The gcp:compute/instantSnapshotIamMember:InstantSnapshotIamMember resource, part of the Pulumi GCP provider, grants IAM roles to individual members for Compute Engine instant snapshots without affecting other members assigned to the same role. This guide focuses on two capabilities: single-member role grants and time-limited access with IAM Conditions.
This resource is non-authoritative, meaning it adds one member to a role without removing existing members. It references existing instant snapshots and requires a configured GCP project and zone. The examples are intentionally small. Combine them with your own snapshot resources and access policies.
Grant a role to a single member
Most access management starts by granting permissions to individual users or service accounts without disrupting existing role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.InstantSnapshotIamMember("member", {
project: _default.project,
zone: _default.zone,
name: _default.name,
role: "roles/compute.storageAdmin",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.InstantSnapshotIamMember("member",
project=default["project"],
zone=default["zone"],
name=default["name"],
role="roles/compute.storageAdmin",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewInstantSnapshotIamMember(ctx, "member", &compute.InstantSnapshotIamMemberArgs{
Project: pulumi.Any(_default.Project),
Zone: pulumi.Any(_default.Zone),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/compute.storageAdmin"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.InstantSnapshotIamMember("member", new()
{
Project = @default.Project,
Zone = @default.Zone,
Name = @default.Name,
Role = "roles/compute.storageAdmin",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.InstantSnapshotIamMember;
import com.pulumi.gcp.compute.InstantSnapshotIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new InstantSnapshotIamMember("member", InstantSnapshotIamMemberArgs.builder()
.project(default_.project())
.zone(default_.zone())
.name(default_.name())
.role("roles/compute.storageAdmin")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:compute:InstantSnapshotIamMember
properties:
project: ${default.project}
zone: ${default.zone}
name: ${default.name}
role: roles/compute.storageAdmin
member: user:jane@example.com
The member property identifies who receives access using formats like “user:jane@example.com” or “serviceAccount:app@project.iam.gserviceaccount.com”. The role property specifies the permission level, such as “roles/compute.storageAdmin”. The name, project, and zone properties locate the instant snapshot. This resource is non-authoritative: it adds this member to the role without removing others who already have the same role.
Add time-limited access with IAM Conditions
Temporary access grants expire automatically when conditions evaluate to false, eliminating manual cleanup.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.compute.InstantSnapshotIamMember("member", {
project: _default.project,
zone: _default.zone,
name: _default.name,
role: "roles/compute.storageAdmin",
member: "user:jane@example.com",
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
member = gcp.compute.InstantSnapshotIamMember("member",
project=default["project"],
zone=default["zone"],
name=default["name"],
role="roles/compute.storageAdmin",
member="user:jane@example.com",
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/compute"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := compute.NewInstantSnapshotIamMember(ctx, "member", &compute.InstantSnapshotIamMemberArgs{
Project: pulumi.Any(_default.Project),
Zone: pulumi.Any(_default.Zone),
Name: pulumi.Any(_default.Name),
Role: pulumi.String("roles/compute.storageAdmin"),
Member: pulumi.String("user:jane@example.com"),
Condition: &compute.InstantSnapshotIamMemberConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Compute.InstantSnapshotIamMember("member", new()
{
Project = @default.Project,
Zone = @default.Zone,
Name = @default.Name,
Role = "roles/compute.storageAdmin",
Member = "user:jane@example.com",
Condition = new Gcp.Compute.Inputs.InstantSnapshotIamMemberConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.compute.InstantSnapshotIamMember;
import com.pulumi.gcp.compute.InstantSnapshotIamMemberArgs;
import com.pulumi.gcp.compute.inputs.InstantSnapshotIamMemberConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new InstantSnapshotIamMember("member", InstantSnapshotIamMemberArgs.builder()
.project(default_.project())
.zone(default_.zone())
.name(default_.name())
.role("roles/compute.storageAdmin")
.member("user:jane@example.com")
.condition(InstantSnapshotIamMemberConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
member:
type: gcp:compute:InstantSnapshotIamMember
properties:
project: ${default.project}
zone: ${default.zone}
name: ${default.name}
role: roles/compute.storageAdmin
member: user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block defines when access is valid. The expression property uses CEL (Common Expression Language) to evaluate time-based rules; here, access expires at midnight on 2020-01-01. The title and description properties document the condition’s purpose. IAM evaluates conditions on every request, automatically denying access once the timestamp passes.
Beyond these examples
These snippets focus on specific member-level features: single-member IAM grants and time-based access expiration. They’re intentionally minimal rather than full access control policies.
The examples reference pre-existing infrastructure such as Compute Engine instant snapshots and a GCP project with configured zone. They focus on granting access to individual members rather than managing complete IAM policies.
To keep things focused, common IAM patterns are omitted, including:
- Multi-member role bindings (InstantSnapshotIamBinding)
- Full policy replacement (InstantSnapshotIamPolicy)
- Advanced condition expressions (resource attributes, request context)
- Custom role definitions and formatting
These omissions are intentional: the goal is to illustrate how member-level access grants are wired, not provide drop-in IAM modules. See the InstantSnapshotIamMember resource reference for all available configuration options.
Let's manage GCP Instant Snapshot IAM Permissions
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Three resources manage IAM policies with different behaviors:
InstantSnapshotIamPolicy: Authoritative. Replaces the entire IAM policy.InstantSnapshotIamBinding: Authoritative for a specific role. Grants a role to multiple members while preserving other roles.InstantSnapshotIamMember: Non-authoritative. Grants a role to a single member while preserving other members for that role.
InstantSnapshotIamPolicy with InstantSnapshotIamBinding or InstantSnapshotIamMember, as they will conflict over policy state. However, you can use InstantSnapshotIamBinding and InstantSnapshotIamMember together only if they grant different roles.InstantSnapshotIamPolicy when you need full control over the entire policy. Use InstantSnapshotIamBinding to manage all members for a specific role. Use InstantSnapshotIamMember to add individual members without affecting existing members for that role.IAM Configuration
The member property supports multiple identity formats:
allUsersorallAuthenticatedUsersfor public/authenticated accessuser:{email},serviceAccount:{email},group:{email}for specific identitiesdomain:{domain}for G Suite domainsprojectOwner:{projectid},projectEditor:{projectid},projectViewer:{projectid}for project-level roles- Federated identities using principal identifiers (e.g.,
principal://iam.googleapis.com/...)
[projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.condition property with title, description, and expression fields. However, IAM Conditions have known limitations that you should review in the GCP documentation before use.Resource Properties
member, role, name, project, zone, and condition. You must recreate the resource to change any of these values.project isn’t specified, it’s parsed from the parent resource identifier or falls back to the provider configuration. If zone isn’t specified, it’s parsed from the parent identifier or provider configuration.