The gcp:iap/tunnelInstanceIAMPolicy:TunnelInstanceIAMPolicy resource, part of the Pulumi GCP provider, manages IAM permissions for Identity-Aware Proxy tunnel access to Compute Engine instances. This guide focuses on four capabilities: authoritative policy replacement, role bindings for multiple members, individual member grants, and time-based access with IAM Conditions.
These resources reference existing Compute Engine instances with IAP tunnel enabled. The examples are intentionally small. Combine them with your own instance configuration and organizational IAM structure.
Set the complete IAM policy for an instance
Teams managing IAP tunnel access often need to define the entire IAM policy, replacing any existing permissions with a known configuration.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/iap.tunnelResourceAccessor",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.iap.TunnelInstanceIAMPolicy("policy", {
project: tunnelvm.project,
zone: tunnelvm.zone,
instance: tunnelvm.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/iap.tunnelResourceAccessor",
"members": ["user:jane@example.com"],
}])
policy = gcp.iap.TunnelInstanceIAMPolicy("policy",
project=tunnelvm["project"],
zone=tunnelvm["zone"],
instance=tunnelvm["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/iap.tunnelResourceAccessor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
Project: pulumi.Any(tunnelvm.Project),
Zone: pulumi.Any(tunnelvm.Zone),
Instance: pulumi.Any(tunnelvm.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/iap.tunnelResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Iap.TunnelInstanceIAMPolicy("policy", new()
{
Project = tunnelvm.Project,
Zone = tunnelvm.Zone,
Instance = tunnelvm.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.iap.TunnelInstanceIAMPolicy;
import com.pulumi.gcp.iap.TunnelInstanceIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/iap.tunnelResourceAccessor")
.members("user:jane@example.com")
.build())
.build());
var policy = new TunnelInstanceIAMPolicy("policy", TunnelInstanceIAMPolicyArgs.builder()
.project(tunnelvm.project())
.zone(tunnelvm.zone())
.instance(tunnelvm.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:iap:TunnelInstanceIAMPolicy
properties:
project: ${tunnelvm.project}
zone: ${tunnelvm.zone}
instance: ${tunnelvm.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/iap.tunnelResourceAccessor
members:
- user:jane@example.com
The TunnelInstanceIAMPolicy resource is authoritative: it replaces all existing IAM bindings on the instance. The policyData comes from getIAMPolicy, which defines bindings (role-to-members mappings). The project, zone, and instance properties identify which Compute Engine instance receives the policy. Use this approach when you need complete control over all IAM permissions.
Grant a role to multiple members
When multiple users or service accounts need the same access level, binding a role to a list of members is more maintainable than individual grants.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iap.TunnelInstanceIAMBinding("binding", {
project: tunnelvm.project,
zone: tunnelvm.zone,
instance: tunnelvm.name,
role: "roles/iap.tunnelResourceAccessor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iap.TunnelInstanceIAMBinding("binding",
project=tunnelvm["project"],
zone=tunnelvm["zone"],
instance=tunnelvm["name"],
role="roles/iap.tunnelResourceAccessor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewTunnelInstanceIAMBinding(ctx, "binding", &iap.TunnelInstanceIAMBindingArgs{
Project: pulumi.Any(tunnelvm.Project),
Zone: pulumi.Any(tunnelvm.Zone),
Instance: pulumi.Any(tunnelvm.Name),
Role: pulumi.String("roles/iap.tunnelResourceAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iap.TunnelInstanceIAMBinding("binding", new()
{
Project = tunnelvm.Project,
Zone = tunnelvm.Zone,
Instance = tunnelvm.Name,
Role = "roles/iap.tunnelResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.TunnelInstanceIAMBinding;
import com.pulumi.gcp.iap.TunnelInstanceIAMBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new TunnelInstanceIAMBinding("binding", TunnelInstanceIAMBindingArgs.builder()
.project(tunnelvm.project())
.zone(tunnelvm.zone())
.instance(tunnelvm.name())
.role("roles/iap.tunnelResourceAccessor")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:iap:TunnelInstanceIAMBinding
properties:
project: ${tunnelvm.project}
zone: ${tunnelvm.zone}
instance: ${tunnelvm.name}
role: roles/iap.tunnelResourceAccessor
members:
- user:jane@example.com
The TunnelInstanceIAMBinding resource is authoritative for the specified role but preserves other roles on the instance. The members array lists all identities that receive the role. This approach works well for team-based access where you manage all members of a role together. You can combine multiple Binding resources for different roles on the same instance.
