The gcp:healthcare/fhirStoreIamMember:FhirStoreIamMember resource, part of the Pulumi GCP provider, grants IAM permissions to FHIR stores by adding individual members to roles without affecting other permissions. This guide focuses on three capabilities: incremental member grants (FhirStoreIamMember), authoritative role bindings (FhirStoreIamBinding), and complete policy replacement (FhirStoreIamPolicy).
These resources reference existing FHIR stores and Google Cloud identities. They differ in how they modify the IAM policy: FhirStoreIamMember adds one member incrementally, FhirStoreIamBinding replaces all members for a specific role, and FhirStoreIamPolicy replaces the entire policy. The examples are intentionally small. Combine them with your own FHIR store references and identity management strategy.
Grant a role to a single member incrementally
Most access control changes involve adding one user or service account without affecting other members who already have access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const fhirStore = new gcp.healthcare.FhirStoreIamMember("fhir_store", {
fhirStoreId: "your-fhir-store-id",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
fhir_store = gcp.healthcare.FhirStoreIamMember("fhir_store",
fhir_store_id="your-fhir-store-id",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := healthcare.NewFhirStoreIamMember(ctx, "fhir_store", &healthcare.FhirStoreIamMemberArgs{
FhirStoreId: pulumi.String("your-fhir-store-id"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var fhirStore = new Gcp.Healthcare.FhirStoreIamMember("fhir_store", new()
{
FhirStoreId = "your-fhir-store-id",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.FhirStoreIamMember;
import com.pulumi.gcp.healthcare.FhirStoreIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var fhirStore = new FhirStoreIamMember("fhirStore", FhirStoreIamMemberArgs.builder()
.fhirStoreId("your-fhir-store-id")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
fhirStore:
type: gcp:healthcare:FhirStoreIamMember
name: fhir_store
properties:
fhirStoreId: your-fhir-store-id
role: roles/editor
member: user:jane@example.com
The FhirStoreIamMember resource adds a single member to a role. The member property specifies the identity (user:, serviceAccount:, group:, or domain:), and the role property defines the permission level. Other members with the same role remain unchanged, making this the safest option for incremental grants.
Grant a role to multiple members at once
When onboarding a team or establishing group access, you can grant a role to multiple members in a single binding.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const fhirStore = new gcp.healthcare.FhirStoreIamBinding("fhir_store", {
fhirStoreId: "your-fhir-store-id",
role: "roles/editor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
fhir_store = gcp.healthcare.FhirStoreIamBinding("fhir_store",
fhir_store_id="your-fhir-store-id",
role="roles/editor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := healthcare.NewFhirStoreIamBinding(ctx, "fhir_store", &healthcare.FhirStoreIamBindingArgs{
FhirStoreId: pulumi.String("your-fhir-store-id"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var fhirStore = new Gcp.Healthcare.FhirStoreIamBinding("fhir_store", new()
{
FhirStoreId = "your-fhir-store-id",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.FhirStoreIamBinding;
import com.pulumi.gcp.healthcare.FhirStoreIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var fhirStore = new FhirStoreIamBinding("fhirStore", FhirStoreIamBindingArgs.builder()
.fhirStoreId("your-fhir-store-id")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
resources:
fhirStore:
type: gcp:healthcare:FhirStoreIamBinding
name: fhir_store
properties:
fhirStoreId: your-fhir-store-id
role: roles/editor
members:
- user:jane@example.com
The FhirStoreIamBinding resource sets the complete member list for a specific role. The members property takes an array of identities. This binding is authoritative for its role: it replaces any previous members for that role, but leaves other roles untouched. Use this when you want to manage all members for a role together.
Replace the entire IAM policy for a FHIR store
When migrating FHIR stores or establishing initial access control, teams sometimes need to set the complete IAM policy in one operation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/editor",
members: ["user:jane@example.com"],
}],
});
const fhirStore = new gcp.healthcare.FhirStoreIamPolicy("fhir_store", {
fhirStoreId: "your-fhir-store-id",
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/editor",
"members": ["user:jane@example.com"],
}])
fhir_store = gcp.healthcare.FhirStoreIamPolicy("fhir_store",
fhir_store_id="your-fhir-store-id",
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/editor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = healthcare.NewFhirStoreIamPolicy(ctx, "fhir_store", &healthcare.FhirStoreIamPolicyArgs{
FhirStoreId: pulumi.String("your-fhir-store-id"),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var fhirStore = new Gcp.Healthcare.FhirStoreIamPolicy("fhir_store", new()
{
FhirStoreId = "your-fhir-store-id",
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.healthcare.FhirStoreIamPolicy;
import com.pulumi.gcp.healthcare.FhirStoreIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/editor")
.members("user:jane@example.com")
.build())
.build());
var fhirStore = new FhirStoreIamPolicy("fhirStore", FhirStoreIamPolicyArgs.builder()
.fhirStoreId("your-fhir-store-id")
.policyData(admin.policyData())
.build());
}
}
resources:
fhirStore:
type: gcp:healthcare:FhirStoreIamPolicy
name: fhir_store
properties:
fhirStoreId: your-fhir-store-id
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/editor
members:
- user:jane@example.com
The FhirStoreIamPolicy resource replaces the entire IAM policy. The policyData property comes from getIAMPolicy, which defines all roles and members. This is authoritative: it removes any existing bindings not included in the policy. Use this for initial setup or when you need complete control over all permissions.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs incremental IAM management, and single-member and multi-member role grants. They’re intentionally minimal rather than full access control solutions.
The examples reference pre-existing infrastructure such as FHIR stores (by ID) and Google Cloud identities (users, service accounts, groups). They focus on granting permissions rather than provisioning the FHIR stores themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions and formatting
- IAM policy conflict resolution between resource types
These omissions are intentional: the goal is to illustrate how each IAM resource type modifies permissions, not provide drop-in access control modules. See the FHIR Store IAM Member resource reference for all available configuration options.
Let's manage GCP Healthcare FHIR Store IAM Access
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Compatibility
FhirStoreIamPolicy is authoritative and replaces the entire IAM policy. FhirStoreIamBinding is authoritative for a specific role but preserves other roles. FhirStoreIamMember is non-authoritative and preserves other members for the same role.FhirStoreIamPolicy cannot be used with FhirStoreIamBinding or FhirStoreIamMember, as they will conflict. However, FhirStoreIamBinding and FhirStoreIamMember can be used together only if they don’t grant privileges to the same role.FhirStoreIamPolicy if you need full control over the entire policy. Use FhirStoreIamBinding to manage all members for a specific role. Use FhirStoreIamMember to add individual members without affecting existing ones.Configuration & Formats
[projects|organizations]/{parent-name}/roles/{role-name}.allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, or domain:{domain}.{project_id}/{location_name}/{dataset_name}/{fhir_store_name} or {location_name}/{dataset_name}/{fhir_store_name}. The shorter format uses your provider’s project setting as a fallback.Beta & Provider Requirements
terraform-provider-google-beta provider.