The gcp:iap/tunnelDestGroupIamMember:TunnelDestGroupIamMember resource, part of the Pulumi GCP provider, grants IAM roles to individual members on IAP tunnel destination groups without replacing other members. This guide focuses on three capabilities: single-user role grants, multi-user role bindings, and time-limited access with IAM Conditions.
IAM resources for tunnel destination groups come in three variants: TunnelDestGroupIamPolicy (authoritative for all roles), TunnelDestGroupIamBinding (authoritative for one role), and TunnelDestGroupIamMember (non-authoritative for one member). The examples are intentionally small. Combine them with your own tunnel destination groups and access policies.
Grant tunnel access to a single user
Most IAP tunnel access starts by adding individual users to a destination group without affecting other members.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.iap.TunnelDestGroupIamMember("member", {
project: destGroup.project,
region: destGroup.region,
destGroup: destGroup.groupName,
role: "roles/iap.tunnelResourceAccessor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.iap.TunnelDestGroupIamMember("member",
project=dest_group["project"],
region=dest_group["region"],
dest_group=dest_group["groupName"],
role="roles/iap.tunnelResourceAccessor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
Project: pulumi.Any(destGroup.Project),
Region: pulumi.Any(destGroup.Region),
DestGroup: pulumi.Any(destGroup.GroupName),
Role: pulumi.String("roles/iap.tunnelResourceAccessor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Iap.TunnelDestGroupIamMember("member", new()
{
Project = destGroup.Project,
Region = destGroup.Region,
DestGroup = destGroup.GroupName,
Role = "roles/iap.tunnelResourceAccessor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.TunnelDestGroupIamMember;
import com.pulumi.gcp.iap.TunnelDestGroupIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new TunnelDestGroupIamMember("member", TunnelDestGroupIamMemberArgs.builder()
.project(destGroup.project())
.region(destGroup.region())
.destGroup(destGroup.groupName())
.role("roles/iap.tunnelResourceAccessor")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:iap:TunnelDestGroupIamMember
properties:
project: ${destGroup.project}
region: ${destGroup.region}
destGroup: ${destGroup.groupName}
role: roles/iap.tunnelResourceAccessor
member: user:jane@example.com
The member property identifies who receives access using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. The role property specifies the permission level; “roles/iap.tunnelResourceAccessor” allows TCP forwarding through IAP tunnels. This resource is non-authoritative: it adds the member without removing others who already have the same role.
Grant tunnel access to multiple users at once
When onboarding a team, binding all members to a role in one operation ensures consistent access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iap.TunnelDestGroupIamBinding("binding", {
project: destGroup.project,
region: destGroup.region,
destGroup: destGroup.groupName,
role: "roles/iap.tunnelResourceAccessor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iap.TunnelDestGroupIamBinding("binding",
project=dest_group["project"],
region=dest_group["region"],
dest_group=dest_group["groupName"],
role="roles/iap.tunnelResourceAccessor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
Project: pulumi.Any(destGroup.Project),
Region: pulumi.Any(destGroup.Region),
DestGroup: pulumi.Any(destGroup.GroupName),
Role: pulumi.String("roles/iap.tunnelResourceAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iap.TunnelDestGroupIamBinding("binding", new()
{
Project = destGroup.Project,
Region = destGroup.Region,
DestGroup = destGroup.GroupName,
Role = "roles/iap.tunnelResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.TunnelDestGroupIamBinding;
import com.pulumi.gcp.iap.TunnelDestGroupIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new TunnelDestGroupIamBinding("binding", TunnelDestGroupIamBindingArgs.builder()
.project(destGroup.project())
.region(destGroup.region())
.destGroup(destGroup.groupName())
.role("roles/iap.tunnelResourceAccessor")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:iap:TunnelDestGroupIamBinding
properties:
project: ${destGroup.project}
region: ${destGroup.region}
destGroup: ${destGroup.groupName}
role: roles/iap.tunnelResourceAccessor
members:
- user:jane@example.com
The TunnelDestGroupIamBinding resource grants a role to multiple members simultaneously. The members array lists all identities that should have this role. Unlike TunnelDestGroupIamMember, this binding is authoritative for the specified role: it replaces any existing members for “roles/iap.tunnelResourceAccessor” but preserves other roles on the destination group.
