The gcp:logging/logViewIamPolicy:LogViewIamPolicy resource, part of the Pulumi GCP provider, manages IAM access control for Cloud Logging log views. This guide focuses on four capabilities: authoritative policy replacement, role bindings for multiple members, non-authoritative member grants, and time-bound access with IAM Conditions.
These resources reference existing log views by parent, location, bucket, and name. The examples are intentionally small. Combine them with your own log view infrastructure and organizational IAM policies.
Replace the entire IAM policy for a log view
When you need complete control over access, you can set the entire IAM policy at once, replacing any existing permissions.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/logging.admin",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.logging.LogViewIamPolicy("policy", {
parent: loggingLogView.parent,
location: loggingLogView.location,
bucket: loggingLogView.bucket,
name: loggingLogView.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/logging.admin",
"members": ["user:jane@example.com"],
}])
policy = gcp.logging.LogViewIamPolicy("policy",
parent=logging_log_view["parent"],
location=logging_log_view["location"],
bucket=logging_log_view["bucket"],
name=logging_log_view["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/logging.admin",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = logging.NewLogViewIamPolicy(ctx, "policy", &logging.LogViewIamPolicyArgs{
Parent: pulumi.Any(loggingLogView.Parent),
Location: pulumi.Any(loggingLogView.Location),
Bucket: pulumi.Any(loggingLogView.Bucket),
Name: pulumi.Any(loggingLogView.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/logging.admin",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Logging.LogViewIamPolicy("policy", new()
{
Parent = loggingLogView.Parent,
Location = loggingLogView.Location,
Bucket = loggingLogView.Bucket,
Name = loggingLogView.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.logging.LogViewIamPolicy;
import com.pulumi.gcp.logging.LogViewIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/logging.admin")
.members("user:jane@example.com")
.build())
.build());
var policy = new LogViewIamPolicy("policy", LogViewIamPolicyArgs.builder()
.parent(loggingLogView.parent())
.location(loggingLogView.location())
.bucket(loggingLogView.bucket())
.name(loggingLogView.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:logging:LogViewIamPolicy
properties:
parent: ${loggingLogView.parent}
location: ${loggingLogView.location}
bucket: ${loggingLogView.bucket}
name: ${loggingLogView.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/logging.admin
members:
- user:jane@example.com
The LogViewIamPolicy resource is authoritative: it replaces the entire IAM policy for the log view. The policyData comes from getIAMPolicy, which defines bindings between roles and members. The parent, location, bucket, and name properties identify which log view to manage. This approach gives you full control but cannot be used alongside LogViewIamBinding or LogViewIamMember resources, as they would conflict over policy ownership.
Set time-bound access with IAM Conditions
IAM Conditions let you grant temporary access that expires automatically, useful for contractors or time-limited projects.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/logging.admin",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.logging.LogViewIamPolicy("policy", {
parent: loggingLogView.parent,
location: loggingLogView.location,
bucket: loggingLogView.bucket,
name: loggingLogView.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/logging.admin",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.logging.LogViewIamPolicy("policy",
parent=logging_log_view["parent"],
location=logging_log_view["location"],
bucket=logging_log_view["bucket"],
name=logging_log_view["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/logging.admin",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = logging.NewLogViewIamPolicy(ctx, "policy", &logging.LogViewIamPolicyArgs{
Parent: pulumi.Any(loggingLogView.Parent),
Location: pulumi.Any(loggingLogView.Location),
Bucket: pulumi.Any(loggingLogView.Bucket),
Name: pulumi.Any(loggingLogView.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/logging.admin",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Logging.LogViewIamPolicy("policy", new()
{
Parent = loggingLogView.Parent,
Location = loggingLogView.Location,
Bucket = loggingLogView.Bucket,
Name = loggingLogView.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.logging.LogViewIamPolicy;
import com.pulumi.gcp.logging.LogViewIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/logging.admin")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new LogViewIamPolicy("policy", LogViewIamPolicyArgs.builder()
.parent(loggingLogView.parent())
.location(loggingLogView.location())
.bucket(loggingLogView.bucket())
.name(loggingLogView.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:logging:LogViewIamPolicy
properties:
parent: ${loggingLogView.parent}
location: ${loggingLogView.location}
bucket: ${loggingLogView.bucket}
name: ${loggingLogView.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/logging.admin
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds temporal constraints to role grants. The expression uses CEL (Common Expression Language) to compare request.time against a timestamp. When the condition evaluates to false, the binding no longer grants access. The title and description help identify the condition’s purpose in audit logs.
