Manage GCP Identity-Aware Proxy IAM for Cloud Run

The gcp:iap/webCloudRunServiceIamMember:WebCloudRunServiceIamMember resource, part of the Pulumi GCP provider, grants IAM roles to individual members for Cloud Run services protected by Identity-Aware Proxy. Unlike authoritative resources that replace entire policies, this resource preserves other existing role grants. This guide focuses on three capabilities: single-member grants, time-based access with IAM Conditions, and multi-member role binding.

IAM resources for IAP-protected Cloud Run services reference existing services with IAP already enabled. The examples are intentionally small. Combine them with your own Cloud Run deployments and IAP configuration.

Grant access to a single user

Most IAP configurations start by granting individual users access to services behind Identity-Aware Proxy without affecting other members who already have the same role.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.iap.WebCloudRunServiceIamMember("member", {
    project: _default.project,
    location: _default.location,
    cloudRunServiceName: _default.name,
    role: "roles/iap.httpsResourceAccessor",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.WebCloudRunServiceIamMember("member",
    project=default["project"],
    location=default["location"],
    cloud_run_service_name=default["name"],
    role="roles/iap.httpsResourceAccessor",
    member="user:jane@example.com")

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebCloudRunServiceIamMember(ctx, "member", &iap.WebCloudRunServiceIamMemberArgs{
			Project:             pulumi.Any(_default.Project),
			Location:            pulumi.Any(_default.Location),
			CloudRunServiceName: pulumi.Any(_default.Name),
			Role:                pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:              pulumi.String("user:jane@example.com"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Iap.WebCloudRunServiceIamMember("member", new()
    {
        Project = @default.Project,
        Location = @default.Location,
        CloudRunServiceName = @default.Name,
        Role = "roles/iap.httpsResourceAccessor",
        Member = "user:jane@example.com",
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebCloudRunServiceIamMember;
import com.pulumi.gcp.iap.WebCloudRunServiceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new WebCloudRunServiceIamMember("member", WebCloudRunServiceIamMemberArgs.builder()
            .project(default_.project())
            .location(default_.location())
            .cloudRunServiceName(default_.name())
            .role("roles/iap.httpsResourceAccessor")
            .member("user:jane@example.com")
            .build());

    }
}

resources:
  member:
    type: gcp:iap:WebCloudRunServiceIamMember
    properties:
      project: ${default.project}
      location: ${default.location}
      cloudRunServiceName: ${default.name}
      role: roles/iap.httpsResourceAccessor
      member: user:jane@example.com

The member property specifies the identity receiving access, using the format “user:email@example.com”. The role property defines the permission level; “roles/iap.httpsResourceAccessor” allows HTTPS access through IAP. The cloudRunServiceName, location, and project properties identify which Cloud Run service to protect. This non-authoritative resource adds the member without removing others already granted the same role.

Grant time-limited access with IAM Conditions

Teams providing temporary access for contractors or time-bound projects can attach expiration dates to role grants using IAM Conditions.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.iap.WebCloudRunServiceIamMember("member", {
    project: _default.project,
    location: _default.location,
    cloudRunServiceName: _default.name,
    role: "roles/iap.httpsResourceAccessor",
    member: "user:jane@example.com",
    condition: {
        title: "expires_after_2019_12_31",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import pulumi
import pulumi_gcp as gcp

member = gcp.iap.WebCloudRunServiceIamMember("member",
    project=default["project"],
    location=default["location"],
    cloud_run_service_name=default["name"],
    role="roles/iap.httpsResourceAccessor",
    member="user:jane@example.com",
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    })

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebCloudRunServiceIamMember(ctx, "member", &iap.WebCloudRunServiceIamMemberArgs{
			Project:             pulumi.Any(_default.Project),
			Location:            pulumi.Any(_default.Location),
			CloudRunServiceName: pulumi.Any(_default.Name),
			Role:                pulumi.String("roles/iap.httpsResourceAccessor"),
			Member:              pulumi.String("user:jane@example.com"),
			Condition: &iap.WebCloudRunServiceIamMemberConditionArgs{
				Title:       pulumi.String("expires_after_2019_12_31"),
				Description: pulumi.String("Expiring at midnight of 2019-12-31"),
				Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var member = new Gcp.Iap.WebCloudRunServiceIamMember("member", new()
    {
        Project = @default.Project,
        Location = @default.Location,
        CloudRunServiceName = @default.Name,
        Role = "roles/iap.httpsResourceAccessor",
        Member = "user:jane@example.com",
        Condition = new Gcp.Iap.Inputs.WebCloudRunServiceIamMemberConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebCloudRunServiceIamMember;
import com.pulumi.gcp.iap.WebCloudRunServiceIamMemberArgs;
import com.pulumi.gcp.iap.inputs.WebCloudRunServiceIamMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new WebCloudRunServiceIamMember("member", WebCloudRunServiceIamMemberArgs.builder()
            .project(default_.project())
            .location(default_.location())
            .cloudRunServiceName(default_.name())
            .role("roles/iap.httpsResourceAccessor")
            .member("user:jane@example.com")
            .condition(WebCloudRunServiceIamMemberConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());

    }
}

resources:
  member:
    type: gcp:iap:WebCloudRunServiceIamMember
    properties:
      project: ${default.project}
      location: ${default.location}
      cloudRunServiceName: ${default.name}
      role: roles/iap.httpsResourceAccessor
      member: user:jane@example.com
      condition:
        title: expires_after_2019_12_31
        description: Expiring at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")

The condition block adds temporal constraints to the role grant. The expression property uses CEL (Common Expression Language) to define when access is valid; here, access expires at midnight on 2020-01-01. The title and description properties document the condition’s purpose. When the condition evaluates to false, the member loses access automatically without manual revocation.

