Manage GCP GKE Hub Feature IAM Policies

The gcp:gkehub/featureIamPolicy:FeatureIamPolicy resource, part of the Pulumi GCP provider, manages IAM policies for GKE Hub features. This guide focuses on three approaches: authoritative policy replacement, role-based member assignment, and incremental member addition.

GKE Hub features exist independently; these IAM resources control access to them. The FeatureIamPolicy resource replaces the entire policy, FeatureIamBinding manages all members for a specific role, and FeatureIamMember adds individual members. These resources cannot be mixed arbitrarily: FeatureIamPolicy conflicts with both FeatureIamBinding and FeatureIamMember, while FeatureIamBinding and FeatureIamMember can coexist only if they manage different roles. The examples are intentionally small. Combine them with your own GKE Hub features and organizational access patterns.

Replace the entire IAM policy for a feature

When you need complete control over feature access, you can set the entire IAM policy at once.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Render the policyData document from the bindings declared here.
const viewerPolicy = gcp.organizations.getIAMPolicy({
    bindings: [
        {
            role: "roles/viewer",
            members: ["user:jane@example.com"],
        },
    ],
});

// Authoritative: applying this replaces every existing binding on the feature
// with the bindings above. `feature` is the pre-existing GKE Hub feature.
const policy = new gcp.gkehub.FeatureIamPolicy("policy", {
    project: feature.project,
    location: feature.location,
    name: feature.name,
    policyData: viewerPolicy.then((result) => result.policyData),
});
import pulumi
import pulumi_gcp as gcp

# Render the policy_data document from the bindings declared here.
viewer_policy = gcp.organizations.get_iam_policy(
    bindings=[
        {
            "role": "roles/viewer",
            "members": ["user:jane@example.com"],
        }
    ]
)

# Authoritative: every binding not listed above is removed from the feature.
# `feature` is the pre-existing GKE Hub feature this policy is attached to.
policy = gcp.gkehub.FeatureIamPolicy(
    "policy",
    project=feature["project"],
    location=feature["location"],
    name=feature["name"],
    policy_data=viewer_policy.policy_data,
)
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gkehub"
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main attaches an authoritative IAM policy to a pre-existing GKE Hub feature.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Render the policy document from the bindings declared here.
		viewerPolicy, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
			Bindings: []organizations.GetIAMPolicyBinding{{
				Role:    "roles/viewer",
				Members: []string{"user:jane@example.com"},
			}},
		}, nil)
		if err != nil {
			return err
		}

		// Authoritative: bindings absent from PolicyData are removed from the feature.
		// `feature` is the pre-existing GKE Hub feature being managed.
		if _, err := gkehub.NewFeatureIamPolicy(ctx, "policy", &gkehub.FeatureIamPolicyArgs{
			Project:    pulumi.Any(feature.Project),
			Location:   pulumi.Any(feature.Location),
			Name:       pulumi.Any(feature.Name),
			PolicyData: pulumi.String(viewerPolicy.PolicyData),
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Render the policy document from the bindings declared here.
    var viewerPolicy = Gcp.Organizations.GetIAMPolicy.Invoke(new()
    {
        Bindings = new[]
        {
            new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
            {
                Role = "roles/viewer",
                Members = new[] { "user:jane@example.com" },
            },
        },
    });

    // Authoritative: bindings absent from PolicyData are removed from the feature.
    // `feature` is the pre-existing GKE Hub feature being managed.
    var policy = new Gcp.GkeHub.FeatureIamPolicy("policy", new()
    {
        Project = feature.Project,
        Location = feature.Location,
        Name = feature.Name,
        PolicyData = viewerPolicy.Apply(result => result.PolicyData),
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gkehub.FeatureIamPolicy;
import com.pulumi.gcp.gkehub.FeatureIamPolicyArgs;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyBindingArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/** Attaches an authoritative IAM policy to a pre-existing GKE Hub feature. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the policy document and the FeatureIamPolicy that applies it. */
    public static void stack(Context ctx) {
        // Render policyData from the bindings declared here.
        var viewerBinding = GetIAMPolicyBindingArgs.builder()
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build();
        final var viewerPolicy = OrganizationsFunctions.getIAMPolicy(
            GetIAMPolicyArgs.builder().bindings(viewerBinding).build());

