The gcp:kms/ekmConnectionIamPolicy:EkmConnectionIamPolicy resource, part of the Pulumi GCP provider, manages IAM access control for Cloud KMS External Key Manager connections. EKM connections link Cloud KMS to external key management systems. This guide focuses on four capabilities: authoritative policy replacement, role-based binding, individual member grants, and time-based IAM Conditions.
Three related resources manage EKM connection access: IamPolicy (authoritative, replaces entire policy), IamBinding (authoritative per role, preserves other roles), and IamMember (non-authoritative, adds individual members). IamPolicy cannot be used with IamBinding or IamMember on the same connection. IamBinding and IamMember can coexist if they manage different roles. The examples are intentionally small. Combine them with your own EKM connections and organizational access policies.
Grant a role to multiple members with IamBinding
Teams managing external key manager access often need to grant the same role to multiple users or service accounts while preserving other role assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.kms.EkmConnectionIamBinding("binding", {
project: example_ekmconnection.project,
location: example_ekmconnection.location,
name: example_ekmconnection.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.kms.EkmConnectionIamBinding("binding",
project=example_ekmconnection["project"],
location=example_ekmconnection["location"],
name=example_ekmconnection["name"],
role="roles/viewer",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := kms.NewEkmConnectionIamBinding(ctx, "binding", &kms.EkmConnectionIamBindingArgs{
Project: pulumi.Any(example_ekmconnection.Project),
Location: pulumi.Any(example_ekmconnection.Location),
Name: pulumi.Any(example_ekmconnection.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Kms.EkmConnectionIamBinding("binding", new()
{
Project = example_ekmconnection.Project,
Location = example_ekmconnection.Location,
Name = example_ekmconnection.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.EkmConnectionIamBinding;
import com.pulumi.gcp.kms.EkmConnectionIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new EkmConnectionIamBinding("binding", EkmConnectionIamBindingArgs.builder()
.project(example_ekmconnection.project())
.location(example_ekmconnection.location())
.name(example_ekmconnection.name())
.role("roles/viewer")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:kms:EkmConnectionIamBinding
properties:
project: ${["example-ekmconnection"].project}
location: ${["example-ekmconnection"].location}
name: ${["example-ekmconnection"].name}
role: roles/viewer
members:
- user:jane@example.com
The EkmConnectionIamBinding resource grants a role to a list of members. The role property specifies the IAM role (e.g., “roles/viewer”), and members lists the identities receiving access. This resource is authoritative for the specified role but preserves other roles on the connection. The project, location, and name properties identify the target EKM connection.
Add time-based conditions to role bindings
Organizations with compliance requirements often need temporary access that expires automatically, reducing stale permission risk.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.kms.EkmConnectionIamBinding("binding", {
project: example_ekmconnection.project,
location: example_ekmconnection.location,
name: example_ekmconnection.name,
role: "roles/viewer",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.kms.EkmConnectionIamBinding("binding",
project=example_ekmconnection["project"],
location=example_ekmconnection["location"],
name=example_ekmconnection["name"],
role="roles/viewer",
members=["user:jane@example.com"],
condition={
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
})
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := kms.NewEkmConnectionIamBinding(ctx, "binding", &kms.EkmConnectionIamBindingArgs{
Project: pulumi.Any(example_ekmconnection.Project),
Location: pulumi.Any(example_ekmconnection.Location),
Name: pulumi.Any(example_ekmconnection.Name),
Role: pulumi.String("roles/viewer"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
Condition: &kms.EkmConnectionIamBindingConditionArgs{
Title: pulumi.String("expires_after_2019_12_31"),
Description: pulumi.String("Expiring at midnight of 2019-12-31"),
Expression: pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Kms.EkmConnectionIamBinding("binding", new()
{
Project = example_ekmconnection.Project,
Location = example_ekmconnection.Location,
Name = example_ekmconnection.Name,
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Kms.Inputs.EkmConnectionIamBindingConditionArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.EkmConnectionIamBinding;
import com.pulumi.gcp.kms.EkmConnectionIamBindingArgs;
import com.pulumi.gcp.kms.inputs.EkmConnectionIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new EkmConnectionIamBinding("binding", EkmConnectionIamBindingArgs.builder()
.project(example_ekmconnection.project())
.location(example_ekmconnection.location())
.name(example_ekmconnection.name())
.role("roles/viewer")
.members("user:jane@example.com")
.condition(EkmConnectionIamBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build());
}
}
resources:
binding:
type: gcp:kms:EkmConnectionIamBinding
properties:
project: ${["example-ekmconnection"].project}
location: ${["example-ekmconnection"].location}
name: ${["example-ekmconnection"].name}
role: roles/viewer
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
IAM Conditions add temporal or attribute-based constraints to role grants. The condition block requires a title, optional description, and expression using Common Expression Language (CEL). Here, the expression checks request.time against a timestamp, automatically revoking access after 2019-12-31. Conditions work with both IamBinding and IamMember resources.
