The gcp:notebooks/runtimeIamBinding:RuntimeIamBinding resource, part of the Pulumi GCP provider, manages IAM role bindings for Cloud AI Notebooks Runtime instances. The parent resource (gcp.notebooks.Runtime) is deprecated; for new projects, use gcp.workbench.Instance instead. This guide focuses on two capabilities: granting roles to multiple members and adding individual members to roles.
IAM bindings reference existing runtime instances and control which users and service accounts can access them. The examples are intentionally small. Combine them with your own runtime instances and organizational access policies.
Grant a role to multiple members
When managing notebook access for teams, you often need to grant the same role to multiple users or service accounts at once. Where possible, grant the role to a Google group (`group:{email}`) rather than listing individual users, so that team membership changes are handled in the group instead of by editing the binding.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// IAM binding for an existing Cloud AI Notebooks Runtime. `runtime` is the
// gcp.notebooks.Runtime resource (or a lookup of one) defined elsewhere in
// this program; this snippet does not create the runtime.
//
// RuntimeIamBinding is authoritative for `role`: on every update the role's
// member list on the runtime is replaced with exactly `members`, so anyone
// granted this role outside of Pulumi is removed. Keep the list narrow and
// avoid `allUsers`/`allAuthenticatedUsers` on a notebook runtime.
const bindingArgs: gcp.notebooks.RuntimeIamBindingArgs = {
    project: runtime.project,
    location: runtime.location,
    runtimeName: runtime.name,
    // NOTE(review): roles/viewer is a basic role; a narrower predefined or
    // custom notebooks role may fit better -- confirm against your access policy.
    role: "roles/viewer",
    members: ["user:jane@example.com"],
};
const binding = new gcp.notebooks.RuntimeIamBinding("binding", bindingArgs);
import pulumi
import pulumi_gcp as gcp
# IAM binding for an existing Cloud AI Notebooks Runtime. `runtime` is the
# gcp.notebooks.Runtime resource (or a lookup of one) defined elsewhere in
# this program; this snippet does not create the runtime.
#
# RuntimeIamBinding is authoritative for `role`: each update replaces the
# role's member list on the runtime with exactly `members`, removing any
# member granted the role outside of Pulumi. Keep the list narrow and avoid
# `allUsers`/`allAuthenticatedUsers` on a notebook runtime.
binding_args = {
    "project": runtime["project"],
    "location": runtime["location"],
    "runtime_name": runtime["name"],
    # NOTE(review): roles/viewer is a basic role; a narrower predefined or
    # custom notebooks role may fit better -- confirm against your access policy.
    "role": "roles/viewer",
    "members": ["user:jane@example.com"],
}
binding = gcp.notebooks.RuntimeIamBinding("binding", **binding_args)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/notebooks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// `runtime` is the existing notebooks Runtime resource defined elsewhere
		// in the program; this snippet only manages its IAM binding.
		//
		// RuntimeIamBinding is authoritative for Role: every update replaces the
		// role's member list on the runtime with exactly Members, so grants made
		// outside of Pulumi for this role are removed. Keep Members narrow and
		// avoid allUsers/allAuthenticatedUsers on a notebook runtime.
		args := &notebooks.RuntimeIamBindingArgs{
			Project:     pulumi.Any(runtime.Project),
			Location:    pulumi.Any(runtime.Location),
			RuntimeName: pulumi.Any(runtime.Name),
			// NOTE(review): roles/viewer is a basic role; a narrower predefined
			// or custom notebooks role may fit better -- confirm against policy.
			Role:    pulumi.String("roles/viewer"),
			Members: pulumi.StringArray{pulumi.String("user:jane@example.com")},
		}
		if _, err := notebooks.NewRuntimeIamBinding(ctx, "binding", args); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    // `runtime` is the existing notebooks Runtime resource defined elsewhere in
    // the program; this snippet only manages its IAM binding.
    //
    // RuntimeIamBinding is authoritative for Role: every update replaces the
    // role's member list on the runtime with exactly Members, so grants made
    // outside of Pulumi for this role are removed. Keep Members narrow and
    // avoid allUsers/allAuthenticatedUsers on a notebook runtime.
    var bindingArgs = new Gcp.Notebooks.RuntimeIamBindingArgs
    {
        Project = runtime.Project,
        Location = runtime.Location,
        RuntimeName = runtime.Name,
        // NOTE(review): roles/viewer is a basic role; a narrower predefined or
        // custom notebooks role may fit better -- confirm against your policy.