        // Authoritative: bindings absent from policyData are removed from the feature.
        // `feature` is the pre-existing GKE Hub feature being managed.
        var policy = new FeatureIamPolicy("policy", FeatureIamPolicyArgs.builder()
            .project(feature.project())
            .location(feature.location())
            .name(feature.name())
            .policyData(viewerPolicy.policyData())
            .build());
    }
}
variables:
  # Renders policyData from the bindings declared here.
  admin:
    fn::invoke:
      function: gcp:organizations:getIAMPolicy
      arguments:
        bindings:
          - role: roles/viewer
            members:
              - user:jane@example.com
resources:
  # Authoritative: bindings absent from policyData are removed from the feature.
  # `feature` is the pre-existing GKE Hub feature being managed.
  policy:
    type: gcp:gkehub:FeatureIamPolicy
    properties:
      name: ${feature.name}
      project: ${feature.project}
      location: ${feature.location}
      policyData: ${admin.policyData}

The FeatureIamPolicy resource takes a policyData property generated by the getIAMPolicy data source. This approach is authoritative: it replaces all existing IAM bindings on the feature. The project, location, and name properties identify which feature to manage.

Grant a role to multiple members at once

Teams often assign the same role to several users without affecting other role assignments.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Authoritative for roles/viewer only: the member list below replaces every
// existing member of that role, while other roles on the feature are untouched.
// `feature` is the pre-existing GKE Hub feature being managed.
const viewerMembers = ["user:jane@example.com"];
const binding = new gcp.gkehub.FeatureIamBinding("binding", {
    name: feature.name,
    project: feature.project,
    location: feature.location,
    role: "roles/viewer",
    members: viewerMembers,
});
import pulumi
import pulumi_gcp as gcp

# Authoritative for roles/viewer only: the member list replaces every existing
# member of that role; other roles on the feature are left untouched.
# `feature` is the pre-existing GKE Hub feature being managed.
viewer_members = ["user:jane@example.com"]
binding = gcp.gkehub.FeatureIamBinding(
    "binding",
    role="roles/viewer",
    members=viewer_members,
    project=feature["project"],
    location=feature["location"],
    name=feature["name"],
)
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gkehub"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main binds the listed members to roles/viewer on a pre-existing GKE Hub feature.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Authoritative for this role only: Members replaces every existing member
		// of roles/viewer; other roles on the feature are left untouched.
		viewerMembers := pulumi.StringArray{pulumi.String("user:jane@example.com")}
		if _, err := gkehub.NewFeatureIamBinding(ctx, "binding", &gkehub.FeatureIamBindingArgs{
			Project:  pulumi.Any(feature.Project),
			Location: pulumi.Any(feature.Location),
			Name:     pulumi.Any(feature.Name),
			Role:     pulumi.String("roles/viewer"),
			Members:  viewerMembers,
		}); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Authoritative for this role only: Members replaces every existing member
    // of roles/viewer; other roles on the feature are left untouched.
    // `feature` is the pre-existing GKE Hub feature being managed.
    var viewerMembers = new[] { "user:jane@example.com" };
    var binding = new Gcp.GkeHub.FeatureIamBinding("binding", new()
    {
        Project = feature.Project,
        Location = feature.Location,
        Name = feature.Name,
        Role = "roles/viewer",
        Members = viewerMembers,
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gkehub.FeatureIamBinding;
import com.pulumi.gcp.gkehub.FeatureIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Binds a member list to roles/viewer on a pre-existing GKE Hub feature. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the FeatureIamBinding; `feature` is the existing GKE Hub feature. */
    public static void stack(Context ctx) {
        // Authoritative for this role only: members replaces every existing member
        // of roles/viewer; other roles on the feature are left untouched.
        var bindingArgs = FeatureIamBindingArgs.builder()
            .project(feature.project())
            .location(feature.location())
            .name(feature.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build();
        var binding = new FeatureIamBinding("binding", bindingArgs);
    }
}
resources:
  # Authoritative for roles/viewer only: this member list replaces every existing
  # member of that role; other roles on the feature are left untouched.
  # `feature` is the pre-existing GKE Hub feature being managed.
  binding:
    type: gcp:gkehub:FeatureIamBinding
    properties:
      role: roles/viewer
      members:
        - user:jane@example.com
      name: ${feature.name}
      project: ${feature.project}
      location: ${feature.location}

The FeatureIamBinding resource grants a role to a list of members. This is authoritative for the specified role: it replaces all members for that role but preserves other roles on the feature. The members array accepts user accounts, service accounts, groups, and domains.

