Manage GCP Cloud Healthcare Consent Store IAM Bindings

The gcp:healthcare/consentStoreIamBinding:ConsentStoreIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Cloud Healthcare consent stores. This guide focuses on two capabilities: authoritative role binding for multiple members and non-authoritative single member addition.

IAM bindings reference existing consent stores within Healthcare datasets. The examples are intentionally small. Combine them with your own consent store infrastructure and identity management.

Grant a role to multiple members at once

Teams managing consent stores often need to grant the same role to multiple users or service accounts.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.healthcare.ConsentStoreIamBinding("binding", {
    dataset: my_consent.dataset,
    consentStoreId: my_consent.name,
    role: "roles/viewer",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.healthcare.ConsentStoreIamBinding("binding",
    dataset=my_consent["dataset"],
    consent_store_id=my_consent["name"],
    role="roles/viewer",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewConsentStoreIamBinding(ctx, "binding", &healthcare.ConsentStoreIamBindingArgs{
			Dataset:        pulumi.Any(my_consent.Dataset),
			ConsentStoreId: pulumi.Any(my_consent.Name),
			Role:           pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Healthcare.ConsentStoreIamBinding("binding", new()
    {
        Dataset = my_consent.Dataset,
        ConsentStoreId = my_consent.Name,
        Role = "roles/viewer",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.ConsentStoreIamBinding;
import com.pulumi.gcp.healthcare.ConsentStoreIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new ConsentStoreIamBinding("binding", ConsentStoreIamBindingArgs.builder()
            .dataset(my_consent.dataset())
            .consentStoreId(my_consent.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:healthcare:ConsentStoreIamBinding
    properties:
      dataset: ${["my-consent"].dataset}
      consentStoreId: ${["my-consent"].name}
      role: roles/viewer
      members:
        - user:jane@example.com

The role property specifies which IAM role to grant (e.g., “roles/viewer”). The members array lists all identities that should have this role. ConsentStoreIamBinding is authoritative for the specified role: it replaces any existing members for that role. The consentStoreId and dataset properties identify which consent store to configure.

Add individual members without affecting others

When you need to grant access to one person without modifying existing permissions, ConsentStoreIamMember adds a single member non-authoritatively.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.healthcare.ConsentStoreIamMember("member", {
    dataset: my_consent.dataset,
    consentStoreId: my_consent.name,
    role: "roles/viewer",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.healthcare.ConsentStoreIamMember("member",
    dataset=my_consent["dataset"],
    consent_store_id=my_consent["name"],
    role="roles/viewer",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewConsentStoreIamMember(ctx, "member", &healthcare.ConsentStoreIamMemberArgs{
			Dataset:        pulumi.Any(my_consent.Dataset),
			ConsentStoreId: pulumi.Any(my_consent.Name),
			Role:           pulumi.String("roles/viewer"),
			Member:         pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Healthcare.ConsentStoreIamMember("member", new()
    {
        Dataset = my_consent.Dataset,
        ConsentStoreId = my_consent.Name,
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.ConsentStoreIamMember;
import com.pulumi.gcp.healthcare.ConsentStoreIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new ConsentStoreIamMember("member", ConsentStoreIamMemberArgs.builder()
            .dataset(my_consent.dataset())
            .consentStoreId(my_consent.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:healthcare:ConsentStoreIamMember
    properties:
      dataset: ${["my-consent"].dataset}
      consentStoreId: ${["my-consent"].name}
      role: roles/viewer
      member: user:jane@example.com

The member property specifies a single identity to add (note the singular form, unlike the members array in ConsentStoreIamBinding). This resource is non-authoritative: it adds the specified member to the role without removing other members. Use this when you want to grant access incrementally without managing the complete member list.

Beyond these examples

These snippets focus on specific IAM binding features: role-based access control and authoritative vs non-authoritative member management. They’re intentionally minimal rather than full access control configurations.

The examples reference pre-existing infrastructure such as Healthcare datasets and consent stores. They focus on configuring IAM bindings rather than provisioning the underlying consent store infrastructure.

To keep things focused, common IAM patterns are omitted, including:

Conditional IAM bindings (condition property)
Full policy management (ConsentStoreIamPolicy)
Custom role definitions
Federated identity configuration

These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the ConsentStoreIamBinding resource reference for all available configuration options.

Let's manage GCP Cloud Healthcare Consent Store IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Conflicts & Compatibility

Can I use ConsentStoreIamPolicy with ConsentStoreIamBinding or ConsentStoreIamMember?

No, ConsentStoreIamPolicy cannot be used together with ConsentStoreIamBinding or ConsentStoreIamMember because they will conflict over the IAM policy. Use ConsentStoreIamPolicy alone for full policy control, or use ConsentStoreIamBinding and ConsentStoreIamMember without ConsentStoreIamPolicy.

Can I use ConsentStoreIamBinding and ConsentStoreIamMember together?

Yes, but only if they manage different roles. ConsentStoreIamBinding and ConsentStoreIamMember will conflict if they both grant privileges to the same role.

Choosing the Right IAM Resource

What's the difference between ConsentStoreIamPolicy, ConsentStoreIamBinding, and ConsentStoreIamMember?

ConsentStoreIamPolicy is authoritative and replaces the entire IAM policy. ConsentStoreIamBinding is authoritative for a specific role, updating the member list for that role while preserving other roles. ConsentStoreIamMember is non-authoritative, adding a single member to a role while preserving other members for that role.

When should I use ConsentStoreIamBinding vs ConsentStoreIamMember?

Use ConsentStoreIamBinding when you want to manage the complete list of members for a role. Use ConsentStoreIamMember when you want to add individual members without affecting other members for that role.

Configuration & Formatting

How do I format custom role names?

Custom roles must use the full name format: [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.

What member identity formats are supported?

Supported formats include user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, allUsers, allAuthenticatedUsers, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, and federated identities like principal://iam.googleapis.com/....

What properties are immutable after creation?

The consentStoreId, dataset, role, and condition properties are immutable and cannot be changed after the resource is created.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides