMember resource is non-authoritative: it adds one member to a role without replacing existing members. This approach works well when multiple teams manage access independently. Use RestorePlanIamBinding when you need full control over who has a role; use RestorePlanIamMember when you need to add access without coordinating with other administrators.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative IAM management. They’re intentionally minimal rather than complete access control configurations.

The examples reference pre-existing infrastructure such as GKE Backup RestorePlan resources and IAM principals (users, service accounts, groups). They focus on configuring IAM bindings rather than provisioning the underlying resources.

To keep things focused, common IAM patterns are omitted, including:

  • Conditional IAM bindings (condition property)
  • Full policy replacement (RestorePlanIamPolicy)
  • Custom role definitions
  • Federated identity configuration

These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the RestorePlanIamBinding resource reference for all available configuration options.

Let's configure GCP GKE Backup Restore Plan IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Conflicts & Compatibility
Can I use RestorePlanIamPolicy with RestorePlanIamBinding or RestorePlanIamMember?
No, RestorePlanIamPolicy cannot be used with RestorePlanIamBinding or RestorePlanIamMember as they will conflict over the policy configuration.
Can I use RestorePlanIamBinding and RestorePlanIamMember together?
Yes, but only if they manage different roles. Using both for the same role will cause conflicts.
Resource Selection
Which IAM resource should I use for managing RestorePlan permissions?

Choose based on your needs:

  • RestorePlanIamPolicy: Authoritative control, replaces the entire IAM policy
  • RestorePlanIamBinding: Authoritative for a specific role, manages all members for that role while preserving other roles
  • RestorePlanIamMember: Non-authoritative, adds individual members without affecting existing members or other roles
IAM Configuration
What member identity formats can I use in the members array?

You can use:

  • allUsers or allAuthenticatedUsers for public/authenticated access
  • user:{email}, serviceAccount:{email}, or group:{email} for specific identities
  • domain:{domain} for G Suite domains
  • projectOwner:projectid, projectEditor:projectid, or projectViewer:projectid for project-level roles
  • Federated identities like principal://iam.googleapis.com/locations/global/workforcePools/...
How do I specify a custom IAM role?
Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.
Resource Lifecycle
What properties can't I change after creating a RestorePlanIamBinding?
The location, name, project, role, and condition properties are immutable and require resource replacement if changed.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides