The gcp:logging/logViewIamBinding:LogViewIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Cloud Logging log views, controlling which identities can access specific log data. This guide focuses on three capabilities: role-based access with multiple members, time-based access conditions, and additive member grants.
IAM bindings reference existing log views through parent, location, bucket, and name properties. The examples are intentionally small. Combine them with your own log view infrastructure and organizational access policies.
Grant a role to multiple members with LogViewIamBinding
Teams managing log views often need to grant the same role to multiple users or service accounts at once.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.logging.LogViewIamBinding("binding", {
    parent: loggingLogView.parent,
    location: loggingLogView.location,
    bucket: loggingLogView.bucket,
    name: loggingLogView.name,
    role: "roles/logging.admin",
    members: ["user:jane@example.com"],
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.logging.LogViewIamBinding("binding",
    parent=logging_log_view["parent"],
    location=logging_log_view["location"],
    bucket=logging_log_view["bucket"],
    name=logging_log_view["name"],
    role="roles/logging.admin",
    members=["user:jane@example.com"])

package main

import (
    "github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := logging.NewLogViewIamBinding(ctx, "binding", &logging.LogViewIamBindingArgs{
            Parent:   pulumi.Any(loggingLogView.Parent),
            Location: pulumi.Any(loggingLogView.Location),
            Bucket:   pulumi.Any(loggingLogView.Bucket),
            Name:     pulumi.Any(loggingLogView.Name),
            Role:     pulumi.String("roles/logging.admin"),
            Members: pulumi.StringArray{
                pulumi.String("user:jane@example.com"),
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var binding = new Gcp.Logging.LogViewIamBinding("binding", new()
    {
        Parent = loggingLogView.Parent,
        Location = loggingLogView.Location,
        Bucket = loggingLogView.Bucket,
        Name = loggingLogView.Name,
        Role = "roles/logging.admin",
        Members = new[]
        {
            "user:jane@example.com",
        },
    });
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.logging.LogViewIamBinding;
import com.pulumi.gcp.logging.LogViewIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new LogViewIamBinding("binding", LogViewIamBindingArgs.builder()
            .parent(loggingLogView.parent())
            .location(loggingLogView.location())
            .bucket(loggingLogView.bucket())
            .name(loggingLogView.name())
            .role("roles/logging.admin")
            .members("user:jane@example.com")
            .build());
    }
}

resources:
  binding:
    type: gcp:logging:LogViewIamBinding
    properties:
      parent: ${loggingLogView.parent}
      location: ${loggingLogView.location}
      bucket: ${loggingLogView.bucket}
      name: ${loggingLogView.name}
      role: roles/logging.admin
      members:
        - user:jane@example.com
The LogViewIamBinding resource is authoritative for a specific role: it replaces all members for that role with the list you provide. The members array accepts user accounts, service accounts, groups, and special identifiers like allAuthenticatedUsers. The parent, location, bucket, and name properties identify which log view receives the binding.
Add time-based conditions to role bindings
Access policies sometimes need expiration dates or time-based restrictions to enforce temporary access or compliance requirements.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const binding = new gcp.logging.LogViewIamBinding("binding", {
    parent: loggingLogView.parent,
    location: loggingLogView.location,
    bucket: loggingLogView.bucket,
    name: loggingLogView.name,
    role: "roles/logging.admin",
    members: ["user:jane@example.com"],
    condition: {
        title: "expires_after_2019_12_31",
        description: "Expiring at midnight of 2019-12-31",
        expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    },
});

import pulumi
import pulumi_gcp as gcp

binding = gcp.logging.LogViewIamBinding("binding",
    parent=logging_log_view["parent"],
    location=logging_log_view["location"],
    bucket=logging_log_view["bucket"],
    name=logging_log_view["name"],
    role="roles/logging.admin",
    members=["user:jane@example.com"],
    condition={
        "title": "expires_after_2019_12_31",
        "description": "Expiring at midnight of 2019-12-31",
        "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
    })

package main

import (
    "github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := logging.NewLogViewIamBinding(ctx, "binding", &logging.LogViewIamBindingArgs{
            Parent:   pulumi.Any(loggingLogView.Parent),
            Location: pulumi.Any(loggingLogView.Location),
            Bucket:   pulumi.Any(loggingLogView.Bucket),
            Name:     pulumi.Any(loggingLogView.Name),
            Role:     pulumi.String("roles/logging.admin"),
            Members: pulumi.StringArray{
                pulumi.String("user:jane@example.com"),
            },
            Condition: &logging.LogViewIamBindingConditionArgs{
                Title:       pulumi.String("expires_after_2019_12_31"),
                Description: pulumi.String("Expiring at midnight of 2019-12-31"),
                Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
            },
        })
        if err != nil {
            return err
        }
        return nil
    })
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var binding = new Gcp.Logging.LogViewIamBinding("binding", new()
    {
        Parent = loggingLogView.Parent,
        Location = loggingLogView.Location,
        Bucket = loggingLogView.Bucket,
        Name = loggingLogView.Name,
        Role = "roles/logging.admin",
        Members = new[]
        {
            "user:jane@example.com",
        },
        Condition = new Gcp.Logging.Inputs.LogViewIamBindingConditionArgs
        {
            Title = "expires_after_2019_12_31",
            Description = "Expiring at midnight of 2019-12-31",
            Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.logging.LogViewIamBinding;
import com.pulumi.gcp.logging.LogViewIamBindingArgs;
import com.pulumi.gcp.logging.inputs.LogViewIamBindingConditionArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var binding = new LogViewIamBinding("binding", LogViewIamBindingArgs.builder()
            .parent(loggingLogView.parent())
            .location(loggingLogView.location())
            .bucket(loggingLogView.bucket())
            .name(loggingLogView.name())
            .role("roles/logging.admin")
            .members("user:jane@example.com")
            .condition(LogViewIamBindingConditionArgs.builder()
                .title("expires_after_2019_12_31")
                .description("Expiring at midnight of 2019-12-31")
                .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                .build())
            .build());
    }
}

resources:
  binding:
    type: gcp:logging:LogViewIamBinding
    properties:
      parent: ${loggingLogView.parent}
      location: ${loggingLogView.location}
      bucket: ${loggingLogView.bucket}
      name: ${loggingLogView.name}
      role: roles/logging.admin
      members:
        - user:jane@example.com
      condition:
        title: expires_after_2019_12_31
        description: Expiring at midnight of 2019-12-31
        expression: request.time < timestamp("2020-01-01T00:00:00Z")
IAM Conditions let you add temporal or attribute-based restrictions to role bindings. The condition block requires a title and an expression; the description is optional. The expression uses Common Expression Language (CEL) to define when the binding applies; here, it grants access until midnight at the end of 2019-12-31 (request.time before 2020-01-01T00:00:00Z). Conditions work with both LogViewIamBinding and LogViewIamMember.
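A pre-deployment check for the expiry-style condition shown above, written here as an added example; it is not part of the Pulumi provider or of the page's own programs. It validates the required title and expression fields, extracts the expiry instant from a request.time < timestamp("...") expression, and reports whether the binding is still active at a given reference time. Only that one expression shape is parsed; any other CEL expression is reported as unparsed rather than guessed at. The CONDITION dictionary is the page's condition block, and utc() is a small helper introduced for the example.

```python
import re
from datetime import datetime, timezone

# The condition block from the page's binding example, as it would be passed
# to LogViewIamBinding. Note that its expiry is already in the past.
CONDITION = {
    "title": "expires_after_2019_12_31",
    "description": "Expiring at midnight of 2019-12-31",
    "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")',
}

# Only the expiry form used on the page is recognised:
#   request.time < timestamp("<RFC 3339 instant>")
_EXPIRY_RE = re.compile(
    r'^\s*request\.time\s*<\s*timestamp\(\s*"([^"]+)"\s*\)\s*$'
)


def utc(year, month, day):
    """Helper (constructed for this example): an aware UTC datetime."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def validate_condition(cond):
    """Return the list of problems with a condition block (empty when fine).
    title and expression are required; description is optional."""
    problems = []
    if not cond.get("title"):
        problems.append("title is required")
    if not cond.get("expression"):
        problems.append("expression is required")
    return problems


def expiry_of(expression):
    """Return the expiry as an aware datetime, or None when the expression
    is not the request.time < timestamp("...") form."""
    m = _EXPIRY_RE.match(expression)
    if not m:
        return None
    # datetime.fromisoformat accepts "+00:00" but older versions reject "Z".
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))


def condition_status(cond, now):
    """Classify a condition relative to `now` (an aware datetime):
    'invalid: ...', 'unparsed', 'expired' or 'active'."""
    problems = validate_condition(cond)
    if problems:
        return "invalid: " + "; ".join(problems)
    expiry = expiry_of(cond["expression"])
    if expiry is None:
        return "unparsed"
    return "expired" if expiry <= now else "active"


if __name__ == "__main__":
    print(condition_status(CONDITION, datetime.now(timezone.utc)))
```

Running this against the page's condition reports it as expired, which is the practical caveat: Pulumi will still create and manage the binding, but a conditional binding whose expiry has passed grants nothing, so a check like this belongs in CI before the stack is applied.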
Add individual members with LogViewIamMember
When you need to grant access to one user without affecting other members of the same role, LogViewIamMember provides non-authoritative access control.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const member = new gcp.logging.LogViewIamMember("member", {
    parent: loggingLogView.parent,
    location: loggingLogView.location,
    bucket: loggingLogView.bucket,
    name: loggingLogView.name,
    role: "roles/logging.admin",
    member: "user:jane@example.com",
});

import pulumi
import pulumi_gcp as gcp

member = gcp.logging.LogViewIamMember("member",
    parent=logging_log_view["parent"],
    location=logging_log_view["location"],
    bucket=logging_log_view["bucket"],
    name=logging_log_view["name"],
    role="roles/logging.admin",
    member="user:jane@example.com")

package main

import (
    "github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/logging"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        _, err := logging.NewLogViewIamMember(ctx, "member", &logging.LogViewIamMemberArgs{
            Parent:   pulumi.Any(loggingLogView.Parent),
            Location: pulumi.Any(loggingLogView.Location),
            Bucket:   pulumi.Any(loggingLogView.Bucket),
            Name:     pulumi.Any(loggingLogView.Name),
            Role:     pulumi.String("roles/logging.admin"),
            Member:   pulumi.String("user:jane@example.com"),
        })
        if err != nil {
            return err
        }
        return nil
    })
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;

return await Deployment.RunAsync(() =>
{
    var member = new Gcp.Logging.LogViewIamMember("member", new()
    {
        Parent = loggingLogView.Parent,
        Location = loggingLogView.Location,
        Bucket = loggingLogView.Bucket,
        Name = loggingLogView.Name,
        Role = "roles/logging.admin",
        Member = "user:jane@example.com",
    });
});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.logging.LogViewIamMember;
import com.pulumi.gcp.logging.LogViewIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var member = new LogViewIamMember("member", LogViewIamMemberArgs.builder()
            .parent(loggingLogView.parent())
            .location(loggingLogView.location())
            .bucket(loggingLogView.bucket())
            .name(loggingLogView.name())
            .role("roles/logging.admin")
            .member("user:jane@example.com")
            .build());
    }
}

resources:
  member:
    type: gcp:logging:LogViewIamMember
    properties:
      parent: ${loggingLogView.parent}
      location: ${loggingLogView.location}
      bucket: ${loggingLogView.bucket}
      name: ${loggingLogView.name}
      role: roles/logging.admin
      member: user:jane@example.com
Unlike LogViewIamBinding, LogViewIamMember is additive: it grants a role to a single member without replacing existing members. Use this when multiple teams manage access independently, or when you need to add users without knowing the full member list. The member property accepts the same identity formats as the members array in bindings.
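To make the authoritative-versus-additive distinction concrete, here is an added example (not provider code and not from the page) that models a log view's IAM policy in memory as a mapping from role to a set of members and applies the two resource semantics to it. It also shows the conflict the page warns about later: when one stack declares a LogViewIamBinding for a role and another stack adds a LogViewIamMember to the same role, the binding's next update removes the member again. Conditions are left out of the model for brevity, and the role names and member identities in demo() are constructed sample values.

```python
from copy import deepcopy

# In-memory model of a log view's IAM policy: {role: set(members)}.
# Constructed for this example; the real policy lives in Cloud Logging.


def apply_binding(policy, role, members):
    """LogViewIamBinding semantics: authoritative for `role`. The role's
    member set becomes exactly `members`; every other role is untouched."""
    new = deepcopy(policy)
    new[role] = set(members)
    return new


def apply_member(policy, role, member):
    """LogViewIamMember semantics: additive. Adds one member to `role` and
    leaves every other member and every other role alone."""
    new = deepcopy(policy)
    new.setdefault(role, set()).add(member)
    return new


def lost_on_reapply(policy, role, binding_members):
    """Members currently on `role` that a re-applied authoritative binding
    would drop. A non-empty result means a Binding and a Member resource
    are managing the same role and will fight over it on every update."""
    return policy.get(role, set()) - set(binding_members)


def demo():
    """Walk through the binding/member conflict on sample data."""
    # Constructed starting policy: an unrelated role that must survive.
    policy = {"roles/logging.viewAccessor": {"group:sre@example.com"}}

    # Stack A declares the page's binding: admin is exactly [jane].
    admin_members = ["user:jane@example.com"]
    policy = apply_binding(policy, "roles/logging.admin", admin_members)

    # Stack B independently adds bob to the same role with a Member resource.
    policy = apply_member(policy, "roles/logging.admin", "user:bob@example.com")

    # Preflight: what would stack A's next update remove?
    dropped = lost_on_reapply(policy, "roles/logging.admin", admin_members)

    # Stack A runs again and re-asserts its authoritative member list.
    policy = apply_binding(policy, "roles/logging.admin", admin_members)
    return policy, dropped


if __name__ == "__main__":
    final_policy, dropped = demo()
    print("dropped on re-apply:", sorted(dropped))
    for role, members in sorted(final_policy.items()):
        print(role, sorted(members))
```

The viewAccessor role is never touched by either operation, which is the "preserving other roles" behaviour of a binding; bob is the casualty of mixing a binding and a member on one role, which is why the page says the two can coexist only when they grant different roles.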
Beyond these examples
These snippets focus on specific IAM binding features: role bindings and member management, and IAM Conditions for time-based access. They’re intentionally minimal rather than full access control policies.
The examples reference pre-existing infrastructure such as log views (parent, location, bucket, name references). They focus on configuring IAM bindings rather than provisioning log views or buckets.
To keep things focused, common IAM patterns are omitted, including:
- LogViewIamPolicy for full policy replacement
- Custom role definitions and formatting
- Federated identity and workload identity pool configuration
- Conflict resolution between Policy, Binding, and Member resources
These omissions are intentional: the goal is to illustrate how each IAM binding feature is wired, not provide drop-in access control modules. See the LogViewIamBinding resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Conflicts
gcp.logging.LogViewIamPolicy is authoritative and replaces the entire IAM policy. gcp.logging.LogViewIamBinding is authoritative for a specific role, preserving other roles. gcp.logging.LogViewIamMember is non-authoritative, adding a single member to a role while preserving other members.

gcp.logging.LogViewIamPolicy cannot be used with gcp.logging.LogViewIamBinding or gcp.logging.LogViewIamMember, as they will conflict over policy state. However, gcp.logging.LogViewIamBinding and gcp.logging.LogViewIamMember can be used together only if they grant different roles.

Use gcp.logging.LogViewIamPolicy for full policy control. Use gcp.logging.LogViewIamBinding to manage all members for a specific role. Use gcp.logging.LogViewIamMember to add individual members without affecting others.

Configuration & Usage

Accepted member formats: allUsers, allAuthenticatedUsers, user:{email}, serviceAccount:{email}, group:{email}, domain:{domain}, projectOwner:{projectid}, projectEditor:{projectid}, projectViewer:{projectid}, and federated identities like principal://iam.googleapis.com/....

Custom roles use the format [projects|organizations]/{parent-name}/roles/{role-name}. For example, projects/my-project/roles/my-custom-role or organizations/my-org/roles/my-custom-role.

The role, bucket, location, parent, name, and condition properties are all immutable and cannot be changed after creation.

Advanced Features

IAM Conditions are supported through the condition property with title, description, and expression fields. However, IAM Conditions have known limitations documented in the GCP IAM Conditions overview.

One gcp.logging.LogViewIamBinding can be used per role. To manage multiple roles, create separate binding resources for each role.
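A small lint for the members list, added here as an example that is not provider code: it checks each identifier against the member formats listed above and separates malformed entries (which the API would reject at deploy time) from the public principals allUsers and allAuthenticatedUsers, which a policy check would usually want to flag on a log view since they expose log data to everyone. The email, domain and project-id patterns are constructed approximations, not the service's exact validation rules.

```python
import re

# Member formats from the FAQ above. Prefixed forms carry a value after ':'.
_PREFIXED = {
    "user", "serviceAccount", "group", "domain",
    "projectOwner", "projectEditor", "projectViewer",
}
_PUBLIC = {"allUsers", "allAuthenticatedUsers"}
_FEDERATED_PREFIX = "principal://iam.googleapis.com/"

# Constructed approximations of the value syntax, tight enough to catch
# obvious mistakes without re-implementing the service's own rules.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_PROJECT_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def classify_member(member):
    """Return (kind, ok): the principal family and whether the id parses."""
    if member in _PUBLIC:
        return "public", True
    if member.startswith(_FEDERATED_PREFIX):
        return "federated", len(member) > len(_FEDERATED_PREFIX)
    prefix, sep, value = member.partition(":")
    if not sep or prefix not in _PREFIXED:
        return "unknown", False
    if prefix in ("user", "serviceAccount", "group"):
        return prefix, bool(_EMAIL_RE.match(value))
    if prefix == "domain":
        return prefix, bool(_DOMAIN_RE.match(value))
    # projectOwner / projectEditor / projectViewer carry a project id.
    return prefix, bool(_PROJECT_RE.match(value))


def lint_members(members):
    """Return {"invalid": [...], "public": [...]} for a members list so a
    policy check can fail on malformed ids and flag public principals."""
    invalid, public = [], []
    for m in members:
        kind, ok = classify_member(m)
        if not ok:
            invalid.append(m)
        elif kind == "public":
            public.append(m)
    return {"invalid": invalid, "public": public}


if __name__ == "__main__":
    # Constructed sample list mixing the page's member with a bad entry.
    sample = ["user:jane@example.com", "allAuthenticatedUsers", "jane@example.com"]
    print(lint_members(sample))
```

Feeding the members array through lint_members before constructing the LogViewIamBinding turns a deploy-time API rejection into a fast local failure, and the public list gives reviewers a single place to see whether a log view is being opened to unauthenticated or all-authenticated principals.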