The gcp:healthcare/fhirStoreIamBinding:FhirStoreIamBinding resource, part of the Pulumi Google Cloud provider, manages IAM role bindings for Healthcare FHIR stores by controlling which identities have specific roles. This guide focuses on two capabilities: granting roles to multiple members and adding individual members to roles.
FhirStoreIamBinding is authoritative for a given role, meaning it replaces all members for that role. It can be used alongside FhirStoreIamMember (which adds individual members non-authoritatively) but cannot be combined with FhirStoreIamPolicy. The examples are intentionally small. Combine them with your own FHIR store infrastructure and identity management.
Grant a role to multiple members
Teams managing FHIR store access often need to grant the same role to multiple users, service accounts, or groups.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const fhirStore = new gcp.healthcare.FhirStoreIamBinding("fhir_store", {
fhirStoreId: "your-fhir-store-id",
role: "roles/editor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
fhir_store = gcp.healthcare.FhirStoreIamBinding("fhir_store",
fhir_store_id="your-fhir-store-id",
role="roles/editor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := healthcare.NewFhirStoreIamBinding(ctx, "fhir_store", &healthcare.FhirStoreIamBindingArgs{
FhirStoreId: pulumi.String("your-fhir-store-id"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var fhirStore = new Gcp.Healthcare.FhirStoreIamBinding("fhir_store", new()
{
FhirStoreId = "your-fhir-store-id",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.FhirStoreIamBinding;
import com.pulumi.gcp.healthcare.FhirStoreIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var fhirStore = new FhirStoreIamBinding("fhirStore", FhirStoreIamBindingArgs.builder()
.fhirStoreId("your-fhir-store-id")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
resources:
fhirStore:
type: gcp:healthcare:FhirStoreIamBinding
name: fhir_store
properties:
fhirStoreId: your-fhir-store-id
role: roles/editor
members:
- user:jane@example.com
The fhirStoreId property identifies the FHIR store using the format {project}/{location}/{dataset}/{store}. The role property specifies which role to grant (e.g., roles/editor). The members array lists all identities that should have this role; FhirStoreIamBinding replaces any existing members for this role with this exact list.
Add a single member to a role
When you need to grant access to one additional user without affecting other members, FhirStoreIamMember adds that user while preserving existing grants.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const fhirStore = new gcp.healthcare.FhirStoreIamMember("fhir_store", {
fhirStoreId: "your-fhir-store-id",
role: "roles/editor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
fhir_store = gcp.healthcare.FhirStoreIamMember("fhir_store",
fhir_store_id="your-fhir-store-id",
role="roles/editor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := healthcare.NewFhirStoreIamMember(ctx, "fhir_store", &healthcare.FhirStoreIamMemberArgs{
FhirStoreId: pulumi.String("your-fhir-store-id"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var fhirStore = new Gcp.Healthcare.FhirStoreIamMember("fhir_store", new()
{
FhirStoreId = "your-fhir-store-id",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.FhirStoreIamMember;
import com.pulumi.gcp.healthcare.FhirStoreIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var fhirStore = new FhirStoreIamMember("fhirStore", FhirStoreIamMemberArgs.builder()
.fhirStoreId("your-fhir-store-id")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
resources:
fhirStore:
type: gcp:healthcare:FhirStoreIamMember
name: fhir_store
properties:
fhirStoreId: your-fhir-store-id
role: roles/editor
member: user:jane@example.com
The member property (singular) specifies one identity to add to the role. Unlike FhirStoreIamBinding, this resource is non-authoritative: it adds the specified member without removing others who already have the role. Use this when you want to grant access incrementally rather than managing the complete member list.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and member identity formats. They’re intentionally minimal rather than full access management solutions.
The examples reference pre-existing infrastructure such as FHIR stores (by ID), and the Google Cloud project, location, and dataset hierarchy. They focus on configuring access rather than provisioning the FHIR store itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (FhirStoreIamPolicy)
- Custom role definitions
- Service account creation
These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the FhirStoreIamBinding resource reference for all available configuration options.
Let's manage GCP Healthcare FHIR Store IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Compatibility
FhirStoreIamPolicy is authoritative and replaces the entire IAM policy. FhirStoreIamBinding is authoritative for a specific role, preserving other roles. FhirStoreIamMember is non-authoritative, adding a single member while preserving other members for that role.FhirStoreIamPolicy cannot be used with FhirStoreIamBinding or FhirStoreIamMember because they will conflict over what the policy should be.Configuration & Formats
[projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.allUsers, allAuthenticatedUsers, user:{emailid}, serviceAccount:{emailid}, group:{emailid}, or domain:{domain}. For example: user:jane@example.com or serviceAccount:my-app@appspot.gserviceaccount.com.{project_id}/{location_name}/{dataset_name}/{fhir_store_name} or the shorter {location_name}/{dataset_name}/{fhir_store_name} (which uses your provider’s project setting as fallback).Immutability & Limitations
fhirStoreId, role, and condition properties are immutable and cannot be changed after creation.