The gcp:healthcare/fhirStoreIamMember:FhirStoreIamMember resource, part of the Pulumi GCP provider, grants a single identity access to a Healthcare FHIR store by adding it to a specific IAM role. This guide focuses on one capability: non-authoritative single-member IAM grants.
This resource is non-authoritative, meaning it adds one member to one role without affecting other members or roles on the FHIR store. The FHIR store itself must already exist. The example is intentionally minimal. Combine it with FhirStoreIamBinding for multi-member grants or use FhirStoreIamPolicy for complete policy replacement.
Grant a single user access to a FHIR store
Most access control begins by granting individual users or service accounts specific roles. FhirStoreIamMember adds one member without changing existing permissions.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const fhirStore = new gcp.healthcare.FhirStoreIamMember("fhir_store", {
    fhirStoreId: "your-fhir-store-id",
    role: "roles/editor",
    member: "user:jane@example.com",
});
```

```python
import pulumi
import pulumi_gcp as gcp

fhir_store = gcp.healthcare.FhirStoreIamMember("fhir_store",
    fhir_store_id="your-fhir-store-id",
    role="roles/editor",
    member="user:jane@example.com")
```

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewFhirStoreIamMember(ctx, "fhir_store", &healthcare.FhirStoreIamMemberArgs{
			FhirStoreId: pulumi.String("your-fhir-store-id"),
			Role:        pulumi.String("roles/editor"),
			Member:      pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var fhirStore = new Gcp.Healthcare.FhirStoreIamMember("fhir_store", new()
    {
        FhirStoreId = "your-fhir-store-id",
        Role = "roles/editor",
        Member = "user:jane@example.com",
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.FhirStoreIamMember;
import com.pulumi.gcp.healthcare.FhirStoreIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var fhirStore = new FhirStoreIamMember("fhirStore", FhirStoreIamMemberArgs.builder()
            .fhirStoreId("your-fhir-store-id")
            .role("roles/editor")
            .member("user:jane@example.com")
            .build());
    }
}
```

```yaml
resources:
  fhirStore:
    type: gcp:healthcare:FhirStoreIamMember
    name: fhir_store
    properties:
      fhirStoreId: your-fhir-store-id
      role: roles/editor
      member: user:jane@example.com
```
The fhirStoreId property identifies the target FHIR store using the format {project_id}/{location}/{dataset}/{fhir_store}. The role property specifies the IAM role to grant (e.g., roles/editor). The member property identifies who receives access using formats like user:jane@example.com, serviceAccount:app@project.iam.gserviceaccount.com, or group:team@example.com. This resource is additive: it preserves other members with the same role and other roles on the FHIR store.
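Added example, not part of the Pulumi docs or the provider: a plain TypeScript pre-flight check that parses the fhirStoreId format above, classifies the member string into one of the accepted identity formats, and flags grants that would expose the store to public principals or hand out a basic role such as roles/editor. The function names and the policy it enforces are this example's own assumptions.

```typescript
// Added example (not Pulumi's code): checks on FhirStoreIamMember inputs, run
// before deployment so a public or overly broad grant on a store of health records is caught early.
type MemberKind = "allUsers" | "allAuthenticatedUsers" | "user" | "serviceAccount" | "group" | "domain";
interface FhirStoreRef { project: string; location: string; dataset: string; fhirStore: string; }
interface Grant { fhirStoreId: string; role: string; member: string; }

// Parse "{project_id}/{location}/{dataset}/{fhir_store}"; any other shape is rejected.
function parseFhirStoreId(id: string): FhirStoreRef {
  const parts = id.split("/");
  if (parts.length !== 4 || parts.some((p) => p.length === 0)) {
    throw new Error(`fhirStoreId must be {project_id}/{location}/{dataset}/{fhir_store}, got "${id}"`);
  }
  const [project, location, dataset, fhirStore] = parts;
  return { project, location, dataset, fhirStore };
}

const EMAIL_PREFIXES = new Set(["user", "serviceAccount", "group"]);
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const DOMAIN_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i;

// Classify a member string into one of the six identity formats the resource accepts.
function classifyMember(member: string): MemberKind {
  if (member === "allUsers" || member === "allAuthenticatedUsers") return member;
  const sep = member.indexOf(":");
  if (sep < 0) throw new Error(`member "${member}" lacks a type prefix such as "user:"`);
  const prefix = member.slice(0, sep);
  const value = member.slice(sep + 1);
  if (EMAIL_PREFIXES.has(prefix)) {
    if (!EMAIL_RE.test(value)) throw new Error(`${prefix} member needs an email address: "${member}"`);
    return prefix as MemberKind;
  }
  if (prefix === "domain") {
    if (!DOMAIN_RE.test(value)) throw new Error(`domain member needs a bare domain: "${member}"`);
    return "domain";
  }
  throw new Error(`unknown member prefix "${prefix}" in "${member}"`);
}

// Review one grant. Returns findings; an empty list means the grant passes this example's
// policy: no public principals, and no basic role (owner/editor/viewer) that reaches far beyond the store.
function reviewGrant(g: Grant): string[] {
  const findings: string[] = [];
  parseFhirStoreId(g.fhirStoreId); // a malformed id throws instead of passing silently
  const kind = classifyMember(g.member);
  if (kind === "allUsers" || kind === "allAuthenticatedUsers") findings.push(`public principal ${g.member} would expose the store`);
  if (["roles/owner", "roles/editor", "roles/viewer"].includes(g.role)) findings.push(`basic role ${g.role} grants far more than FHIR access`);
  return findings;
}
```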
Beyond these examples
This snippet focuses on single-member IAM grants. It’s intentionally minimal rather than a complete access control solution.
The example references pre-existing infrastructure such as a Healthcare FHIR store (referenced by fhirStoreId) and the Google Cloud project, location, and dataset. It focuses on granting access rather than provisioning the FHIR store itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Multiple members per role (use FhirStoreIamBinding)
- Complete policy replacement (use FhirStoreIamPolicy)
- Service account and group identities
These omissions are intentional: the goal is to illustrate how single-member IAM grants are wired, not provide drop-in access control modules. See the FhirStoreIamMember resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
FhirStoreIamPolicy is authoritative and replaces the entire IAM policy. FhirStoreIamBinding is authoritative for a specific role, preserving other roles. FhirStoreIamMember is non-authoritative, adding one member while preserving other members for that role.
FhirStoreIamPolicy cannot be used with FhirStoreIamBinding or FhirStoreIamMember because they will conflict over the policy configuration.
IAM Configuration
You can use six identity formats:
- allUsers - Anyone on the internet
- allAuthenticatedUsers - Anyone with a Google account
- user:{email} - Specific Google account (e.g., alice@gmail.com)
- serviceAccount:{email} - Service account (e.g., app@appspot.gserviceaccount.com)
- group:{email} - Google group (e.g., admins@example.com)
- domain:{domain} - G Suite domain (e.g., example.com)
Custom role names use the format [projects|organizations]/{parent-name}/roles/{role-name}.
Immutability & Lifecycle
The following properties are immutable: fhirStoreId, member, role, and condition. To change any of these, you must recreate the resource.