The gcp:iap/tunnelDestGroupIamBinding:TunnelDestGroupIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Identity-Aware Proxy tunnel destination groups, controlling which identities can access tunneled resources. This guide focuses on three capabilities: authoritative role binding for multiple members, time-based access with IAM Conditions, and non-authoritative member addition.
IAM bindings reference existing tunnel destination groups and require valid GCP project and region identifiers. The examples are intentionally small. Combine them with your own tunnel groups and identity management strategy.
Grant a role to multiple members with IamBinding
Teams managing IAP tunnel access often need to grant the same role to multiple users or service accounts at once.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iap.TunnelDestGroupIamBinding("binding", {
project: destGroup.project,
region: destGroup.region,
destGroup: destGroup.groupName,
role: "roles/iap.tunnelResourceAccessor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iap.TunnelDestGroupIamBinding("binding",
project=dest_group["project"],
region=dest_group["region"],
dest_group=dest_group["groupName"],
role="roles/iap.tunnelResourceAccessor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
Project: pulumi.Any(destGroup.Project),
Region: pulumi.Any(destGroup.Region),
DestGroup: pulumi.Any(destGroup.GroupName),
Role: pulumi.String("roles/iap.tunnelResourceAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iap.TunnelDestGroupIamBinding("binding", new()
{
Project = destGroup.Project,
Region = destGroup.Region,
DestGroup = destGroup.GroupName,
Role = "roles/iap.tunnelResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.TunnelDestGroupIamBinding;
import com.pulumi.gcp.iap.TunnelDestGroupIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new TunnelDestGroupIamBinding("binding", TunnelDestGroupIamBindingArgs.builder()
.project(destGroup.project())
.region(destGroup.region())
.destGroup(destGroup.groupName())
.role("roles/iap.tunnelResourceAccessor")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:iap:TunnelDestGroupIamBinding
properties:
project: ${destGroup.project}
region: ${destGroup.region}
destGroup: ${destGroup.groupName}
role: roles/iap.tunnelResourceAccessor
members:
- user:jane@example.com
The IamBinding resource is authoritative for the specified role. The members array lists all identities that should have this role; any members not in this list will lose the role. The destGroup, project, and region properties identify which tunnel destination group to configure. This approach works well when you manage all members for a role together.
Add time-based access with IAM Conditions
Temporary access grants are common for contractors or time-limited projects.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iap.TunnelDestGroupIamBinding("binding", {
project: destGroup.project,
region: destGroup.region,
destGroup: destGroup.groupName,
role: "roles/iap.tunnelResourceAccessor",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iap.TunnelDestGroupIamBinding("binding",
project=dest_group["project"],
region=dest_group["region"],
dest_group=dest_group["groupName"],
role="roles/iap.tunnelResourceAccessor",
members=["user:jane@example.com"],
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewTunnelDestGroupIamBinding(ctx, "binding", &iap.TunnelDestGroupIamBindingArgs{
Project: pulumi.Any(destGroup.Project),
Region: pulumi.Any(destGroup.Region),
DestGroup: pulumi.Any(destGroup.GroupName),
Role: pulumi.String("roles/iap.tunnelResourceAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
Condition: &iap.TunnelDestGroupIamBindingConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iap.TunnelDestGroupIamBinding("binding", new()
{
Project = destGroup.Project,
Region = destGroup.Region,
DestGroup = destGroup.GroupName,
Role = "roles/iap.tunnelResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Iap.Inputs.TunnelDestGroupIamBindingConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.TunnelDestGroupIamBinding;
import com.pulumi.gcp.iap.TunnelDestGroupIamBindingArgs;
import com.pulumi.gcp.iap.inputs.TunnelDestGroupIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new TunnelDestGroupIamBinding("binding", TunnelDestGroupIamBindingArgs.builder()
.project(destGroup.project())
.region(destGroup.region())
.destGroup(destGroup.groupName())
.role("roles/iap.tunnelResourceAccessor")
.members("user:jane@example.com")
.condition(TunnelDestGroupIamBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
binding:
type: gcp:iap:TunnelDestGroupIamBinding
properties:
project: ${destGroup.project}
region: ${destGroup.region}
destGroup: ${destGroup.groupName}
role: roles/iap.tunnelResourceAccessor
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds constraints to the role binding. The expression property uses CEL (Common Expression Language) to define when access is valid; here, it checks that the request time is before midnight on January 1, 2020. The title and description provide human-readable context. IAM Conditions have some limitations documented in the GCP IAM Conditions overview.
