Manage GCP Identity-Aware Proxy IAM Bindings

The gcp:iap/appEngineVersionIamBinding:AppEngineVersionIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Identity-Aware Proxy protected App Engine versions. This resource controls which identities can access specific application versions. This guide focuses on three capabilities: authoritative role bindings for multiple members, time-based access with IAM Conditions, and non-authoritative member grants.

IAM bindings reference existing App Engine versions that must be deployed and IAP-enabled. The examples are intentionally small. Combine them with your own App Engine infrastructure and identity management strategy.

Grant a role to multiple members with IamBinding

Teams managing IAP access often grant the same role to multiple users or service accounts at once, maintaining authoritative control over who has that specific role.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.iap.AppEngineVersionIamBinding("binding", {
    project: version.project,
    appId: version.project,
    service: version.service,
    versionId: version.versionId,
    role: "roles/iap.httpsResourceAccessor",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineVersionIamBinding("binding",
    project=version["project"],
    app_id=version["project"],
    service=version["service"],
    version_id=version["versionId"],
    role="roles/iap.httpsResourceAccessor",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Iap.AppEngineVersionIamBinding("binding", new()
    {
        Project = version.Project,
        AppId = version.Project,
        Service = version.Service,
        VersionId = version.VersionId,
        Role = "roles/iap.httpsResourceAccessor",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.AppEngineVersionIamBinding;
import com.pulumi.gcp.iap.AppEngineVersionIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new AppEngineVersionIamBinding("binding", AppEngineVersionIamBindingArgs.builder()
            .project(version.project())
            .appId(version.project())
            .service(version.service())
            .versionId(version.versionId())
            .role("roles/iap.httpsResourceAccessor")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:iap:AppEngineVersionIamBinding
    properties:
      project: ${version.project}
      appId: ${version.project}
      service: ${version.service}
      versionId: ${version.versionId}
      role: roles/iap.httpsResourceAccessor
      members:
        - user:jane@example.com

The IamBinding resource is authoritative for the specified role. The members array lists all identities that should have the role; any members not in this list lose access. The role property specifies which IAP permission to grant (here, httpsResourceAccessor allows HTTPS access to the protected resource). The appId, service, and versionId properties identify which App Engine version to protect.

Add time-based access with IAM Conditions

Access requirements often include expiration dates for temporary contractors or time-limited projects.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.iap.AppEngineVersionIamBinding("binding", {
    project: version.project,
    appId: version.project,
    service: version.service,
    versionId: version.versionId,
    role: "roles/iap.httpsResourceAccessor",
    members: ["user:jane@example.com"],
    condition: {
        title: "expires_after_2019_12_31",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.AppEngineVersionIamBinding("binding",
    project=version["project"],
    app_id=version["project"],
    service=version["service"],
    version_id=version["versionId"],
    role="roles/iap.httpsResourceAccessor",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamBinding(ctx, "binding", &iap.AppEngineVersionIamBindingArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
			Condition: &iap.AppEngineVersionIamBindingConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Iap.AppEngineVersionIamBinding("binding", new()
    {
        Project = version.Project,
        AppId = version.Project,
        Service = version.Service,
        VersionId = version.VersionId,
        Role = "roles/iap.httpsResourceAccessor",
        Members = new[]
        {
            "user:jane@example.com",
        },
        Condition = new Gcp.Iap.Inputs.AppEngineVersionIamBindingConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.AppEngineVersionIamBinding;
import com.pulumi.gcp.iap.AppEngineVersionIamBindingArgs;
import com.pulumi.gcp.iap.inputs.AppEngineVersionIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new AppEngineVersionIamBinding("binding", AppEngineVersionIamBindingArgs.builder()
            .project(version.project())
            .appId(version.project())
            .service(version.service())
            .versionId(version.versionId())
            .role("roles/iap.httpsResourceAccessor")
            .members("user:jane@example.com")
            .condition(AppEngineVersionIamBindingConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());

    }
}

resources:
  binding:
    type: gcp:iap:AppEngineVersionIamBinding
    properties:
      project: ${version.project}
      appId: ${version.project}
      service: ${version.service}
      versionId: ${version.versionId}
      role: roles/iap.httpsResourceAccessor
      members:
        - user:jane@example.com
      condition:
        title: expires_after_2019_12_31
        description: Expiring at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")

IAM Conditions attach temporal or attribute-based constraints to role grants. The condition block requires a title for identification, an expression using Common Expression Language (CEL) to define the constraint, and an optional description. Here, the expression checks that the current request time is before midnight on January 1, 2020. When the condition evaluates to false, the role grant no longer applies.