        Role = "roles/viewer",
        Members = new[] { "user:jane@example.com" },
    };
    var binding = new Gcp.Notebooks.RuntimeIamBinding("binding", bindingArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.notebooks.RuntimeIamBinding;
import com.pulumi.gcp.notebooks.RuntimeIamBindingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Grants {@code roles/viewer} on an existing Cloud AI Notebooks Runtime.
     * {@code runtime} is the notebooks Runtime resource defined elsewhere in the
     * program; this stack does not create it.
     *
     * <p>RuntimeIamBinding is authoritative for the role: each update replaces
     * the role's member list on the runtime with exactly the members given here,
     * so grants made outside of Pulumi for this role are removed. Keep the list
     * narrow and avoid allUsers/allAuthenticatedUsers on a notebook runtime.
     */
    public static void stack(Context ctx) {
        // NOTE(review): roles/viewer is a basic role; a narrower predefined or
        // custom notebooks role may fit better -- confirm against your policy.
        var bindingArgs = RuntimeIamBindingArgs.builder()
            .project(runtime.project())
            .location(runtime.location())
            .runtimeName(runtime.name())
            .role("roles/viewer")
            .members("user:jane@example.com")
            .build();
        var binding = new RuntimeIamBinding("binding", bindingArgs);
    }
}
resources:
  # IAM binding for an existing Cloud AI Notebooks Runtime; `runtime` is the
  # gcp:notebooks:Runtime resource declared elsewhere in this program.
  #
  # RuntimeIamBinding is authoritative for `role`: each update replaces the
  # role's member list on the runtime with exactly `members`, so grants made
  # outside of Pulumi for this role are removed. Keep `members` narrow and
  # avoid allUsers/allAuthenticatedUsers on a notebook runtime.
  binding:
    type: gcp:notebooks:RuntimeIamBinding
    properties:
      project: ${runtime.project}
      location: ${runtime.location}
      runtimeName: ${runtime.name}
      # NOTE(review): roles/viewer is a basic role; a narrower predefined or
      # custom notebooks role may fit better -- confirm against your policy.
      role: roles/viewer
      members:
        - user:jane@example.com
The RuntimeIamBinding resource is authoritative for the specified role: on every update it replaces the role's member list on the runtime with exactly the members array, so any grant for that role made outside Pulumi — or by a second RuntimeIamBinding targeting the same role on the same runtime — is removed. The members array accepts user accounts, service accounts, groups, and special identifiers such as allAuthenticatedUsers; be aware that allAuthenticatedUsers matches any Google account and allUsers matches anyone at all, so neither is appropriate for a notebook runtime that holds data or credentials. The role property specifies which permission set to grant, and runtimeName identifies the target runtime instance.
Add a single member to a role
For onboarding individual users or granting access to specific service accounts, you can add members incrementally without replacing existing assignments.
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
// Adds one member to a role on an existing Cloud AI Notebooks Runtime.
// `runtime` is the gcp.notebooks.Runtime resource (or a lookup of one) defined
// elsewhere in this program; this snippet does not create the runtime.
//
// RuntimeIamMember is non-authoritative: it only ensures `member` holds
// `role` and leaves every other member of the role untouched. It therefore
// cannot remove grants made elsewhere -- review the runtime's effective IAM
// policy separately if this resource is your only access control.
const memberArgs: gcp.notebooks.RuntimeIamMemberArgs = {
    project: runtime.project,
    location: runtime.location,
    runtimeName: runtime.name,
    // NOTE(review): roles/viewer is a basic role; a narrower predefined or
    // custom notebooks role may fit better -- confirm against your access policy.