Grant a role to multiple users at once

When several users need identical access, binding a role to a list of members is more efficient than creating separate member resources.

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.iap.WebCloudRunServiceIamBinding("binding", {
    project: _default.project,
    location: _default.location,
    cloudRunServiceName: _default.name,
    role: "roles/iap.httpsResourceAccessor",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.iap.WebCloudRunServiceIamBinding("binding",
    project=default["project"],
    location=default["location"],
    cloud_run_service_name=default["name"],
    role="roles/iap.httpsResourceAccessor",
    members=["user:jane@example.com"])

package main

import (
	"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := iap.NewWebCloudRunServiceIamBinding(ctx, "binding", &iap.WebCloudRunServiceIamBindingArgs{
			Project:             pulumi.Any(_default.Project),
			Location:            pulumi.Any(_default.Location),
			CloudRunServiceName: pulumi.Any(_default.Name),
			Role:                pulumi.String("roles/iap.httpsResourceAccessor"),
			Members: pulumi.StringArray{
				pulumi.String("user:jane@example.com"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() => 
{
    var binding = new Gcp.Iap.WebCloudRunServiceIamBinding("binding", new()
    {
        Project = @default.Project,
        Location = @default.Location,
        CloudRunServiceName = @default.Name,
        Role = "roles/iap.httpsResourceAccessor",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebCloudRunServiceIamBinding;
import com.pulumi.gcp.iap.WebCloudRunServiceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new WebCloudRunServiceIamBinding("binding", WebCloudRunServiceIamBindingArgs.builder()
            .project(default_.project())
            .location(default_.location())
            .cloudRunServiceName(default_.name())
            .role("roles/iap.httpsResourceAccessor")
            .members("user:jane@example.com")
            .build());

    }
}

resources:
  binding:
    type: gcp:iap:WebCloudRunServiceIamBinding
    properties:
      project: ${default.project}
      location: ${default.location}
      cloudRunServiceName: ${default.name}
      role: roles/iap.httpsResourceAccessor
      members:
        - user:jane@example.com

The WebCloudRunServiceIamBinding resource grants a role to multiple members simultaneously. The members property accepts a list of identities in various formats: individual users, service accounts, groups, or special identifiers like “allAuthenticatedUsers”. This binding is authoritative for the specified role, meaning it replaces all existing members for that role while preserving other roles on the service.

Beyond these examples

These snippets focus on specific IAM binding features: single-member and multi-member role grants, IAM Conditions for time-based access, and non-authoritative vs authoritative binding patterns. They’re intentionally minimal rather than complete access control configurations.

The examples reference pre-existing infrastructure such as Cloud Run services with IAP enabled, and a GCP project with appropriate IAM permissions. They focus on granting access rather than provisioning the underlying services.

To keep things focused, common IAM patterns are omitted, including:

Full policy replacement (WebCloudRunServiceIamPolicy)
Service account and group identities
Federated identity and workload identity pool principals
Custom role definitions and organizational roles

These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the IAP WebCloudRunServiceIamMember resource reference for all available configuration options.

Let's manage GCP Identity-Aware Proxy IAM for Cloud Run

Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.

Try Pulumi Cloud for FREE

Frequently Asked Questions

Resource Selection & Conflicts

What's the difference between IamPolicy, IamBinding, and IamMember?

IamPolicy is authoritative and replaces the entire IAM policy. IamBinding is authoritative for a specific role, managing all members for that role while preserving other roles. IamMember is non-authoritative, adding a single member to a role without affecting other members.

Can I use IamPolicy with IamBinding or IamMember?

No, IamPolicy cannot be used with IamBinding or IamMember as they will conflict over policy management. Choose one approach for your resource.

Can I use IamBinding and IamMember together?

Yes, but only if they don’t grant privileges to the same role. Each role must be managed by either IamBinding or IamMember, not both.

IAM Configuration

What identity formats can I use for the member parameter?

You can use allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, or federated identities like principal://iam.googleapis.com/locations/global/workforcePools/example-contractors/subject/joe@example.com.

How do I specify a custom role?

Custom roles must use the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role.

How do I add IAM Conditions to my binding?

Add a condition block with title, description, and expression. For example, to create a time-based condition, use expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")".

What are the limitations of IAM Conditions?

IAM Conditions have known limitations that may affect functionality. Review the GCP documentation on IAM Conditions limitations if you encounter issues.

Resource Management

Can I update the member, role, or other properties after creation?

No, all properties (cloudRunServiceName, location, member, project, role, and condition) are immutable. You must recreate the resource to change these values.

What formats can I use when importing this resource?

You can import using projects/{{project}}/iap_web/cloud_run-{{location}}/services/{{name}}, {{project}}/{{location}}/{{name}}, {{location}}/{{name}}, or just {{name}}. For IamMember, include the role and member identity separated by spaces.

Using a different cloud?

Explore security guides for other cloud providers:

AWS Guides Azure Guides