The gcp:iap/webCloudRunServiceIamPolicy:WebCloudRunServiceIamPolicy resource, part of the Pulumi GCP provider, controls IAM access to Identity-Aware Proxy (IAP) protected Cloud Run services. This guide focuses on four capabilities: authoritative policy replacement, role-level member management, individual member grants, and time-based access with IAM Conditions.
These resources reference existing Cloud Run services by name, project, and location. The examples are intentionally small. Combine them with your own Cloud Run services and identity management workflows.
Replace the entire IAM policy with a new definition
When establishing a new access baseline, you can replace the entire IAM policy, removing all existing bindings.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/iap.httpsResourceAccessor",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.iap.WebCloudRunServiceIamPolicy("policy", {
project: _default.project,
location: _default.location,
cloudRunServiceName: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/iap.httpsResourceAccessor",
"members": ["user:jane@example.com"],
}])
policy = gcp.iap.WebCloudRunServiceIamPolicy("policy",
project=default["project"],
location=default["location"],
cloud_run_service_name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/iap.httpsResourceAccessor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iap.NewWebCloudRunServiceIamPolicy(ctx, "policy", &iap.WebCloudRunServiceIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
CloudRunServiceName: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/iap.httpsResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Iap.WebCloudRunServiceIamPolicy("policy", new()
{
Project = @default.Project,
Location = @default.Location,
CloudRunServiceName = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.iap.WebCloudRunServiceIamPolicy;
import com.pulumi.gcp.iap.WebCloudRunServiceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/iap.httpsResourceAccessor")
.members("user:jane@example.com")
.build())
.build());
var policy = new WebCloudRunServiceIamPolicy("policy", WebCloudRunServiceIamPolicyArgs.builder()
.project(default_.project())
.location(default_.location())
.cloudRunServiceName(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:iap:WebCloudRunServiceIamPolicy
properties:
project: ${default.project}
location: ${default.location}
cloudRunServiceName: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/iap.httpsResourceAccessor
members:
- user:jane@example.com
The WebCloudRunServiceIamPolicy resource is authoritative: it replaces the complete IAM policy with the policyData you provide. The getIAMPolicy data source constructs the policy document from bindings. The cloudRunServiceName identifies which Cloud Run service to protect. This approach removes any existing access grants not included in your new policy.
Grant a role to multiple members at once
When onboarding teams, you can grant the same role to multiple identities simultaneously.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iap.WebCloudRunServiceIamBinding("binding", {
project: _default.project,
location: _default.location,
cloudRunServiceName: _default.name,
role: "roles/iap.httpsResourceAccessor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iap.WebCloudRunServiceIamBinding("binding",
project=default["project"],
location=default["location"],
cloud_run_service_name=default["name"],
role="roles/iap.httpsResourceAccessor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewWebCloudRunServiceIamBinding(ctx, "binding", &iap.WebCloudRunServiceIamBindingArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
CloudRunServiceName: pulumi.Any(_default.Name),
Role: pulumi.String("roles/iap.httpsResourceAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iap.WebCloudRunServiceIamBinding("binding", new()
{
Project = @default.Project,
Location = @default.Location,
CloudRunServiceName = @default.Name,
Role = "roles/iap.httpsResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebCloudRunServiceIamBinding;
import com.pulumi.gcp.iap.WebCloudRunServiceIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new WebCloudRunServiceIamBinding("binding", WebCloudRunServiceIamBindingArgs.builder()
.project(default_.project())
.location(default_.location())
.cloudRunServiceName(default_.name())
.role("roles/iap.httpsResourceAccessor")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:iap:WebCloudRunServiceIamBinding
properties:
project: ${default.project}
location: ${default.location}
cloudRunServiceName: ${default.name}
role: roles/iap.httpsResourceAccessor
members:
- user:jane@example.com
The WebCloudRunServiceIamBinding resource manages all members for a specific role as a unit. The members array lists users, service accounts, or groups. This resource is authoritative for its role: it replaces all members for that role but preserves other roles in the policy. You can use multiple Binding resources for different roles without conflicts.