Add individual members with IamMember
When multiple teams manage access independently, non-authoritative member grants prevent conflicts by allowing incremental additions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.kms.EkmConnectionIamMember("member", {
project: example_ekmconnection.project,
location: example_ekmconnection.location,
name: example_ekmconnection.name,
role: "roles/viewer",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.kms.EkmConnectionIamMember("member",
project=example_ekmconnection["project"],
location=example_ekmconnection["location"],
name=example_ekmconnection["name"],
role="roles/viewer",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := kms.NewEkmConnectionIamMember(ctx, "member", &kms.EkmConnectionIamMemberArgs{
Project: pulumi.Any(example_ekmconnection.Project),
Location: pulumi.Any(example_ekmconnection.Location),
Name: pulumi.Any(example_ekmconnection.Name),
Role: pulumi.String("roles/viewer"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Kms.EkmConnectionIamMember("member", new()
{
Project = example_ekmconnection.Project,
Location = example_ekmconnection.Location,
Name = example_ekmconnection.Name,
Role = "roles/viewer",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.kms.EkmConnectionIamMember;
import com.pulumi.gcp.kms.EkmConnectionIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new EkmConnectionIamMember("member", EkmConnectionIamMemberArgs.builder()
.project(example_ekmconnection.project())
.location(example_ekmconnection.location())
.name(example_ekmconnection.name())
.role("roles/viewer")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:kms:EkmConnectionIamMember
properties:
project: ${["example-ekmconnection"].project}
location: ${["example-ekmconnection"].location}
name: ${["example-ekmconnection"].name}
role: roles/viewer
member: user:jane@example.com
The EkmConnectionIamMember resource adds a single member to a role without affecting other members. Unlike IamBinding, this resource is non-authoritative: multiple IamMember resources can grant the same role to different members without conflict. Use member (singular) instead of members (plural) to specify the identity.
Replace the entire IAM policy with IamPolicy
Centralized security teams sometimes need complete control over all access grants, replacing existing permissions with a known-good state.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/viewer",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.kms.EkmConnectionIamPolicy("policy", {
project: example_ekmconnection.project,
location: example_ekmconnection.location,
name: example_ekmconnection.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/viewer",
"members": ["user:jane@example.com"],
}])
policy = gcp.kms.EkmConnectionIamPolicy("policy",
project=example_ekmconnection["project"],
location=example_ekmconnection["location"],
name=example_ekmconnection["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/kms"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/viewer",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = kms.NewEkmConnectionIamPolicy(ctx, "policy", &kms.EkmConnectionIamPolicyArgs{
Project: pulumi.Any(example_ekmconnection.Project),
Location: pulumi.Any(example_ekmconnection.Location),
Name: pulumi.Any(example_ekmconnection.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/viewer",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Kms.EkmConnectionIamPolicy("policy", new()
{
Project = example_ekmconnection.Project,
Location = example_ekmconnection.Location,
Name = example_ekmconnection.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.kms.EkmConnectionIamPolicy;
import com.pulumi.gcp.kms.EkmConnectionIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/viewer")
.members("user:jane@example.com")
.build())
.build());
var policy = new EkmConnectionIamPolicy("policy", EkmConnectionIamPolicyArgs.builder()
.project(example_ekmconnection.project())
.location(example_ekmconnection.location())
.name(example_ekmconnection.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:kms:EkmConnectionIamPolicy
properties:
project: ${["example-ekmconnection"].project}
location: ${["example-ekmconnection"].location}
name: ${["example-ekmconnection"].name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/viewer
members:
- user:jane@example.com
The EkmConnectionIamPolicy resource sets the complete IAM policy using policyData from the gcp.organizations.getIAMPolicy data source. The data source defines bindings (role-to-members mappings) that become the authoritative policy. This resource replaces any existing policy, so it cannot coexist with IamBinding or IamMember resources on the same connection.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative access control, time-based IAM Conditions, and policy data sources and bindings. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as EKM connections (referenced as example_ekmconnection) and GCP project and location configuration. They focus on configuring IAM policies rather than provisioning the underlying key management infrastructure.
To keep things focused, common IAM patterns are omitted, including:
- Custom role definitions and references
- Service account member grants
- Audit logging configuration
- Policy import and migration
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the EkmConnectionIamPolicy resource reference for all available configuration options.
Let's manage GCP Cloud KMS EKM Connection IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Three resources manage IAM policies with different scopes:
gcp.kms.EkmConnectionIamPolicy: Authoritative, replaces the entire IAM policygcp.kms.EkmConnectionIamBinding: Authoritative for a specific role, preserves other rolesgcp.kms.EkmConnectionIamMember: Non-authoritative, adds a single member to a role while preserving other members
gcp.kms.EkmConnectionIamPolicy cannot be used with gcp.kms.EkmConnectionIamBinding or gcp.kms.EkmConnectionIamMember because they will conflict over policy management. Choose one approach: use Policy for full control, or use Binding/Member for granular management.IAM Conditions & Advanced Features
condition property with title, description, and expression fields. For example, set expression to request.time < timestamp("2020-01-01T00:00:00Z") to expire access at a specific time. Note that IAM Conditions have some known limitations.gcp.organizations.getIAMPolicy data source to generate policy data, then pass it to the policyData property.Configuration & Properties
location, name, and project properties are all immutable and cannot be changed after the resource is created.