The gcp:iap/webTypeAppEngingIamBinding:WebTypeAppEngingIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Identity-Aware Proxy on App Engine applications. This guide focuses on three capabilities: authoritative role bindings for multiple members, non-authoritative single-member grants, and time-based access with IAM Conditions.
IAM bindings for IAP control which identities can access App Engine applications protected by Identity-Aware Proxy. All examples reference existing App Engine applications by project and appId. The examples are intentionally small. Combine them with your own App Engine infrastructure and identity management strategy.
Grant a role to multiple members at once
Teams managing IAP access often need to grant the same role to multiple users or service accounts simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iap.WebTypeAppEngingIamBinding("binding", {
project: app.project,
appId: app.appId,
role: "roles/iap.httpsResourceAccessor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iap.WebTypeAppEngingIamBinding("binding",
project=app["project"],
app_id=app["appId"],
role="roles/iap.httpsResourceAccessor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
Project: pulumi.Any(app.Project),
AppId: pulumi.Any(app.AppId),
Role: pulumi.String("roles/iap.httpsResourceAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iap.WebTypeAppEngingIamBinding("binding", new()
{
Project = app.Project,
AppId = app.AppId,
Role = "roles/iap.httpsResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebTypeAppEngingIamBinding;
import com.pulumi.gcp.iap.WebTypeAppEngingIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new WebTypeAppEngingIamBinding("binding", WebTypeAppEngingIamBindingArgs.builder()
.project(app.project())
.appId(app.appId())
.role("roles/iap.httpsResourceAccessor")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:iap:WebTypeAppEngingIamBinding
properties:
project: ${app.project}
appId: ${app.appId}
role: roles/iap.httpsResourceAccessor
members:
- user:jane@example.com
The Binding resource treats the members list as authoritative for the specified role. When you update the members array, IAP replaces all existing grants for that role with your new list. The role property specifies which IAP permission to grant (here, httpsResourceAccessor allows HTTPS access). The appId and project properties identify which App Engine application to protect.
Add time-based access with IAM Conditions
Access requirements sometimes include temporal constraints, such as contractor access that expires after a project ends.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iap.WebTypeAppEngingIamBinding("binding", {
project: app.project,
appId: app.appId,
role: "roles/iap.httpsResourceAccessor",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iap.WebTypeAppEngingIamBinding("binding",
project=app["project"],
app_id=app["appId"],
role="roles/iap.httpsResourceAccessor",
members=["user:jane@example.com"],
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
Project: pulumi.Any(app.Project),
AppId: pulumi.Any(app.AppId),
Role: pulumi.String("roles/iap.httpsResourceAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
Condition: &iap.WebTypeAppEngingIamBindingConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iap.WebTypeAppEngingIamBinding("binding", new()
{
Project = app.Project,
AppId = app.AppId,
Role = "roles/iap.httpsResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Iap.Inputs.WebTypeAppEngingIamBindingConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebTypeAppEngingIamBinding;
import com.pulumi.gcp.iap.WebTypeAppEngingIamBindingArgs;
import com.pulumi.gcp.iap.inputs.WebTypeAppEngingIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new WebTypeAppEngingIamBinding("binding", WebTypeAppEngingIamBindingArgs.builder()
.project(app.project())
.appId(app.appId())
.role("roles/iap.httpsResourceAccessor")
.members("user:jane@example.com")
.condition(WebTypeAppEngingIamBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
binding:
type: gcp:iap:WebTypeAppEngingIamBinding
properties:
project: ${app.project}
appId: ${app.appId}
role: roles/iap.httpsResourceAccessor
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
IAM Conditions attach logic to role grants through the condition block. The expression property uses CEL (Common Expression Language) to define when access is valid. Here, the condition checks that the request time is before midnight on January 1, 2020. The title and description properties document the condition’s purpose. Conditions work with both Binding and Member resources.
Add a single member to an existing role
When you need to grant access to one additional user without affecting other members, the Member resource provides non-authoritative updates.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.iap.WebTypeAppEngingIamMember("member", {
project: app.project,
appId: app.appId,
role: "roles/iap.httpsResourceAccessor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.iap.WebTypeAppEngingIamMember("member",
project=app["project"],
app_id=app["appId"],
role="roles/iap.httpsResourceAccessor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
Project: pulumi.Any(app.Project),
AppId: pulumi.Any(app.AppId),
Role: pulumi.String("roles/iap.httpsResourceAccessor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Iap.WebTypeAppEngingIamMember("member", new()
{
Project = app.Project,
AppId = app.AppId,
Role = "roles/iap.httpsResourceAccessor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebTypeAppEngingIamMember;
import com.pulumi.gcp.iap.WebTypeAppEngingIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new WebTypeAppEngingIamMember("member", WebTypeAppEngingIamMemberArgs.builder()
.project(app.project())
.appId(app.appId())
.role("roles/iap.httpsResourceAccessor")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:iap:WebTypeAppEngingIamMember
properties:
project: ${app.project}
appId: ${app.appId}
role: roles/iap.httpsResourceAccessor
member: user:jane@example.com
The Member resource adds one identity to a role without replacing existing grants. Unlike Binding, which is authoritative for the entire member list, Member preserves other members already granted the same role. The member property specifies a single identity using the same format as the members array in Binding resources (user:, serviceAccount:, group:, etc.).
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control, single-member grants, and time-based access with IAM Conditions. They’re intentionally minimal rather than complete access control policies.
The examples reference pre-existing infrastructure such as App Engine applications identified by appId and project. They focus on configuring IAM bindings rather than provisioning the underlying App Engine resources.
To keep things focused, common IAM patterns are omitted, including:
- Full policy replacement (WebTypeAppEngingIamPolicy)
- Policy data retrieval (data source)
- Custom role definitions
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the IAP WebTypeAppEngingIamBinding resource reference for all available configuration options.
Let's configure GCP Identity-Aware Proxy IAM Bindings
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
gcp.iap.WebTypeAppEngingIamPolicy is authoritative and replaces the entire IAM policy. gcp.iap.WebTypeAppEngingIamBinding is authoritative for a specific role, preserving other roles. gcp.iap.WebTypeAppEngingIamMember is non-authoritative, adding individual members while preserving existing ones for that role.gcp.iap.WebTypeAppEngingIamPolicy cannot be used with gcp.iap.WebTypeAppEngingIamBinding or gcp.iap.WebTypeAppEngingIamMember as they will conflict over policy management.gcp.iap.WebTypeAppEngingIamBinding and gcp.iap.WebTypeAppEngingIamMember cannot grant privileges to the same role.IAM Configuration
allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner/Editor/Viewer:{projectid}, and federated identities using principal:// format.[projects|organizations]/{parent-name}/roles/{role-name}. For example: projects/my-project/roles/my-custom-role.gcp.iap.WebTypeAppEngingIamBinding can be used per role. Use separate Binding resources for different roles.Conditions & Advanced Features
condition property with title, description, and expression fields. Example: expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")" creates access that expires at midnight on 2019-12-31.Immutability & Lifecycle
appId, project, role, and condition properties are immutable and cannot be changed after the resource is created.