Add a single member to a role incrementally
Individual access grants let you add one identity without affecting others who have the same role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.iap.WebCloudRunServiceIamMember("member", {
project: _default.project,
location: _default.location,
cloudRunServiceName: _default.name,
role: "roles/iap.httpsResourceAccessor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.iap.WebCloudRunServiceIamMember("member",
project=default["project"],
location=default["location"],
cloud_run_service_name=default["name"],
role="roles/iap.httpsResourceAccessor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewWebCloudRunServiceIamMember(ctx, "member", &iap.WebCloudRunServiceIamMemberArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
CloudRunServiceName: pulumi.Any(_default.Name),
Role: pulumi.String("roles/iap.httpsResourceAccessor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Iap.WebCloudRunServiceIamMember("member", new()
{
Project = @default.Project,
Location = @default.Location,
CloudRunServiceName = @default.Name,
Role = "roles/iap.httpsResourceAccessor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebCloudRunServiceIamMember;
import com.pulumi.gcp.iap.WebCloudRunServiceIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new WebCloudRunServiceIamMember("member", WebCloudRunServiceIamMemberArgs.builder()
.project(default_.project())
.location(default_.location())
.cloudRunServiceName(default_.name())
.role("roles/iap.httpsResourceAccessor")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:iap:WebCloudRunServiceIamMember
properties:
project: ${default.project}
location: ${default.location}
cloudRunServiceName: ${default.name}
role: roles/iap.httpsResourceAccessor
member: user:jane@example.com
The WebCloudRunServiceIamMember resource is non-authoritative: it adds one member to a role without removing existing members. The member property specifies a single identity. You can create multiple Member resources for the same role, and they coexist with Binding resources as long as they target different roles.
Apply time-based access with IAM Conditions
Temporary access expires automatically when you attach conditions that evaluate timestamps.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/iap.httpsResourceAccessor",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.iap.WebCloudRunServiceIamPolicy("policy", {
project: _default.project,
location: _default.location,
cloudRunServiceName: _default.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/iap.httpsResourceAccessor",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.iap.WebCloudRunServiceIamPolicy("policy",
project=default["project"],
location=default["location"],
cloud_run_service_name=default["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/iap.httpsResourceAccessor",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iap.NewWebCloudRunServiceIamPolicy(ctx, "policy", &iap.WebCloudRunServiceIamPolicyArgs{
Project: pulumi.Any(_default.Project),
Location: pulumi.Any(_default.Location),
CloudRunServiceName: pulumi.Any(_default.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/iap.httpsResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Iap.WebCloudRunServiceIamPolicy("policy", new()
{
Project = @default.Project,
Location = @default.Location,
CloudRunServiceName = @default.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.iap.WebCloudRunServiceIamPolicy;
import com.pulumi.gcp.iap.WebCloudRunServiceIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/iap.httpsResourceAccessor")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new WebCloudRunServiceIamPolicy("policy", WebCloudRunServiceIamPolicyArgs.builder()
.project(default_.project())
.location(default_.location())
.cloudRunServiceName(default_.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:iap:WebCloudRunServiceIamPolicy
properties:
project: ${default.project}
location: ${default.location}
cloudRunServiceName: ${default.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/iap.httpsResourceAccessor
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
IAM Conditions add temporal logic to access grants. The condition block defines a title, optional description, and expression using Common Expression Language (CEL). Here, the expression compares request.time against a timestamp, automatically revoking access after the specified date. Conditions work with all three resource types (Policy, Binding, Member) but have known limitations documented by Google Cloud.
Beyond these examples
These snippets focus on specific IAM management approaches: authoritative vs non-authoritative updates and time-based access with IAM Conditions. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as Cloud Run services in specific projects and locations. They focus on configuring IAM bindings rather than provisioning the services themselves.
To keep things focused, common IAM patterns are omitted, including:
- Combining Policy with Binding/Member resources (causes conflicts)
- Mixing Binding and Member for the same role (causes conflicts)
- Custom role definitions and management
- IAM Conditions limitations and edge cases
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the WebCloudRunServiceIamPolicy resource reference for all available configuration options.
Let's manage GCP Identity-Aware Proxy IAM Policies for Cloud Run
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Compatibility
Which IAM resources can I use together?
gcp.iap.WebCloudRunServiceIamPolicy cannot be used with gcp.iap.WebCloudRunServiceIamBinding or gcp.iap.WebCloudRunServiceIamMember as they will conflict. However, IamBinding and IamMember can be used together if they manage different roles.Which IAM resource should I use: Policy, Binding, or Member?
Use
IamPolicy for full authoritative control (replaces entire policy), IamBinding for authoritative control of a specific role (preserves other roles), or IamMember for non-authoritative addition of individual members (preserves other members for the role).IAM Conditions
How do I add time-based or conditional IAM access?
Add a
condition block with title, description, and expression fields to your IAM binding or member. For example, use expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")" for time-based expiration.What are the limitations of IAM Conditions?
IAM Conditions are supported but have known limitations. Review the GCP IAM Conditions documentation for details if you encounter issues with conditional access policies.
Configuration
How do I generate the policyData for IamPolicy?
Use the
gcp.organizations.getIAMPolicy data source with your desired bindings configuration, then reference its policyData output in the IamPolicy resource.