The gcp:healthcare/hl7StoreIamBinding:Hl7StoreIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Healthcare HL7v2 stores. The resource is authoritative for a single role: on every apply it sets that role's member list to exactly the members you declare, preserving the bindings of other roles but removing any member of that role who was granted it outside Pulumi. This guide focuses on two capabilities: granting a role to multiple members with Hl7StoreIamBinding, and adding individual members with the companion Hl7StoreIamMember resource.
This resource manages access to existing HL7v2 stores within Healthcare datasets. The examples are intentionally small. Combine them with your own HL7v2 store infrastructure and identity management.
Grant a role to multiple members
Healthcare applications often need to grant the same role to several users or service accounts, such as giving a team editor access to an HL7v2 store. The members property takes a list; the example below declares a single member, and you extend that list to grant the role to more principals. Because the binding is authoritative, the list is the complete set of principals that will hold the role after the apply.
// TypeScript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const hl7V2Store = new gcp.healthcare.Hl7StoreIamBinding("hl7_v2_store", {
    hl7V2StoreId: "your-hl7-v2-store-id", // replace with {project_id}/{location}/{dataset}/{hl7_v2_store}
    role: "roles/editor",
    // Complete member list for this role; extend it to grant more principals.
    members: ["user:jane@example.com"],
});
# Python
import pulumi
import pulumi_gcp as gcp
hl7_v2_store = gcp.healthcare.Hl7StoreIamBinding("hl7_v2_store",
    hl7_v2_store_id="your-hl7-v2-store-id",  # replace with {project_id}/{location}/{dataset}/{hl7_v2_store}
    role="roles/editor",
    # Complete member list for this role; extend it to grant more principals.
    members=["user:jane@example.com"])
// Go
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := healthcare.NewHl7StoreIamBinding(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamBindingArgs{
Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
Role: pulumi.String("roles/editor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
// C#
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamBinding("hl7_v2_store", new()
{
Hl7V2StoreId = "your-hl7-v2-store-id",
Role = "roles/editor",
Members = new[]
{
"user:jane@example.com",
},
});
});
// Java
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.healthcare.Hl7StoreIamBinding;
import com.pulumi.gcp.healthcare.Hl7StoreIamBindingArgs;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var hl7V2Store = new Hl7StoreIamBinding("hl7V2Store", Hl7StoreIamBindingArgs.builder()
.hl7V2StoreId("your-hl7-v2-store-id")
.role("roles/editor")
.members("user:jane@example.com")
.build());
}
}
# YAML
resources:
hl7V2Store:
type: gcp:healthcare:Hl7StoreIamBinding
name: hl7_v2_store
properties:
hl7V2StoreId: your-hl7-v2-store-id
role: roles/editor
members:
- user:jane@example.com
The hl7V2StoreId property identifies the target store in the form {project_id}/{location}/{dataset}/{hl7_v2_store}; the placeholder your-hl7-v2-store-id above stands in for that path and is not itself a valid value. The role property specifies which IAM role to grant, and members lists every identity that receives it. This binding is authoritative for the specified role: it replaces any existing members for that role while leaving other roles untouched, so anyone who was granted the role by hand in the console or by another tool is removed on the next apply. Treat the role as a least-privilege decision as well: roles/editor is a basic role that bundles broad permissions, and for a store-level grant the Healthcare-specific roles (roles/healthcare.hl7V2StoreViewer, roles/healthcare.hl7V2StoreEditor, and their siblings) are the narrower fit for data that usually contains PHI.
Add a single member to a role
When onboarding individual users or service accounts, you can add them to a role without affecting the other members of that role.
// TypeScript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const hl7V2Store = new gcp.healthcare.Hl7StoreIamMember("hl7_v2_store", {
    hl7V2StoreId: "your-hl7-v2-store-id", // replace with {project_id}/{location}/{dataset}/{hl7_v2_store}
    role: "roles/editor",
    member: "user:jane@example.com", // a single principal; existing members of the role are kept
});
# Python
import pulumi
import pulumi_gcp as gcp
hl7_v2_store = gcp.healthcare.Hl7StoreIamMember("hl7_v2_store",
    hl7_v2_store_id="your-hl7-v2-store-id",  # replace with {project_id}/{location}/{dataset}/{hl7_v2_store}
    role="roles/editor",
    member="user:jane@example.com")  # a single principal; existing members of the role are kept
// Go
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/healthcare"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := healthcare.NewHl7StoreIamMember(ctx, "hl7_v2_store", &healthcare.Hl7StoreIamMemberArgs{
Hl7V2StoreId: pulumi.String("your-hl7-v2-store-id"),
Role: pulumi.String("roles/editor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
// C#
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var hl7V2Store = new Gcp.Healthcare.Hl7StoreIamMember("hl7_v2_store", new()
{
Hl7V2StoreId = "your-hl7-v2-store-id",
Role = "roles/editor",
Member = "user:jane@example.com",
});
});
// Java
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.gcp.healthcare.Hl7StoreIamMember;
import com.pulumi.gcp.healthcare.Hl7StoreIamMemberArgs;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var hl7V2Store = new Hl7StoreIamMember("hl7V2Store", Hl7StoreIamMemberArgs.builder()
.hl7V2StoreId("your-hl7-v2-store-id")
.role("roles/editor")
.member("user:jane@example.com")
.build());
}
}
# YAML
resources:
hl7V2Store:
type: gcp:healthcare:Hl7StoreIamMember
name: hl7_v2_store
properties:
hl7V2StoreId: your-hl7-v2-store-id
role: roles/editor
member: user:jane@example.com
The Hl7StoreIamMember resource adds a single identity to a role non-authoritatively. Unlike Hl7StoreIamBinding, it preserves the other members who already hold the role. Use member (singular) instead of members (plural) to specify the one identity. This approach works well for incremental access grants where you don't want to own the complete member list. Do not manage the same role on the same store with both resource types: the binding reasserts its full member list on every apply and drops whoever the member resource added, and the two resources then undo each other on every run. Binding and member resources can coexist on one store only when they target different roles.
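To make the authoritative/non-authoritative distinction concrete, here is an added example that is not part of the Pulumi provider or this page's own code: a dependency-free TypeScript model of the IAM policy operations behind Hl7StoreIamPolicy, Hl7StoreIamBinding and Hl7StoreIamMember (the Pulumi SDK is not used, so it runs with plain ts-node). It walks a constructed starting policy through each resource type and shows the conflict, also described in the FAQ below, that arises when a binding and a member manage the same role. The principals are placeholders; the two role names are the predefined Healthcare HL7v2 store roles, used here only as sample values.

```typescript
// Added example; not code from the Pulumi GCP provider or its documentation.
// Models, without the Pulumi SDK, how Hl7StoreIamPolicy, Hl7StoreIamBinding and
// Hl7StoreIamMember each rewrite a store's IAM policy. Principals are constructed.

interface Binding { role: string; members: string[] }
type Policy = Binding[];

// Canonical form: drop empty bindings, de-duplicate and sort members, sort roles,
// so two policies that grant the same access compare equal.
function normalize(policy: Policy): Policy {
  return policy
    .filter(b => b.members.length > 0)
    .map(b => ({
      role: b.role,
      members: b.members.filter((m, i) => b.members.indexOf(m) === i).sort(),
    }))
    .sort((a, b) => a.role.localeCompare(b.role));
}

function membersOf(policy: Policy, role: string): string[] {
  for (const b of policy) if (b.role === role) return b.members;
  return [];
}

// Hl7StoreIamPolicy: authoritative for the whole policy. The current policy is discarded.
function applyPolicy(_current: Policy, desired: Policy): Policy {
  return normalize(desired);
}

// Hl7StoreIamBinding: authoritative for one role. That role's member list is replaced
// outright (members granted out of band disappear); every other role is left alone.
function applyBinding(current: Policy, role: string, members: string[]): Policy {
  const others = current.filter(b => b.role !== role);
  return normalize(others.concat([{ role, members }]));
}

// Hl7StoreIamMember: non-authoritative. One principal is added to the role; nothing else changes.
function applyMember(current: Policy, role: string, member: string): Policy {
  return applyBinding(current, role, membersOf(current, role).concat([member]));
}

const EDITOR = "roles/healthcare.hl7V2StoreEditor";
const VIEWER = "roles/healthcare.hl7V2StoreViewer";

// Walk the three resources over a constructed starting policy (sample principals).
function walkthrough() {
  const start: Policy = normalize([
    { role: EDITOR, members: ["user:alice@example.com", "user:bob@example.com"] },
    { role: VIEWER, members: ["group:analysts@example.com"] },
  ]);
  // Hl7StoreIamBinding for EDITOR listing only jane: alice and bob lose the role.
  const afterBinding = applyBinding(start, EDITOR, ["user:jane@example.com"]);
  // Hl7StoreIamMember adds carol to EDITOR and leaves jane in place.
  const afterMember = applyMember(afterBinding, EDITOR, "user:carol@example.com");
  // Next `pulumi up`: the binding reasserts its list and carol is gone again; the
  // member resource would re-add her on the following run. This is the conflict that
  // occurs when both resource types manage the same role.
  const afterReapply = applyBinding(afterMember, EDITOR, ["user:jane@example.com"]);
  // Hl7StoreIamPolicy that mentions only VIEWER wipes the EDITOR grants entirely.
  const afterPolicy = applyPolicy(afterReapply, [
    { role: VIEWER, members: ["group:analysts@example.com"] },
  ]);
  return { start, afterBinding, afterMember, afterReapply, afterPolicy };
}
```

Call walkthrough() and inspect membersOf(stage, EDITOR) at each stage: the binding step removes alice and bob even though no resource ever referenced them, which is exactly what happens to console-granted access on the first pulumi up of an authoritative binding.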
Beyond these examples
These snippets focus on two IAM features: authoritative per-role bindings and non-authoritative single-member grants. They're intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as HL7v2 stores in Healthcare datasets. They focus on configuring access rather than provisioning the stores themselves.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Policy-level management (Hl7StoreIamPolicy)
- Custom role definitions
- Service account creation and management
These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the Hl7StoreIamBinding resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
- Hl7StoreIamPolicy is authoritative for the entire IAM policy and replaces any existing policy. Hl7StoreIamBinding is authoritative for a specific role, updating members for that role while preserving other roles. Hl7StoreIamMember is non-authoritative, adding a single member to a role while preserving other members.
- Hl7StoreIamPolicy cannot be used with Hl7StoreIamBinding or Hl7StoreIamMember because they will conflict over policy management. Choose one approach: use Hl7StoreIamPolicy alone for full control, or use Hl7StoreIamBinding/Hl7StoreIamMember for granular management, never pointing a binding and a member at the same role.
Configuration & Identity Management
- Supported member formats: allUsers (anyone on the internet), allAuthenticatedUsers (anyone with a Google account), user:{email} (a specific Google account), serviceAccount:{email} (a service account), group:{email} (a Google group), or domain:{domain} (a Google Workspace, formerly G Suite, domain). allUsers and allAuthenticatedUsers make the store's contents public and have no place on a store that holds patient data.
- Custom roles are referenced as [projects|organizations]/{parent-name}/roles/{role-name}.
- hl7V2StoreId also accepts the short {location}/{dataset}/{store} form instead of the full {project_id}/{location}/{dataset}/{store} path. The provider's project setting is then used as a fallback for the project ID.
Immutability & Limitations
- The hl7V2StoreId, role, and condition properties are immutable: changing any of them after creation makes Pulumi replace the resource rather than update it in place.
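The member, role and store ID formats above are easy to get wrong silently: a malformed value fails only at apply time, and an over-broad one never fails at all. The following is an added example, not code from the Pulumi provider or its documentation: a small TypeScript lint you can run over the argument objects before handing them to Hl7StoreIamBinding or Hl7StoreIamMember. It checks the structural shape of hl7V2StoreId, role and each member, and flags the grants a reviewer would push back on, namely public principals and the basic roles. The project, dataset, store and account names in the samples are constructed placeholders, and the store ID check validates segment count and characters only, not that the resources exist.

```typescript
// Added example; not part of the Pulumi GCP provider or its docs. Pre-deploy lint for
// the arguments of Hl7StoreIamBinding / Hl7StoreIamMember. Sample values are constructed.

interface IamGrantArgs {
  hl7V2StoreId: string;
  role: string;
  members: string[]; // use a one-element array for Hl7StoreIamMember
}

interface LintResult { errors: string[]; warnings: string[] }

// Accepts {project}/{location}/{dataset}/{store} or the short {location}/{dataset}/{store}.
// Structural check only (segment count, allowed characters), not a full GCP ID validator.
function checkStoreId(id: string, out: LintResult): void {
  const parts = id.split("/");
  const ok = (parts.length === 3 || parts.length === 4) && parts.every(p => /^[A-Za-z0-9_.-]+$/.test(p));
  if (!ok) {
    out.errors.push(`hl7V2StoreId "${id}" must be {project}/{location}/{dataset}/{store} or {location}/{dataset}/{store}`);
  } else if (parts.length === 3) {
    out.warnings.push(`hl7V2StoreId "${id}" is in short form; the provider's project setting supplies the project`);
  }
}

const PREDEFINED_ROLE = /^roles\/[A-Za-z0-9_.]+$/;
const CUSTOM_ROLE = /^(projects|organizations)\/[^/]+\/roles\/[A-Za-z0-9_.]+$/;
const BASIC_ROLES = ["roles/owner", "roles/editor", "roles/viewer"];

function checkRole(role: string, out: LintResult): void {
  if (!PREDEFINED_ROLE.test(role) && !CUSTOM_ROLE.test(role)) {
    out.errors.push(`role "${role}" is neither roles/{name} nor [projects|organizations]/{parent}/roles/{name}`);
  } else if (BASIC_ROLES.indexOf(role) !== -1) {
    out.warnings.push(`role "${role}" is a basic role; prefer a store-scoped role such as roles/healthcare.hl7V2StoreEditor`);
  }
}

const PRINCIPAL = /^(user|serviceAccount|group):[^@\s/]+@[^@\s/]+$/;
const DOMAIN = /^domain:[A-Za-z0-9.-]+$/;
const PUBLIC = ["allUsers", "allAuthenticatedUsers"];

function checkMembers(members: string[], out: LintResult): void {
  if (members.length === 0) out.errors.push("members must list at least one principal");
  const seen: { [m: string]: boolean } = {};
  for (const m of members) {
    if (seen[m]) out.warnings.push(`duplicate member "${m}"`);
    seen[m] = true;
    if (PUBLIC.indexOf(m) !== -1) {
      out.warnings.push(`"${m}" grants the role to the public; not appropriate for an HL7v2 store`);
    } else if (!PRINCIPAL.test(m) && !DOMAIN.test(m)) {
      out.errors.push(`member "${m}" is not a recognised principal format`);
    }
  }
}

// Run every check; a non-empty errors list means the grant should not be applied.
function lintGrant(args: IamGrantArgs): LintResult {
  const out: LintResult = { errors: [], warnings: [] };
  checkStoreId(args.hl7V2StoreId, out);
  checkRole(args.role, out);
  checkMembers(args.members, out);
  return out;
}

// The page's placeholder store ID and roles/editor, exactly as written: one error, one warning.
const AS_ON_PAGE: IamGrantArgs = {
  hl7V2StoreId: "your-hl7-v2-store-id",
  role: "roles/editor",
  members: ["user:jane@example.com"],
};

// A tightened grant with constructed identifiers: full resource path, store-scoped role.
const TIGHTENED: IamGrantArgs = {
  hl7V2StoreId: "my-project/us-central1/clinical-dataset/adt-feed",
  role: "roles/healthcare.hl7V2StoreEditor",
  members: ["user:jane@example.com", "serviceAccount:hl7-ingest@my-project.iam.gserviceaccount.com"],
};
```

Wire lintGrant into the program that builds the args (or into a CI step that reads them from config) and fail the run on any error; treat warnings as review items, since a basic role or a public principal on a store of clinical messages is a finding, not a style nit.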