Add a single member to a role incrementally

To grant access to one user without disturbing existing permissions, add individual members.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

// Additive: grants roles/viewer to this one member and leaves every other
// member of the role, and every other role, as they are.
// `feature` is the pre-existing GKE Hub feature being managed.
const viewerRole = "roles/viewer";
const member = new gcp.gkehub.FeatureIamMember("member", {
    name: feature.name,
    project: feature.project,
    location: feature.location,
    role: viewerRole,
    member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp

# Additive: grants roles/viewer to this one member and leaves every other
# member of the role, and every other role, as they are.
# `feature` is the pre-existing GKE Hub feature being managed.
viewer_role = "roles/viewer"
member = gcp.gkehub.FeatureIamMember(
    "member",
    role=viewer_role,
    member="user:jane@example.com",
    project=feature["project"],
    location=feature["location"],
    name=feature["name"],
)
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/gkehub"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// main grants roles/viewer to a single member on a pre-existing GKE Hub feature.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Additive: this adds one member to the role and leaves every other
		// member of the role, and every other role, as they are.
		memberArgs := &gkehub.FeatureIamMemberArgs{
			Project:  pulumi.Any(feature.Project),
			Location: pulumi.Any(feature.Location),
			Name:     pulumi.Any(feature.Name),
			Role:     pulumi.String("roles/viewer"),
			Member:   pulumi.String("user:jane@example.com"),
		}
		if _, err := gkehub.NewFeatureIamMember(ctx, "member", memberArgs); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    // Additive: grants roles/viewer to this one member and leaves every other
    // member of the role, and every other role, as they are.
    // `feature` is the pre-existing GKE Hub feature being managed.
    const string viewerRole = "roles/viewer";
    var member = new Gcp.GkeHub.FeatureIamMember("member", new()
    {
        Project = feature.Project,
        Location = feature.Location,
        Name = feature.Name,
        Role = viewerRole,
        Member = "user:jane@example.com",
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.gkehub.FeatureIamMember;
import com.pulumi.gcp.gkehub.FeatureIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

/** Grants roles/viewer to a single member on a pre-existing GKE Hub feature. */
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /** Declares the FeatureIamMember; `feature` is the existing GKE Hub feature. */
    public static void stack(Context ctx) {
        // Additive: adds one member to the role and leaves every other member
        // of the role, and every other role, as they are.
        var memberArgs = FeatureIamMemberArgs.builder()
            .project(feature.project())
            .location(feature.location())
            .name(feature.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build();
        var member = new FeatureIamMember("member", memberArgs);
    }
}
resources:
  # Additive: grants roles/viewer to this one member and leaves every other
  # member of the role, and every other role, as they are.
  # `feature` is the pre-existing GKE Hub feature being managed.
  member:
    type: gcp:gkehub:FeatureIamMember
    properties:
      role: roles/viewer
      member: user:jane@example.com
      name: ${feature.name}
      project: ${feature.project}
      location: ${feature.location}

The FeatureIamMember resource is non-authoritative: it adds one member to a role without affecting other members who already have that role. Use this when multiple teams manage access independently or when you need to grant permissions incrementally.

Beyond these examples

These snippets focus on specific IAM management approaches: authoritative and incremental policy management, and role-based access control for GKE Hub features. They’re intentionally minimal rather than full access control systems.

The examples reference pre-existing infrastructure such as GKE Hub features (identified by project, location, and name). They focus on configuring IAM policies rather than provisioning the features themselves.

To keep things focused, common IAM patterns are omitted, including:

  • Conditional IAM bindings (condition property)
  • Custom role definitions
  • Service account creation and management
  • Audit logging configuration

These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the GKE Hub FeatureIamPolicy resource reference for all available configuration options.


Frequently Asked Questions

Resource Conflicts & Compatibility
Can I mix FeatureIamPolicy with other IAM resources?
No, gcp.gkehub.FeatureIamPolicy cannot be used together with gcp.gkehub.FeatureIamBinding or gcp.gkehub.FeatureIamMember because they will conflict over the policy configuration.
Can I use FeatureIamBinding and FeatureIamMember together?
Yes, but only if they do not manage the same role. Each role must be managed by only one resource type to avoid conflicts.
Resource Selection & Usage
Which IAM resource should I use for managing GKE Hub feature permissions?
Use gcp.gkehub.FeatureIamPolicy for full policy control (replaces entire policy). Use gcp.gkehub.FeatureIamBinding to manage all members for a specific role (preserves other roles). Use gcp.gkehub.FeatureIamMember to add individual members to a role (preserves other members).
How do I generate the policyData for FeatureIamPolicy?
Use the gcp.organizations.getIAMPolicy data source to generate the policy data, then pass it to the policyData property.
What's the difference between members and member properties?
gcp.gkehub.FeatureIamBinding uses members (plural) to assign multiple members to a role. gcp.gkehub.FeatureIamMember uses member (singular) to assign one member at a time.
Configuration & Import
Do I need to specify location and project for every resource?
No, both location and project can be parsed from the parent resource identifier or taken from the provider configuration if not explicitly specified.
How do I import a feature with a custom IAM role?
Use the full name of the custom role in the format projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.