Add a single member to a role
Adding individual users without affecting other members or roles requires a non-authoritative approach.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.iap.TunnelInstanceIAMMember("member", {
project: tunnelvm.project,
zone: tunnelvm.zone,
instance: tunnelvm.name,
role: "roles/iap.tunnelResourceAccessor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.iap.TunnelInstanceIAMMember("member",
project=tunnelvm["project"],
zone=tunnelvm["zone"],
instance=tunnelvm["name"],
role="roles/iap.tunnelResourceAccessor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewTunnelInstanceIAMMember(ctx, "member", &iap.TunnelInstanceIAMMemberArgs{
Project: pulumi.Any(tunnelvm.Project),
Zone: pulumi.Any(tunnelvm.Zone),
Instance: pulumi.Any(tunnelvm.Name),
Role: pulumi.String("roles/iap.tunnelResourceAccessor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Iap.TunnelInstanceIAMMember("member", new()
{
Project = tunnelvm.Project,
Zone = tunnelvm.Zone,
Instance = tunnelvm.Name,
Role = "roles/iap.tunnelResourceAccessor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.TunnelInstanceIAMMember;
import com.pulumi.gcp.iap.TunnelInstanceIAMMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new TunnelInstanceIAMMember("member", TunnelInstanceIAMMemberArgs.builder()
.project(tunnelvm.project())
.zone(tunnelvm.zone())
.instance(tunnelvm.name())
.role("roles/iap.tunnelResourceAccessor")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:iap:TunnelInstanceIAMMember
properties:
project: ${tunnelvm.project}
zone: ${tunnelvm.zone}
instance: ${tunnelvm.name}
role: roles/iap.tunnelResourceAccessor
member: user:jane@example.com
The TunnelInstanceIAMMember resource grants a role to one member without modifying other members for that role. The member property specifies a single identity (user, service account, or group). This approach is ideal for incremental access grants where you don’t want to manage the complete member list. Multiple Member resources can coexist for the same role.
Apply time-based access with IAM Conditions
Temporary access grants require IAM Conditions to automatically expire permissions without manual revocation.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/iap.tunnelResourceAccessor",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.iap.TunnelInstanceIAMPolicy("policy", {
project: tunnelvm.project,
zone: tunnelvm.zone,
instance: tunnelvm.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/iap.tunnelResourceAccessor",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.iap.TunnelInstanceIAMPolicy("policy",
project=tunnelvm["project"],
zone=tunnelvm["zone"],
instance=tunnelvm["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/iap.tunnelResourceAccessor",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iap.NewTunnelInstanceIAMPolicy(ctx, "policy", &iap.TunnelInstanceIAMPolicyArgs{
Project: pulumi.Any(tunnelvm.Project),
Zone: pulumi.Any(tunnelvm.Zone),
Instance: pulumi.Any(tunnelvm.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/iap.tunnelResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Iap.TunnelInstanceIAMPolicy("policy", new()
{
Project = tunnelvm.Project,
Zone = tunnelvm.Zone,
Instance = tunnelvm.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.iap.TunnelInstanceIAMPolicy;
import com.pulumi.gcp.iap.TunnelInstanceIAMPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/iap.tunnelResourceAccessor")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new TunnelInstanceIAMPolicy("policy", TunnelInstanceIAMPolicyArgs.builder()
.project(tunnelvm.project())
.zone(tunnelvm.zone())
.instance(tunnelvm.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:iap:TunnelInstanceIAMPolicy
properties:
project: ${tunnelvm.project}
zone: ${tunnelvm.zone}
instance: ${tunnelvm.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/iap.tunnelResourceAccessor
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
IAM Conditions add time-based or attribute-based logic to policy bindings. The condition block requires a title, optional description, and expression using Common Expression Language (CEL). Here, the expression compares request.time against a timestamp to enforce expiration. Conditions work with Policy, Binding, and Member resources. Note that IAM Conditions have known limitations documented by Google Cloud.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management, role bindings and member grants, and time-based access with IAM Conditions. They’re intentionally minimal rather than complete access control configurations.
The examples reference pre-existing infrastructure such as Compute Engine instances with IAP tunnel enabled, and GCP project and zone configuration. They focus on IAM permission management rather than instance provisioning.
To keep things focused, common IAM patterns are omitted, including:
- Combining Policy with Binding/Member resources (causes conflicts)
- Custom IAM roles (examples use predefined roles/iap.tunnelResourceAccessor)
- Service account impersonation and delegation
- Audit logging configuration for IAM changes
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the IAP TunnelInstance IAM Policy resource reference for all available configuration options.
Let's manage GCP Identity-Aware Proxy Tunnel IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Which IAM resources can I use together without conflicts?
gcp.iap.TunnelInstanceIAMPolicy cannot be used with gcp.iap.TunnelInstanceIAMBinding or gcp.iap.TunnelInstanceIAMMember because they’ll conflict over the policy. However, gcp.iap.TunnelInstanceIAMBinding and gcp.iap.TunnelInstanceIAMMember can be used together as long as they don’t grant privileges to the same role.What's the difference between the three IAM resource types?
gcp.iap.TunnelInstanceIAMPolicy: Authoritative, replaces the entire IAM policygcp.iap.TunnelInstanceIAMBinding: Authoritative for a specific role, preserves other rolesgcp.iap.TunnelInstanceIAMMember: Non-authoritative, adds a single member while preserving other members for the role
Configuration & Properties
What properties are immutable after creation?
The
instance, project, and zone properties are immutable. Only policyData can be updated after creation.What are the required properties for TunnelInstanceIAMPolicy?
You must provide
instance (the instance name), policyData (from gcp.organizations.getIAMPolicy), project (project ID), and zone. If project or zone aren’t specified, they’re parsed from the parent resource identifier or provider configuration.Advanced Features
Can I use IAM Conditions with this resource?
Yes, IAM Conditions are supported with
condition blocks containing title, description, and expression. However, there are known limitations you should review in the GCP documentation.How do I import existing IAM policies?
Use formats like
projects/{{project}}/iap_tunnel/zones/{{zone}}/instances/{{name}} or shorter forms like {{zone}}/{{name}}. For IAM members, include the role and member identity space-delimited. For bindings, include the role. Variables not in the import command are taken from provider configuration.