Add individual members without affecting others

When multiple teams manage access independently, non-authoritative member grants prevent conflicts by adding one identity without removing existing members.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.iap.AppEngineVersionIamMember("member", {
    project: version.project,
    appId: version.project,
    service: version.service,
    versionId: version.versionId,
    role: "roles/iap.httpsResourceAccessor",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.AppEngineVersionIamMember("member",
    project=version["project"],
    app_id=version["project"],
    service=version["service"],
    version_id=version["versionId"],
    role="roles/iap.httpsResourceAccessor",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewAppEngineVersionIamMember(ctx, "member", &iap.AppEngineVersionIamMemberArgs{
			Project:   pulumi.Any(version.Project),
			AppId:     pulumi.Any(version.Project),
			Service:   pulumi.Any(version.Service),
			VersionId: pulumi.Any(version.VersionId),
			Role:      pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:    pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Iap.AppEngineVersionIamMember("member", new()
    {
        Project = version.Project,
        AppId = version.Project,
        Service = version.Service,
        VersionId = version.VersionId,
        Role = "roles/iap.httpsResourceAccessor",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.AppEngineVersionIamMember;
import com.pulumi.gcp.iap.AppEngineVersionIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new AppEngineVersionIamMember("member", AppEngineVersionIamMemberArgs.builder()
            .project(version.project())
            .appId(version.project())
            .service(version.service())
            .versionId(version.versionId())
            .role("roles/iap.httpsResourceAccessor")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:iap:AppEngineVersionIamMember
    properties:
      project: ${version.project}
      appId: ${version.project}
      service: ${version.service}
      versionId: ${version.versionId}
      role: roles/iap.httpsResourceAccessor
      member: user:jane@example.com

The IamMember resource is non-authoritative: it adds one member to a role without affecting other members. Use this when different teams or automation systems manage access to the same resource. The member property specifies a single identity (here, a user email), while IamBinding’s members property takes an array.

Beyond these examples

These snippets focus on specific IAM binding features: authoritative role bindings, non-authoritative member grants, and time-based access with IAM Conditions. They’re intentionally minimal rather than full access control systems.

The examples reference pre-existing infrastructure such as App Engine applications with deployed versions and IAP-protected App Engine services. They focus on configuring access control rather than provisioning the underlying application infrastructure.

To keep things focused, common IAM patterns are omitted, including:

  • Full policy replacement (IamPolicy resource)
  • Custom role definitions and formatting
  • Federated identity and workload identity pool configuration
  • Policy data retrieval (data source usage)

These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the AppEngineVersionIamBinding resource reference for all available configuration options.

Let's manage GCP Identity-Aware Proxy IAM Bindings

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts
What's the difference between IamPolicy, IamBinding, and IamMember?
AppEngineVersionIamPolicy is authoritative and replaces the entire IAM policy. AppEngineVersionIamBinding is authoritative for a specific role, preserving other roles. AppEngineVersionIamMember is non-authoritative, adding individual members while preserving existing members for that role.
Can I use IamPolicy together with IamBinding or IamMember?
No. AppEngineVersionIamPolicy cannot be used with AppEngineVersionIamBinding or AppEngineVersionIamMember because they will conflict over policy control.
Can I use IamBinding and IamMember together?
Yes, but only if they manage different roles. Using both for the same role causes conflicts.
IAM Configuration
What member identity formats are supported?

The members array supports multiple formats:

  • allUsers - Anyone on the internet
  • allAuthenticatedUsers - Anyone with a Google account
  • user:{emailid} - Specific Google account (e.g., user:alice@gmail.com)
  • serviceAccount:{emailid} - Service account (e.g., serviceAccount:my-app@appspot.gserviceaccount.com)
  • group:{emailid} - Google group (e.g., group:admins@example.com)
  • domain:{domain} - G Suite domain (e.g., domain:example.com)
  • projectOwner:projectid, projectEditor:projectid, projectViewer:projectid - Project-level roles
  • Federated identities (e.g., principal://iam.googleapis.com/locations/global/workforcePools/...)
How do I specify custom IAM roles?
Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name} (e.g., projects/my-project/roles/customRole).
How do I use IAM Conditions, and what are their limitations?
Add a condition block with title, description, and expression (e.g., request.time < timestamp("2020-01-01T00:00:00Z") for time-based access). IAM Conditions have known limitations that should be reviewed in the GCP documentation.
Resource Management
What properties can't be changed after creation?
The following properties are immutable: appId, service, versionId, project, role, and condition. Changing these requires recreating the resource.
What import formats are supported?
You can import using the full resource path (projects/{project}/iap_web/appengine-{appId}/services/{service}/versions/{versionId}), or shorter forms like {project}/{appId}/{service}/{versionId} or {appId}/{service}/{versionId}. Variables not provided are taken from the provider configuration.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides