The gcp:logging/logViewIamPolicy:LogViewIamPolicy resource, part of the Pulumi GCP provider, manages IAM permissions for Cloud Logging log views, controlling who can read or modify log data. This guide focuses on three capabilities: authoritative policy replacement, time-bound access with IAM Conditions, and incremental member grants.
GCP provides three IAM resource types for log views: LogViewIamPolicy (replaces entire policy), LogViewIamBinding (manages all members for one role), and LogViewIamMember (adds individual members). The examples reference existing log views. Combine them with your own log view infrastructure.
Replace the entire IAM policy for a log view
When you need complete control over who can access a log view, you can set the entire IAM policy at once.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/logging.admin",
members: ["user:jane@example.com"],
}],
});
const policy = new gcp.logging.LogViewIamPolicy("policy", {
parent: loggingLogView.parent,
location: loggingLogView.location,
bucket: loggingLogView.bucket,
name: loggingLogView.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/logging.admin",
"members": ["user:jane@example.com"],
}])
policy = gcp.logging.LogViewIamPolicy("policy",
parent=logging_log_view["parent"],
location=logging_log_view["location"],
bucket=logging_log_view["bucket"],
name=logging_log_view["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/logging.admin",
Members: []string{
"user:jane@example.com",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = logging.NewLogViewIamPolicy(ctx, "policy", &logging.LogViewIamPolicyArgs{
Parent: pulumi.Any(loggingLogView.Parent),
Location: pulumi.Any(loggingLogView.Location),
Bucket: pulumi.Any(loggingLogView.Bucket),
Name: pulumi.Any(loggingLogView.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/logging.admin",
Members = new[]
{
"user:jane@example.com",
},
},
},
});
var policy = new Gcp.Logging.LogViewIamPolicy("policy", new()
{
Parent = loggingLogView.Parent,
Location = loggingLogView.Location,
Bucket = loggingLogView.Bucket,
Name = loggingLogView.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.logging.LogViewIamPolicy;
import com.pulumi.gcp.logging.LogViewIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/logging.admin")
.members("user:jane@example.com")
.build())
.build());
var policy = new LogViewIamPolicy("policy", LogViewIamPolicyArgs.builder()
.parent(loggingLogView.parent())
.location(loggingLogView.location())
.bucket(loggingLogView.bucket())
.name(loggingLogView.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:logging:LogViewIamPolicy
properties:
parent: ${loggingLogView.parent}
location: ${loggingLogView.location}
bucket: ${loggingLogView.bucket}
name: ${loggingLogView.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/logging.admin
members:
- user:jane@example.com
The LogViewIamPolicy resource replaces any existing policy. The getIAMPolicy data source constructs the policy document with bindings that map roles to members. The parent, location, bucket, and name properties identify which log view receives the policy. This approach is authoritative: it removes any permissions not listed in the policy.
Set time-bound access with IAM Conditions
Access requirements often change over time. IAM Conditions grant temporary permissions that automatically expire.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const admin = gcp.organizations.getIAMPolicy({
bindings: [{
role: "roles/logging.admin",
members: ["user:jane@example.com"],
condition: {
title: "expires_after_2019_12_31",
description: "Expiring at midnight of 2019-12-31",
expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}],
});
const policy = new gcp.logging.LogViewIamPolicy("policy", {
parent: loggingLogView.parent,
location: loggingLogView.location,
bucket: loggingLogView.bucket,
name: loggingLogView.name,
policyData: admin.then(admin => admin.policyData),
});
import pulumi
import pulumi_gcp as gcp
admin = gcp.organizations.get_iam_policy(bindings=[{
"role": "roles/logging.admin",
"members": ["user:jane@example.com"],
"condition": {
"title": "expires_after_2019_12_31",
"description": "Expiring at midnight of 2019-12-31",
"expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
}])
policy = gcp.logging.LogViewIamPolicy("policy",
parent=logging_log_view["parent"],
location=logging_log_view["location"],
bucket=logging_log_view["bucket"],
name=logging_log_view["name"],
policy_data=admin.policy_data)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
admin, err := organizations.LookupIAMPolicy(ctx, &organizations.LookupIAMPolicyArgs{
Bindings: []organizations.GetIAMPolicyBinding{
{
Role: "roles/logging.admin",
Members: []string{
"user:jane@example.com",
},
Condition: {
Title: "expires_after_2019_12_31",
Description: pulumi.StringRef("Expiring at midnight of 2019-12-31"),
Expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
}, nil)
if err != nil {
return err
}
_, err = logging.NewLogViewIamPolicy(ctx, "policy", &logging.LogViewIamPolicyArgs{
Parent: pulumi.Any(loggingLogView.Parent),
Location: pulumi.Any(loggingLogView.Location),
Bucket: pulumi.Any(loggingLogView.Bucket),
