The gcp:healthcare/hl7StoreIamMember:Hl7StoreIamMember resource, part of the Pulumi GCP provider, grants IAM roles to individual identities on HL7v2 stores without affecting other role assignments. This guide focuses on two capabilities: single-member role grants and multi-member role bindings.
IAM resources reference existing HL7v2 stores created via gcp.healthcare.Hl7Store and require the Healthcare API to be enabled in your project. The examples are intentionally small. Combine them with your own HL7v2 store infrastructure and identity management.
Grant a role to a single member
Most IAM configurations start by granting a specific role to one identity, preserving existing assignments for other members.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const hl7V2Store = new gcp.healthcare.Hl7StoreIamMember("hl7_v2_store", {
    hl7V2StoreId: "your-hl7-v2-store-id",
    role: "roles/editor",
    member: "user:jane@example.com",
});
```

```python
import pulumi
import pulumi_gcp as gcp

hl7_v2_store = gcp.healthcare.Hl7StoreIamMember("hl7_v2_store",
    hl7_v2_store_id="your-hl7-v2-store-id",
    role="roles/editor",
    member="user:jane@example.com")
```

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewHl7StoreIamMember(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamMemberArgs{
			Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
			Role:         pulumi.String("roles/editor"),
			Member:       pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamMember("hl7_v2_store", new()
    {
        Hl7V2StoreId = "your-hl7-v2-store-id",
        Role = "roles/editor",
        Member = "user:jane@example.com",
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.Hl7StoreIamMember;
import com.pulumi.gcp.healthcare.Hl7StoreIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var hl7V2Store = new Hl7StoreIamMember("hl7V2Store", Hl7StoreIamMemberArgs.builder()
            .hl7V2StoreId("your-hl7-v2-store-id")
            .role("roles/editor")
            .member("user:jane@example.com")
            .build());
    }
}
```

```yaml
resources:
  hl7V2Store:
    type: gcp:healthcare:Hl7StoreIamMember
    name: hl7_v2_store
    properties:
      hl7V2StoreId: your-hl7-v2-store-id
      role: roles/editor
      member: user:jane@example.com
```
The member property specifies a single identity using the format user:{email}, serviceAccount:{email}, group:{email}, or special identifiers like allUsers. The role property defines the permission level. This resource is non-authoritative: it adds the member to the role without removing others.
Grant a role to multiple members at once
When multiple identities need the same role, binding them together ensures they’re managed as a group.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const hl7V2Store = new gcp.healthcare.Hl7StoreIamBinding("hl7_v2_store", {
    hl7V2StoreId: "your-hl7-v2-store-id",
    role: "roles/editor",
    members: ["user:jane@example.com"],
});
```

```python
import pulumi
import pulumi_gcp as gcp

hl7_v2_store = gcp.healthcare.Hl7StoreIamBinding("hl7_v2_store",
    hl7_v2_store_id="your-hl7-v2-store-id",
    role="roles/editor",
    members=["user:jane@example.com"])
```

```go
package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := healthcare.NewHl7StoreIamBinding(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamBindingArgs{
			Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
			Role:         pulumi.String("roles/editor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
```

```csharp
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamBinding("hl7_v2_store", new()
    {
        Hl7V2StoreId = "your-hl7-v2-store-id",
        Role = "roles/editor",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });
});
```

```java
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.healthcare.Hl7StoreIamBinding;
import com.pulumi.gcp.healthcare.Hl7StoreIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var hl7V2Store = new Hl7StoreIamBinding("hl7V2Store", Hl7StoreIamBindingArgs.builder()
            .hl7V2StoreId("your-hl7-v2-store-id")
            .role("roles/editor")
            .members("user:jane@example.com")
            .build());
    }
}
```

```yaml
resources:
  hl7V2Store:
    type: gcp:healthcare:Hl7StoreIamBinding
    name: hl7_v2_store
    properties:
      hl7V2StoreId: your-hl7-v2-store-id
      role: roles/editor
      members:
        - user:jane@example.com
```
The members property accepts a list of identities, all receiving the same role. This uses Hl7StoreIamBinding, which is authoritative for the specified role: it replaces any existing members for that role while preserving other roles on the store.
Beyond these examples
These snippets focus on HL7v2 store IAM features: single-member and multi-member role grants. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as HL7v2 stores (created via gcp.healthcare.Hl7Store) and Google Cloud projects with Healthcare API enabled. They focus on granting access rather than provisioning the underlying healthcare infrastructure.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (Hl7StoreIamPolicy resource)
- Custom role definitions
These omissions are intentional: the goal is to illustrate how IAM grants are wired to HL7v2 stores, not to provide drop-in access control modules. See the Hl7StoreIamMember resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
Hl7StoreIamPolicy cannot be used with Hl7StoreIamBinding or Hl7StoreIamMember as they will conflict. However, Hl7StoreIamBinding and Hl7StoreIamMember can be used together only if they don’t grant the same role.

Hl7StoreIamPolicy is fully authoritative and replaces the entire IAM policy. Hl7StoreIamBinding is authoritative for a specific role, preserving other roles. Hl7StoreIamMember is non-authoritative, adding a single member while preserving other members for that role.

Using Hl7StoreIamPolicy together with Hl7StoreIamBinding or Hl7StoreIamMember causes them to fight over policy control. Use either IamPolicy alone, or combine IamBinding/IamMember for different roles.

Configuration & Identity Management
- Accepted member identifiers: allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, or domain:{domain}.
- Custom role references: [projects|organizations]/{parent-name}/roles/{role-name}.
- HL7v2 store identifiers (hl7V2StoreId): {project_id}/{location}/{dataset}/{store} or the short form {location}/{dataset}/{store}, which uses your provider’s project setting as a fallback.
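The non-authoritative versus authoritative semantics explained under the single-member and multi-member sections, and the conflict rules in the FAQ above, are easy to get wrong in a program that mixes resource kinds for one store. The following is an added illustration, not Pulumi or Google code: it models a store's IAM policy as a role-to-members map, applies the three resource kinds with the semantics this page describes, validates member identifiers against the formats listed, and flags the combinations the FAQ says conflict. The class and function names (IamResource, apply, conflicts, valid_member) and the sample policy are assumptions made for this example.

```python
"""Simulate the HL7v2-store IAM semantics described on this page.

Added illustration, not Pulumi or Google code. A policy is modelled as
{role: set(members)}. Hl7StoreIamMember adds to a role (non-authoritative),
Hl7StoreIamBinding replaces one role's members (authoritative for that role),
Hl7StoreIamPolicy replaces the whole policy (fully authoritative).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Member identifier formats listed on the page.
_SPECIAL_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
_MEMBER_RE = re.compile(r"(user|serviceAccount|group):[^@\s]+@[^@\s]+|domain:\S+")


def valid_member(member: str) -> bool:
    """True if `member` uses one of the identifier formats the page lists."""
    return member in _SPECIAL_MEMBERS or _MEMBER_RE.fullmatch(member) is not None


@dataclass
class IamResource:
    """One planned IAM resource for a single HL7v2 store (hypothetical model)."""
    kind: str                                      # "Member", "Binding" or "Policy"
    role: Optional[str] = None                     # role for Member/Binding
    members: Tuple[str, ...] = ()                  # members for Member/Binding
    policy: Optional[Dict[str, Set[str]]] = None   # full policy for Policy


def apply(policy: Dict[str, Set[str]], res: IamResource) -> Dict[str, Set[str]]:
    """Return a new policy after applying `res`; the input policy is not modified."""
    new = {role: set(members) for role, members in policy.items()}
    if res.kind == "Member":
        # Non-authoritative: add members to the role, keep everything else.
        new.setdefault(res.role, set()).update(res.members)
    elif res.kind == "Binding":
        # Authoritative for this role only: replace its members, keep other roles.
        new[res.role] = set(res.members)
    elif res.kind == "Policy":
        # Authoritative for the whole policy: any role not listed is dropped.
        new = {role: set(members) for role, members in (res.policy or {}).items()}
    else:
        raise ValueError(f"unknown resource kind {res.kind!r}")
    return new


def conflicts(resources: List[IamResource]) -> List[str]:
    """List the combinations the FAQ warns about, plus malformed member identifiers."""
    problems: List[str] = []
    kinds = {r.kind for r in resources}
    if "Policy" in kinds and kinds & {"Binding", "Member"}:
        problems.append("Hl7StoreIamPolicy cannot be combined with Hl7StoreIamBinding or Hl7StoreIamMember")
    binding_roles = {r.role for r in resources if r.kind == "Binding"}
    for r in resources:
        if r.kind == "Member" and r.role in binding_roles:
            problems.append(f"Hl7StoreIamMember and Hl7StoreIamBinding both grant {r.role}; they will conflict")
        for m in r.members:
            if not valid_member(m):
                problems.append(f"{m!r} is not a valid member identifier")
    return problems


if __name__ == "__main__":
    # Constructed starting policy for a store (sample data, not a real project).
    current = {"roles/editor": {"user:alice@example.com"},
               "roles/viewer": {"group:analysts@example.com"}}
    member = IamResource("Member", "roles/editor", ("user:jane@example.com",))
    binding = IamResource("Binding", "roles/editor", ("user:jane@example.com",))
    print("after Member :", apply(current, member))    # alice and jane both keep roles/editor
    print("after Binding:", apply(current, binding))   # only jane has roles/editor; roles/viewer untouched
    print("conflicts    :", conflicts([member, binding]))
```

Running the check over the resources a program declares for one store, before `pulumi up`, surfaces the case the FAQ describes: a Binding on the same role as a Member silently removes the Member's grant on the next apply. The identifier check is syntactic only; allUsers and allAuthenticatedUsers pass it, so whether a public grant belongs on a store of clinical messages remains a separate review question.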