The gcp:healthcare/fhirStoreIamBinding:FhirStoreIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Healthcare FHIR stores by controlling which members have specific roles. This guide focuses on two capabilities: authoritative role binding that replaces all members for a role, and non-authoritative member grants that add members without removing others.
FHIR store IAM resources reference an existing FHIR store by ID. FhirStoreIamBinding is authoritative for a single role, meaning it replaces the complete member list. It can work alongside FhirStoreIamMember for different roles, but cannot be used with FhirStoreIamPolicy, which replaces the entire policy. The examples are intentionally small. Combine them with your own FHIR store infrastructure and service accounts.
Grant a role to multiple members authoritatively
Teams managing FHIR store access often need to grant a specific role to a group of users or service accounts, ensuring that exactly the specified members have the role.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const fhirStore = new gcp.healthcare.FhirStoreIamBinding("fhir_store", {
    fhirStoreId: "your-fhir-store-id",
    role: "roles/editor",
    members: ["user:jane@example.com"],
});
```

```python
import pulumi
import pulumi_gcp as gcp

fhir_store = gcp.healthcare.FhirStoreIamBinding("fhir_store",
    fhir_store_id="your-fhir-store-id",
    role="roles/editor",
    members=["user:jane@example.com"])
```

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewFhirStoreIamBinding(ctx, "fhir_store", &healthcare.FhirStoreIamBindingArgs{
			FhirStoreId: pulumi.String("your-fhir-store-id"),
			Role:        pulumi.String("roles/editor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var fhirStore = new Gcp.Healthcare.FhirStoreIamBinding("fhir_store", new()
    {
        FhirStoreId = "your-fhir-store-id",
        Role = "roles/editor",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.FhirStoreIamBinding;
import com.pulumi.gcp.healthcare.FhirStoreIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var fhirStore = new FhirStoreIamBinding("fhirStore", FhirStoreIamBindingArgs.builder()
            .fhirStoreId("your-fhir-store-id")
            .role("roles/editor")
            .members("user:jane@example.com")
            .build());
    }
}
```

```yaml
resources:
  fhirStore:
    type: gcp:healthcare:FhirStoreIamBinding
    name: fhir_store
    properties:
      fhirStoreId: your-fhir-store-id
      role: roles/editor
      members:
        - user:jane@example.com
```
The fhirStoreId property identifies the FHIR store using the format {project_id}/{location}/{dataset}/{fhir_store}. The role property specifies which IAM role to grant. The members array lists all identities that should have this role; FhirStoreIamBinding removes any other members who previously had the role but aren’t in this list.
Add a single member to a role non-authoritatively
When multiple teams manage access to the same FHIR store, non-authoritative grants prevent conflicts by adding members without removing others.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const fhirStore = new gcp.healthcare.FhirStoreIamMember("fhir_store", {
    fhirStoreId: "your-fhir-store-id",
    role: "roles/editor",
    member: "user:jane@example.com",
});
```

```python
import pulumi
import pulumi_gcp as gcp

fhir_store = gcp.healthcare.FhirStoreIamMember("fhir_store",
    fhir_store_id="your-fhir-store-id",
    role="roles/editor",
    member="user:jane@example.com")
```

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewFhirStoreIamMember(ctx, "fhir_store", &healthcare.FhirStoreIamMemberArgs{
			FhirStoreId: pulumi.String("your-fhir-store-id"),
			Role:        pulumi.String("roles/editor"),
			Member:      pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var fhirStore = new Gcp.Healthcare.FhirStoreIamMember("fhir_store", new()
    {
        FhirStoreId = "your-fhir-store-id",
        Role = "roles/editor",
        Member = "user:jane@example.com",
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.FhirStoreIamMember;
import com.pulumi.gcp.healthcare.FhirStoreIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var fhirStore = new FhirStoreIamMember("fhirStore", FhirStoreIamMemberArgs.builder()
            .fhirStoreId("your-fhir-store-id")
            .role("roles/editor")
            .member("user:jane@example.com")
            .build());
    }
}
```

```yaml
resources:
  fhirStore:
    type: gcp:healthcare:FhirStoreIamMember
    name: fhir_store
    properties:
      fhirStoreId: your-fhir-store-id
      role: roles/editor
      member: user:jane@example.com
```
FhirStoreIamMember uses member (singular) instead of members (plural). It adds the specified identity to the role without affecting other members. This is the alternative to FhirStoreIamBinding when multiple Pulumi stacks or resources need to grant the same role to different users.
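A plan-time check for the two semantics described above (authoritative FhirStoreIamBinding and non-authoritative FhirStoreIamMember), as an added TypeScript example that is not part of the Pulumi docs or provider: it validates fhirStoreId and member formats as the page lists them, flags public principals, and previews which current role holders an authoritative binding would remove versus the union a member grant produces. The current-holder list and the store id are constructed sample data; treating allUsers and allAuthenticatedUsers as "public" is this example's own policy choice.

```typescript
// Added example, not from the Pulumi docs or provider: checks to run on the
// intended IAM inputs before `pulumi up`. Member prefixes and fhirStoreId
// forms are the ones the page lists; the "public" set is this example's choice.
interface BindingPlan { fhirStoreId: string; role: string; members: string[]; }

const PUBLIC_PRINCIPALS = ["allUsers", "allAuthenticatedUsers"];
const MEMBER_PREFIXES = ["user:", "serviceAccount:", "group:", "domain:"];

function has(list: string[], item: string): boolean { return list.indexOf(item) >= 0; }

// Accepts {project_id}/{location}/{dataset}/{fhir_store} or the 3-part form that
// falls back to the provider's project; rejects empty segments and placeholders.
function isValidFhirStoreId(id: string): boolean {
  const parts = id.split("/");
  return (parts.length === 3 || parts.length === 4) &&
    parts.every(function (p) { return p.length > 0; });
}

// Members that match none of the documented identity forms (e.g. a bare e-mail).
function invalidMembers(members: string[]): string[] {
  return members.filter(function (m) {
    if (has(PUBLIC_PRINCIPALS, m)) { return false; }
    return !MEMBER_PREFIXES.some(function (p) { return m.indexOf(p) === 0 && m.length > p.length; });
  });
}

// allUsers / allAuthenticatedUsers on a store that holds PHI is almost always a mistake.
function publicMembers(members: string[]): string[] {
  return members.filter(function (m) { return has(PUBLIC_PRINCIPALS, m); });
}

// Authoritative semantics (FhirStoreIamBinding): after apply exactly plan.members
// hold the role. Returns the current holders the binding would silently remove.
function bindingWouldRemove(currentHolders: string[], plan: BindingPlan): string[] {
  return currentHolders.filter(function (m) { return !has(plan.members, m); });
}

// Non-authoritative semantics (FhirStoreIamMember): union, nothing is removed.
function memberResult(currentHolders: string[], member: string): string[] {
  return has(currentHolders, member) ? currentHolders.slice() : currentHolders.concat([member]);
}

// Constructed sample data: who holds roles/editor today, and what the stack declares.
const CURRENT_EDITORS = ["user:jane@example.com", "serviceAccount:etl@my-project.iam.gserviceaccount.com"];
const PLAN: BindingPlan = {
  fhirStoreId: "my-project/us-central1/clinical-ds/fhir-prod",
  role: "roles/editor",
  members: ["user:jane@example.com", "group:clinicians@example.com", "allUsers"],
};
```

Running bindingWouldRemove against PLAN shows the ETL service account would lose roles/editor, which is the kind of silent removal that breaks a pipeline when a team switches from FhirStoreIamMember to FhirStoreIamBinding without reconciling the member list.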
Beyond these examples
These snippets focus on specific IAM binding features: authoritative role binding and non-authoritative member grants. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as a FHIR store that must exist in the format {project_id}/{location}/{dataset}/{fhir_store}. They focus on configuring IAM bindings rather than provisioning the FHIR store itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Full policy replacement (FhirStoreIamPolicy)
- Custom role definitions
- Service account creation
These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the FHIR Store IAM Binding resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Compatibility
FhirStoreIamPolicy is authoritative and replaces the entire IAM policy. FhirStoreIamBinding is authoritative for a specific role, preserving other roles. FhirStoreIamMember is non-authoritative, adding a single member to a role without affecting other members.
FhirStoreIamPolicy cannot be used with FhirStoreIamBinding or FhirStoreIamMember because they will conflict over the policy.
Configuration & Identity Management
Accepted member identity formats: allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, or domain:{domain} (G Suite primary domain).
Custom role format: [projects|organizations]/{parent-name}/roles/{role-name}.
fhirStoreId formats: {project_id}/{location}/{dataset}/{fhir_store} or {location}/{dataset}/{fhir_store} (the provider’s project setting is used as fallback in the second form).
Immutability & Updates
fhirStoreId, role, and condition are all immutable and require resource replacement if changed.