Name: pulumi.Any(loggingLogView.Name),
PolicyData: pulumi.String(admin.PolicyData),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var admin = Gcp.Organizations.GetIAMPolicy.Invoke(new()
{
Bindings = new[]
{
new Gcp.Organizations.Inputs.GetIAMPolicyBindingInputArgs
{
Role = "roles/logging.admin",
Members = new[]
{
"user:jane@example.com",
},
Condition = new Gcp.Organizations.Inputs.GetIAMPolicyBindingConditionInputArgs
{
Title = "expires_after_2019_12_31",
Description = "Expiring at midnight of 2019-12-31",
Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
},
},
},
});
var policy = new Gcp.Logging.LogViewIamPolicy("policy", new()
{
Parent = loggingLogView.Parent,
Location = loggingLogView.Location,
Bucket = loggingLogView.Bucket,
Name = loggingLogView.Name,
PolicyData = admin.Apply(getIAMPolicyResult => getIAMPolicyResult.PolicyData),
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.organizations.OrganizationsFunctions;
import com.pulumi.gcp.organizations.inputs.GetIAMPolicyArgs;
import com.pulumi.gcp.logging.LogViewIamPolicy;
import com.pulumi.gcp.logging.LogViewIamPolicyArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var admin = OrganizationsFunctions.getIAMPolicy(GetIAMPolicyArgs.builder()
.bindings(GetIAMPolicyBindingArgs.builder()
.role("roles/logging.admin")
.members("user:jane@example.com")
.condition(GetIAMPolicyBindingConditionArgs.builder()
.title("expires_after_2019_12_31")
.description("Expiring at midnight of 2019-12-31")
.expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
.build())
.build())
.build());
var policy = new LogViewIamPolicy("policy", LogViewIamPolicyArgs.builder()
.parent(loggingLogView.parent())
.location(loggingLogView.location())
.bucket(loggingLogView.bucket())
.name(loggingLogView.name())
.policyData(admin.policyData())
.build());
}
}
resources:
policy:
type: gcp:logging:LogViewIamPolicy
properties:
parent: ${loggingLogView.parent}
location: ${loggingLogView.location}
bucket: ${loggingLogView.bucket}
name: ${loggingLogView.name}
policyData: ${admin.policyData}
variables:
admin:
fn::invoke:
function: gcp:organizations:getIAMPolicy
arguments:
bindings:
- role: roles/logging.admin
members:
- user:jane@example.com
condition:
title: expires_after_2019_12_31
description: Expiring at midnight of 2019-12-31
expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block adds temporal constraints to role bindings. The expression property uses Common Expression Language (CEL) to define when access is valid. Here, the timestamp comparison grants access until midnight on December 31, 2019. The title and description document the condition’s purpose for auditing.
Grant a role to multiple members with binding
When multiple users or service accounts need the same role, a binding manages them as a group.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const binding = new gcp.logging.LogViewIamBinding("binding", {
parent: loggingLogView.parent,
location: loggingLogView.location,
bucket: loggingLogView.bucket,
name: loggingLogView.name,
role: "roles/logging.admin",
members: ["user:jane@example.com"],
});
import pulumi
import pulumi_gcp as gcp
binding = gcp.logging.LogViewIamBinding("binding",
parent=logging_log_view["parent"],
location=logging_log_view["location"],
bucket=logging_log_view["bucket"],
name=logging_log_view["name"],
role="roles/logging.admin",
members=["user:jane@example.com"])
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := logging.NewLogViewIamBinding(ctx, "binding", &logging.LogViewIamBindingArgs{
Parent: pulumi.Any(loggingLogView.Parent),
Location: pulumi.Any(loggingLogView.Location),
Bucket: pulumi.Any(loggingLogView.Bucket),
Name: pulumi.Any(loggingLogView.Name),
Role: pulumi.String("roles/logging.admin"),
Members: pulumi.StringArray{
pulumi.String("user:jane@example.com"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var binding = new Gcp.Logging.LogViewIamBinding("binding", new()
{
Parent = loggingLogView.Parent,
Location = loggingLogView.Location,
Bucket = loggingLogView.Bucket,
Name = loggingLogView.Name,
Role = "roles/logging.admin",
Members = new[]
{
"user:jane@example.com",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.logging.LogViewIamBinding;
import com.pulumi.gcp.logging.LogViewIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var binding = new LogViewIamBinding("binding", LogViewIamBindingArgs.builder()
.parent(loggingLogView.parent())
.location(loggingLogView.location())
.bucket(loggingLogView.bucket())
.name(loggingLogView.name())
.role("roles/logging.admin")
.members("user:jane@example.com")
.build());
}
}
resources:
binding:
type: gcp:logging:LogViewIamBinding
properties:
parent: ${loggingLogView.parent}
location: ${loggingLogView.location}
bucket: ${loggingLogView.bucket}
name: ${loggingLogView.name}
role: roles/logging.admin
members:
- user:jane@example.com
The LogViewIamBinding resource is authoritative for one role but preserves other roles on the log view. The members array lists all identities that should have this role. Adding or removing members requires updating this list. Unlike LogViewIamPolicy, other roles remain unchanged.