Add time-limited access with IAM Conditions
Temporary access for contractors or time-boxed projects requires expiration logic built into the grant.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.iap.TunnelDestGroupIamMember("member", {
project: destGroup.project,
region: destGroup.region,
destGroup: destGroup.groupName,
role: "roles/iap.tunnelResourceAccessor",
member: "user:jane@example.com",
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
member = gcp.iap.TunnelDestGroupIamMember("member",
project=dest_group["project"],
region=dest_group["region"],
dest_group=dest_group["groupName"],
role="roles/iap.tunnelResourceAccessor",
member="user:jane@example.com",
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
Project: pulumi.Any(destGroup.Project),
Region: pulumi.Any(destGroup.Region),
DestGroup: pulumi.Any(destGroup.GroupName),
Role: pulumi.String("roles/iap.tunnelResourceAccessor"),
Member: pulumi.String("user:jane@example.com"),
Condition: &iap.TunnelDestGroupIamMemberConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Iap.TunnelDestGroupIamMember("member", new()
{
Project = destGroup.Project,
Region = destGroup.Region,
DestGroup = destGroup.GroupName,
Role = "roles/iap.tunnelResourceAccessor",
Member = "user:jane@example.com",
Condition = new Gcp.Iap.Inputs.TunnelDestGroupIamMemberConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.TunnelDestGroupIamMember;
import com.pulumi.gcp.iap.TunnelDestGroupIamMemberArgs;
import com.pulumi.gcp.iap.inputs.TunnelDestGroupIamMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new TunnelDestGroupIamMember("member", TunnelDestGroupIamMemberArgs.builder()
.project(destGroup.project())
.region(destGroup.region())
.destGroup(destGroup.groupName())
.role("roles/iap.tunnelResourceAccessor")
.member("user:jane@example.com")
.condition(TunnelDestGroupIamMemberConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
member:
type: gcp:iap:TunnelDestGroupIamMember
properties:
project: ${destGroup.project}
region: ${destGroup.region}
destGroup: ${destGroup.groupName}
role: roles/iap.tunnelResourceAccessor
member: user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
IAM Conditions attach temporal or attribute-based constraints to role grants. The condition block requires a title, optional description, and an expression using Common Expression Language (CEL). Here, “request.time < timestamp(…)” automatically revokes access after the specified date. The member retains access until the condition evaluates to false, at which point GCP denies requests without requiring manual revocation.
Beyond these examples
These snippets focus on specific IAM grant features: single and multi-member role grants, and time-based access with IAM Conditions. They’re intentionally minimal rather than complete access control policies.
The examples reference pre-existing infrastructure such as IAP tunnel destination groups, GCP projects, and regions. They focus on granting access rather than provisioning the tunnel infrastructure itself.
To keep things focused, common IAM patterns are omitted, including:
- Full policy replacement (TunnelDestGroupIamPolicy)
- Custom role definitions and formatting
- Federated identity and workload identity principals
- Conflict resolution between Policy, Binding, and Member resources
These omissions are intentional: the goal is to illustrate how each IAM grant type is wired, not provide drop-in access control modules. See the IAP TunnelDestGroupIamMember resource reference for all available configuration options.
Let's manage GCP Identity-Aware Proxy IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
TunnelDestGroupIamPolicy is authoritative and replaces the entire IAM policy. TunnelDestGroupIamBinding is authoritative for a specific role, replacing all members for that role while preserving other roles. TunnelDestGroupIamMember is non-authoritative, adding a single member to a role without affecting other members.TunnelDestGroupIamPolicy cannot be used with TunnelDestGroupIamBinding or TunnelDestGroupIamMember because they will conflict over the policy. Use either IamPolicy alone or use IamBinding/IamMember together.IAM Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, or federated identities like principal://iam.googleapis.com/....[projects|organizations]/{parent-name}/roles/{role-name}. For example: projects/my-project/roles/my-custom-role.condition property with title, description, and expression fields. For example, to expire access at a specific time: expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")". Note that IAM Conditions have some known limitations.Resource Lifecycle
destGroup, member, project, region, role, and condition. To change any of these, you must recreate the resource.region must be the same as the network resources in the tunnel destination group to ensure proper IAM policy binding.