The gcp:iap/webTypeAppEngingIamPolicy:WebTypeAppEngingIamPolicy resource, part of the Pulumi GCP provider, controls IAM access to App Engine applications protected by Identity-Aware Proxy. This guide focuses on four capabilities: authoritative policy replacement, role-specific member management, individual member grants, and time-based access with IAM Conditions.
Three related resources manage IAP access with different authoritativeness models: Policy (replaces entire policy), Binding (manages all members for one role), and Member (adds one member non-authoritatively). Policy cannot be used with Binding or Member; Binding and Member can coexist only if they manage different roles. The examples are intentionally small. Combine them with your own App Engine applications and access requirements.
Replace the entire IAM policy for an App Engine app
When you need complete control over IAP access, you can set the entire IAM policy at once, replacing any existing grants.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/iap.httpsResourceAccessor",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.iap.WebTypeAppEngingIamPolicy("policy", {
project: app.project,
appId: app.appId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/iap.httpsResourceAccessor",
"members": ["user:jane@example.com"],
}])
policy = gcp.iap.WebTypeAppEngingIamPolicy("policy",
project=app["project"],
app_id=app["appId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/iap.httpsResourceAccessor",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
Project: pulumi.Any(app.Project),
AppId: pulumi.Any(app.AppId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/iap.httpsResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Iap.WebTypeAppEngingIamPolicy("policy", new()
{
Project = app.Project,
AppId = app.AppId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.iap.WebTypeAppEngingIamPolicy;
import com.pulumi.gcp.iap.WebTypeAppEngingIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/iap.httpsResourceAccessor")
.members("user:jane@example.com")
.build())
.build());
var policy = new WebTypeAppEngingIamPolicy("policy", WebTypeAppEngingIamPolicyArgs.builder()
.project(app.project())
.appId(app.appId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:iap:WebTypeAppEngingIamPolicy
properties:
project: ${app.project}
appId: ${app.appId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/iap.httpsResourceAccessor
members:
- user:jane@example.com
The WebTypeAppEngingIamPolicy resource is authoritative: it replaces the complete IAM policy for the App Engine app. The policyData comes from the getIAMPolicy data source, which defines bindings (role-to-members mappings). The appId identifies which App Engine application to protect.
Grant a role to multiple members at once
Teams often grant the same IAP role to several users simultaneously while preserving other role bindings.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.iap.WebTypeAppEngingIamBinding("binding", {
project: app.project,
appId: app.appId,
role: "roles/iap.httpsResourceAccessor",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.iap.WebTypeAppEngingIamBinding("binding",
project=app["project"],
app_id=app["appId"],
role="roles/iap.httpsResourceAccessor",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewWebTypeAppEngingIamBinding(ctx, "binding", &iap.WebTypeAppEngingIamBindingArgs{
Project: pulumi.Any(app.Project),
AppId: pulumi.Any(app.AppId),
Role: pulumi.String("roles/iap.httpsResourceAccessor"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Iap.WebTypeAppEngingIamBinding("binding", new()
{
Project = app.Project,
AppId = app.AppId,
Role = "roles/iap.httpsResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebTypeAppEngingIamBinding;
import com.pulumi.gcp.iap.WebTypeAppEngingIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new WebTypeAppEngingIamBinding("binding", WebTypeAppEngingIamBindingArgs.builder()
.project(app.project())
.appId(app.appId())
.role("roles/iap.httpsResourceAccessor")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:iap:WebTypeAppEngingIamBinding
properties:
project: ${app.project}
appId: ${app.appId}
role: roles/iap.httpsResourceAccessor
members:
- user:jane@example.com
The WebTypeAppEngingIamBinding resource is authoritative for one role only: it sets the complete member list for roles/iap.httpsResourceAccessor but leaves other roles unchanged. The members array lists all users, service accounts, or groups that should have this role.