Add a single member without affecting others
Adding one person shouldn’t require listing everyone who already has access.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
const member = new gcp.logging.LogViewIamMember("member", {
parent: loggingLogView.parent,
location: loggingLogView.location,
bucket: loggingLogView.bucket,
name: loggingLogView.name,
role: "roles/logging.admin",
member: "user:jane@example.com",
});
import pulumi
import pulumi_gcp as gcp
member = gcp.logging.LogViewIamMember("member",
parent=logging_log_view["parent"],
location=logging_log_view["location"],
bucket=logging_log_view["bucket"],
name=logging_log_view["name"],
role="roles/logging.admin",
member="user:jane@example.com")
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := logging.NewLogViewIamMember(ctx, "member", &logging.LogViewIamMemberArgs{
Parent: pulumi.Any(loggingLogView.Parent),
Location: pulumi.Any(loggingLogView.Location),
Bucket: pulumi.Any(loggingLogView.Bucket),
Name: pulumi.Any(loggingLogView.Name),
Role: pulumi.String("roles/logging.admin"),
Member: pulumi.String("user:jane@example.com"),
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
var member = new Gcp.Logging.LogViewIamMember("member", new()
{
Parent = loggingLogView.Parent,
Location = loggingLogView.Location,
Bucket = loggingLogView.Bucket,
Name = loggingLogView.Name,
Role = "roles/logging.admin",
Member = "user:jane@example.com",
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.logging.LogViewIamMember;
import com.pulumi.gcp.logging.LogViewIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var member = new LogViewIamMember("member", LogViewIamMemberArgs.builder()
.parent(loggingLogView.parent())
.location(loggingLogView.location())
.bucket(loggingLogView.bucket())
.name(loggingLogView.name())
.role("roles/logging.admin")
.member("user:jane@example.com")
.build());
}
}
resources:
member:
type: gcp:logging:LogViewIamMember
properties:
parent: ${loggingLogView.parent}
location: ${loggingLogView.location}
bucket: ${loggingLogView.bucket}
name: ${loggingLogView.name}
role: roles/logging.admin
member: user:jane@example.com
The LogViewIamMember resource adds one identity to one role without touching existing grants. The member property specifies a single identity (user, service account, or group). This is the safest way to grant access incrementally, as it never removes existing permissions.
Beyond these examples
These snippets focus on specific IAM management features: authoritative vs incremental IAM management, IAM Conditions for time-based access, and role and member configuration. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as log views identified by parent, location, bucket, and name. They focus on configuring IAM permissions rather than creating the log views themselves.
To keep things focused, common IAM patterns are omitted, including:
- Custom role paths (projects//roles/ or organizations//roles/)
- Service account and group member formats
- Complex IAM Condition expressions beyond time-based
- Combining binding and member resources safely
These omissions are intentional: the goal is to illustrate how each IAM resource type is wired, not provide drop-in access control modules. See the LogViewIamPolicy resource reference for all available configuration options.
Let's configure GCP Log View IAM Policies
Get started with Pulumi Cloud, then follow our quick setup guide to deploy this infrastructure.
Try Pulumi Cloud for FREEFrequently Asked Questions
Resource Selection & Conflicts
Can I use LogViewIamPolicy together with LogViewIamBinding or LogViewIamMember?
No,
gcp.logging.LogViewIamPolicy cannot be used with gcp.logging.LogViewIamBinding or gcp.logging.LogViewIamMember because they will conflict over the policy configuration.Can I use LogViewIamBinding and LogViewIamMember together?
Yes, but only if they don’t grant privileges to the same role. Each role must be managed by only one resource type to avoid conflicts.
Which IAM resource should I use for managing log view permissions?
Choose based on your needs:
gcp.logging.LogViewIamPolicy- Authoritative, replaces the entire IAM policygcp.logging.LogViewIamBinding- Authoritative for a specific role, preserves other rolesgcp.logging.LogViewIamMember- Non-authoritative, adds individual members without affecting others
IAM Conditions & Custom Roles
Are there limitations when using IAM Conditions with log views?
Yes, IAM Conditions are supported but have known limitations. Review the GCP documentation on IAM Conditions limitations if you encounter issues.
How do I import a log view IAM resource with a custom role?
Use the full name of the custom role in the format
[projects/my-project|organizations/my-org]/roles/my-custom-role when importing.How do I add IAM Conditions to my log view policy?
Add a
condition block with title, description, and expression fields. For example, you can set expiration conditions using expressions like request.time < timestamp("2020-01-01T00:00:00Z").Configuration & Properties
What properties are immutable after creating a LogViewIamPolicy?
The
bucket, location, name, and parent properties are all immutable and cannot be changed after creation.How do I generate the policyData for LogViewIamPolicy?
Use the
gcp.organizations.getIAMPolicy data source to generate policyData, then pass it to the policyData property as shown in the examples.