Grant a role to multiple members
When multiple users or service accounts need the same access level, you can bind them all to a single role.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.logging.LogViewIamBinding("binding", {
parent: loggingLogView.parent,
location: loggingLogView.location,
bucket: loggingLogView.bucket,
name: loggingLogView.name,
role: "roles/logging.admin",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.logging.LogViewIamBinding("binding",
parent=logging_log_view["parent"],
location=logging_log_view["location"],
bucket=logging_log_view["bucket"],
name=logging_log_view["name"],
role="roles/logging.admin",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := logging.NewLogViewIamBinding(ctx, "binding", &logging.LogViewIamBindingArgs{
Parent: pulumi.Any(loggingLogView.Parent),
Location: pulumi.Any(loggingLogView.Location),
Bucket: pulumi.Any(loggingLogView.Bucket),
Name: pulumi.Any(loggingLogView.Name),
Role: pulumi.String("roles/logging.admin"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Logging.LogViewIamBinding("binding", new()
{
Parent = loggingLogView.Parent,
Location = loggingLogView.Location,
Bucket = loggingLogView.Bucket,
Name = loggingLogView.Name,
Role = "roles/logging.admin",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.logging.LogViewIamBinding;
import com.pulumi.gcp.logging.LogViewIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new LogViewIamBinding("binding", LogViewIamBindingArgs.builder()
.parent(loggingLogView.parent())
.location(loggingLogView.location())
.bucket(loggingLogView.bucket())
.name(loggingLogView.name())
.role("roles/logging.admin")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:logging:LogViewIamBinding
properties:
parent: ${loggingLogView.parent}
location: ${loggingLogView.location}
bucket: ${loggingLogView.bucket}
name: ${loggingLogView.name}
role: roles/logging.admin
members:
- user:jane@example.com
The LogViewIamBinding resource is authoritative for the specified role: it sets the complete member list for that role while preserving other role assignments. The members array accepts user, serviceAccount, group, and domain identities. This resource can coexist with LogViewIamMember resources as long as they don’t manage the same role.
Add a single member to a role incrementally
When you need to grant access to one additional user without disturbing existing permissions, non-authoritative member grants let you add incrementally.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.logging.LogViewIamMember("member", {
parent: loggingLogView.parent,
location: loggingLogView.location,
bucket: loggingLogView.bucket,
name: loggingLogView.name,
role: "roles/logging.admin",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.logging.LogViewIamMember("member",
parent=logging_log_view["parent"],
location=logging_log_view["location"],
bucket=logging_log_view["bucket"],
name=logging_log_view["name"],
role="roles/logging.admin",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := logging.NewLogViewIamMember(ctx, "member", &logging.LogViewIamMemberArgs{
Parent: pulumi.Any(loggingLogView.Parent),
Location: pulumi.Any(loggingLogView.Location),
Bucket: pulumi.Any(loggingLogView.Bucket),
Name: pulumi.Any(loggingLogView.Name),
Role: pulumi.String("roles/logging.admin"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Logging.LogViewIamMember("member", new()
{
Parent = loggingLogView.Parent,
Location = loggingLogView.Location,
Bucket = loggingLogView.Bucket,
Name = loggingLogView.Name,
Role = "roles/logging.admin",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.logging.LogViewIamMember;
import com.pulumi.gcp.logging.LogViewIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new LogViewIamMember("member", LogViewIamMemberArgs.builder()
.parent(loggingLogView.parent())
.location(loggingLogView.location())
.bucket(loggingLogView.bucket())
.name(loggingLogView.name())
.role("roles/logging.admin")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:logging:LogViewIamMember
properties:
parent: ${loggingLogView.parent}
location: ${loggingLogView.location}
bucket: ${loggingLogView.bucket}
name: ${loggingLogView.name}
role: roles/logging.admin
member: user:jane@example.com
The LogViewIamMember resource is non-authoritative: it adds one member to a role without replacing existing members. The member property takes a single identity (user, serviceAccount, group, or domain). Multiple LogViewIamMember resources can safely manage the same role, each adding one member.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs non-authoritative IAM management, time-based access with IAM Conditions, and role and member binding patterns. They’re intentionally minimal rather than complete access control configurations.
The examples reference pre-existing infrastructure such as log views identified by parent, location, bucket, and name. They focus on IAM policy configuration rather than provisioning the log views themselves.
To keep things focused, common IAM patterns are omitted, including:
- Custom role definitions (projects//roles/ or organizations//roles/)
- Service account and group member types
- Multiple conditions per binding
- IAM Condition limitations and known issues
These omissions are intentional: the goal is to illustrate how each IAM management approach is wired, not provide drop-in access control modules. See the LogViewIamPolicy resource reference for all available configuration options.
Let's configure GCP Log View IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
What's the difference between LogViewIamPolicy, LogViewIamBinding, and LogViewIamMember?
These three resources manage IAM policies with different levels of control:
LogViewIamPolicyis authoritative and replaces the entire IAM policyLogViewIamBindingis authoritative for a specific role, preserving other roles in the policyLogViewIamMemberis non-authoritative, adding individual members without affecting other members or roles
Can I use LogViewIamPolicy with LogViewIamBinding or LogViewIamMember?
No,
LogViewIamPolicy cannot be used with LogViewIamBinding or LogViewIamMember because they will conflict over the policy state.Can I use LogViewIamBinding with LogViewIamMember together?
Yes, but only if they don’t grant privileges to the same role. Using both for the same role will cause conflicts.
IAM Conditions & Advanced Features
Does this resource support IAM Conditions?
Yes, all three IAM resources support IAM Conditions (like time-based expiration), but there are known limitations you should review in GCP’s documentation.
How do I generate the policyData for LogViewIamPolicy?
Use the
gcp.organizations.getIAMPolicy data source with your desired bindings configuration, then pass its policyData output to the resource.Import & Configuration
How do I import a resource that uses a custom IAM role?
Use the full custom role name in the format
[projects/my-project|organizations/my-org]/roles/my-custom-role rather than just the role name.What properties can't be changed after creating the resource?
The
bucket, location, name, and parent properties are all immutable. Only policyData can be updated after creation.