Add a single member with IamMember
When you need to grant access to one additional user without affecting existing permissions, IamMember provides non-authoritative updates.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.iap.TunnelDestGroupIamMember("member", {
project: destGroup.project,
region: destGroup.region,
destGroup: destGroup.groupName,
role: "roles/iap.tunnelResourceAccessor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.iap.TunnelDestGroupIamMember("member",
project=dest_group["project"],
region=dest_group["region"],
dest_group=dest_group["groupName"],
role="roles/iap.tunnelResourceAccessor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewTunnelDestGroupIamMember(ctx, "member", &iap.TunnelDestGroupIamMemberArgs{
Project: pulumi.Any(destGroup.Project),
Region: pulumi.Any(destGroup.Region),
DestGroup: pulumi.Any(destGroup.GroupName),
Role: pulumi.String("roles/iap.tunnelResourceAccessor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Iap.TunnelDestGroupIamMember("member", new()
{
Project = destGroup.Project,
Region = destGroup.Region,
DestGroup = destGroup.GroupName,
Role = "roles/iap.tunnelResourceAccessor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.TunnelDestGroupIamMember;
import com.pulumi.gcp.iap.TunnelDestGroupIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new TunnelDestGroupIamMember("member", TunnelDestGroupIamMemberArgs.builder()
.project(destGroup.project())
.region(destGroup.region())
.destGroup(destGroup.groupName())
.role("roles/iap.tunnelResourceAccessor")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:iap:TunnelDestGroupIamMember
properties:
project: ${destGroup.project}
region: ${destGroup.region}
destGroup: ${destGroup.groupName}
role: roles/iap.tunnelResourceAccessor
member: user:jane@example.com
The IamMember resource adds one identity to a role without removing other members. The member property specifies a single identity (user, service account, group, or domain). This is useful when multiple teams manage access independently, as it won’t overwrite bindings created by others.
Beyond these examples
These snippets focus on specific IAM binding features: authoritative role binding, non-authoritative member addition, and time-based access with IAM Conditions. They’re intentionally minimal rather than full access control configurations.
The examples reference pre-existing infrastructure such as IAP tunnel destination groups and GCP projects and regions. They focus on configuring IAM bindings rather than provisioning the underlying tunnel infrastructure.
To keep things focused, common IAM patterns are omitted, including:
- Full policy replacement (IamPolicy resource)
- Custom role definitions
- Advanced condition expressions (resource attributes, request context)
- Combining IamBinding and IamMember for the same role (causes conflicts)
These omissions are intentional: the goal is to illustrate how each IAM binding approach is wired, not provide drop-in access control modules. See the TunnelDestGroupIamBinding resource reference for all available configuration options.
Let's manage GCP Identity-Aware Proxy IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
gcp.iap.TunnelDestGroupIamPolicy is authoritative and replaces the entire IAM policy. gcp.iap.TunnelDestGroupIamBinding is authoritative for a specific role, preserving other roles. gcp.iap.TunnelDestGroupIamMember is non-authoritative, adding members without affecting other members for the same role.gcp.iap.TunnelDestGroupIamPolicy cannot be used with gcp.iap.TunnelDestGroupIamBinding or gcp.iap.TunnelDestGroupIamMember, as they will conflict over policy management. Choose one approach for your use case.IAM Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities (e.g., principal://iam.googleapis.com/...).[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role.condition property with title, description, and expression fields. Note that IAM Conditions have known limitations documented in the GCP IAM Conditions overview.condition property with an expression like request.time < timestamp("2020-01-01T00:00:00Z") to set expiration times for access grants.Resource Properties
destGroup, project, region, role, and condition properties are all immutable. The region must match the network resources in the tunnel group.