Add a single member to a role incrementally
To grant IAP access to one user without managing the full member list, use the non-authoritative member resource.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.iap.WebTypeAppEngingIamMember("member", {
project: app.project,
appId: app.appId,
role: "roles/iap.httpsResourceAccessor",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.iap.WebTypeAppEngingIamMember("member",
project=app["project"],
app_id=app["appId"],
role="roles/iap.httpsResourceAccessor",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := iap.NewWebTypeAppEngingIamMember(ctx, "member", &iap.WebTypeAppEngingIamMemberArgs{
Project: pulumi.Any(app.Project),
AppId: pulumi.Any(app.AppId),
Role: pulumi.String("roles/iap.httpsResourceAccessor"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Iap.WebTypeAppEngingIamMember("member", new()
{
Project = app.Project,
AppId = app.AppId,
Role = "roles/iap.httpsResourceAccessor",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.iap.WebTypeAppEngingIamMember;
import com.pulumi.gcp.iap.WebTypeAppEngingIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new WebTypeAppEngingIamMember("member", WebTypeAppEngingIamMemberArgs.builder()
.project(app.project())
.appId(app.appId())
.role("roles/iap.httpsResourceAccessor")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:iap:WebTypeAppEngingIamMember
properties:
project: ${app.project}
appId: ${app.appId}
role: roles/iap.httpsResourceAccessor
member: user:jane@example.com
The WebTypeAppEngingIamMember resource adds one member to a role without affecting existing members. This is non-authoritative: other members for the same role are preserved. Use this when you want to grant access incrementally rather than managing the complete list.
Apply time-based access with IAM Conditions
Access requirements sometimes include temporal constraints, such as expiration dates or time-of-day restrictions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/iap.httpsResourceAccessor",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.iap.WebTypeAppEngingIamPolicy("policy", {
project: app.project,
appId: app.appId,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/iap.httpsResourceAccessor",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.iap.WebTypeAppEngingIamPolicy("policy",
project=app["project"],
app_id=app["appId"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/iap"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/iap.httpsResourceAccessor",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = iap.NewWebTypeAppEngingIamPolicy(ctx, "policy", &iap.WebTypeAppEngingIamPolicyArgs{
Project: pulumi.Any(app.Project),
AppId: pulumi.Any(app.AppId),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/iap.httpsResourceAccessor",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Iap.WebTypeAppEngingIamPolicy("policy", new()
{
Project = app.Project,
AppId = app.AppId,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.iap.WebTypeAppEngingIamPolicy;
import com.pulumi.gcp.iap.WebTypeAppEngingIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/iap.httpsResourceAccessor")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new WebTypeAppEngingIamPolicy("policy", WebTypeAppEngingIamPolicyArgs.builder()
.project(app.project())
.appId(app.appId())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:iap:WebTypeAppEngingIamPolicy
properties:
project: ${app.project}
appId: ${app.appId}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/iap.httpsResourceAccessor
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
IAM Conditions add constraints to role bindings. The condition block defines a title (for identification), an optional description, and an expression (CEL syntax). Here, the expression checks that the request time is before midnight on January 1, 2020. When the condition evaluates to false, the binding no longer grants access. IAM Conditions have known limitations; review the GCP documentation if you encounter issues.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management and IAM Conditions for temporal access control. They’re intentionally minimal rather than full access control solutions.
The examples reference pre-existing infrastructure such as an App Engine application (project and appId). They focus on configuring IAM access rather than provisioning the application itself.
To keep things focused, common IAM patterns are omitted, including:
- Combining Policy with Binding/Member resources (causes conflicts)
- Multiple Binding resources for the same role (causes conflicts)
- Service account and group member types
- Domain and allUsers member types
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the WebTypeAppEngingIamPolicy resource reference for all available configuration options.
Let's configure GCP Identity-Aware Proxy IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Which IAM resource should I use: Policy, Binding, or Member?
Choose based on your management needs:
- Policy (
WebTypeAppEngingIamPolicy) - Authoritative control of the entire IAM policy, replaces any existing policy - Binding (
WebTypeAppEngingIamBinding) - Authoritative for a specific role, preserves other roles in the policy - Member (
WebTypeAppEngingIamMember) - Non-authoritative, adds individual members while preserving existing members for the role
Can I use Policy with Binding or Member resources?
No,
WebTypeAppEngingIamPolicy cannot be used with WebTypeAppEngingIamBinding or WebTypeAppEngingIamMember because they will conflict over policy control.Can I use Binding and Member resources together?
Yes, but only if they don’t grant privileges to the same role. Each role must be managed by either Binding or Member resources, not both.
Configuration & Setup
How do I generate the policyData for the Policy resource?
Use the
gcp.organizations.getIAMPolicy data source with your desired bindings configuration, then pass the resulting policyData to the Policy resource.What properties are immutable after creation?
Both
appId and project are immutable and cannot be changed after the resource is created.IAM Conditions
How do I add time-based or conditional access?
Add a
condition block with title, description, and expression fields. For example, to expire access: expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")".Are there limitations with IAM Conditions?
Yes, IAM Conditions have known limitations. If you experience issues, consult the GCP IAM Conditions limitations documentation.