    role: "roles/viewer",
    member: "user:jane@example.com",
};
const member = new gcp.notebooks.RuntimeIamMember("member", memberArgs);
import pulumi
import pulumi_gcp as gcp
# Adds one member to a role on an existing Cloud AI Notebooks Runtime.
# `runtime` is the gcp.notebooks.Runtime resource (or a lookup of one) defined
# elsewhere in this program; this snippet does not create the runtime.
#
# RuntimeIamMember is non-authoritative: it only ensures `member` holds `role`
# and leaves the role's other members untouched. It therefore cannot remove
# grants made elsewhere -- review the runtime's effective IAM policy separately
# if this resource is your only access control.
member_args = {
    "project": runtime["project"],
    "location": runtime["location"],
    "runtime_name": runtime["name"],
    # NOTE(review): roles/viewer is a basic role; a narrower predefined or
    # custom notebooks role may fit better -- confirm against your access policy.
    "role": "roles/viewer",
    "member": "user:jane@example.com",
}
member = gcp.notebooks.RuntimeIamMember("member", **member_args)
package main
import (
"github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/notebooks"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// `runtime` is the existing notebooks Runtime resource defined elsewhere
		// in the program; this snippet only adds one IAM member to it.
		//
		// RuntimeIamMember is non-authoritative: it ensures Member holds Role and
		// leaves the role's other members untouched. It cannot remove grants made
		// elsewhere, so review the runtime's effective IAM policy separately.
		args := &notebooks.RuntimeIamMemberArgs{
			Project:     pulumi.Any(runtime.Project),
			Location:    pulumi.Any(runtime.Location),
			RuntimeName: pulumi.Any(runtime.Name),
			// NOTE(review): roles/viewer is a basic role; a narrower predefined
			// or custom notebooks role may fit better -- confirm against policy.
			Role:   pulumi.String("roles/viewer"),
			Member: pulumi.String("user:jane@example.com"),
		}
		if _, err := notebooks.NewRuntimeIamMember(ctx, "member", args); err != nil {
			return err
		}
		return nil
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Gcp = Pulumi.Gcp;
return await Deployment.RunAsync(() =>
{
    // `runtime` is the existing notebooks Runtime resource defined elsewhere in
    // the program; this snippet only adds one IAM member to it.
    //
    // RuntimeIamMember is non-authoritative: it ensures Member holds Role and
    // leaves the role's other members untouched. It cannot remove grants made
    // elsewhere, so review the runtime's effective IAM policy separately.
    var memberArgs = new Gcp.Notebooks.RuntimeIamMemberArgs
    {
        Project = runtime.Project,
        Location = runtime.Location,
        RuntimeName = runtime.Name,
        // NOTE(review): roles/viewer is a basic role; a narrower predefined or
        // custom notebooks role may fit better -- confirm against your policy.
        Role = "roles/viewer",
        Member = "user:jane@example.com",
    };
    var member = new Gcp.Notebooks.RuntimeIamMember("member", memberArgs);
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.gcp.notebooks.RuntimeIamMember;
import com.pulumi.gcp.notebooks.RuntimeIamMemberArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Adds one member to {@code roles/viewer} on an existing Cloud AI Notebooks
     * Runtime. {@code runtime} is the notebooks Runtime resource defined
     * elsewhere in the program; this stack does not create it.
     *
     * <p>RuntimeIamMember is non-authoritative: it ensures the given member
     * holds the role and leaves the role's other members untouched. It cannot
     * remove grants made elsewhere, so review the runtime's effective IAM
     * policy separately.
     */
    public static void stack(Context ctx) {
        // NOTE(review): roles/viewer is a basic role; a narrower predefined or
        // custom notebooks role may fit better -- confirm against your policy.
        var memberArgs = RuntimeIamMemberArgs.builder()
            .project(runtime.project())
            .location(runtime.location())
            .runtimeName(runtime.name())
            .role("roles/viewer")
            .member("user:jane@example.com")
            .build();
        var member = new RuntimeIamMember("member", memberArgs);
    }
}
resources:
  # Adds one IAM member to an existing Cloud AI Notebooks Runtime; `runtime` is
  # the gcp:notebooks:Runtime resource declared elsewhere in this program.
  #
  # RuntimeIamMember is non-authoritative: it ensures `member` holds `role` and
  # leaves the role's other members untouched. It cannot remove grants made
  # elsewhere, so review the runtime's effective IAM policy separately.
  member:
    type: gcp:notebooks:RuntimeIamMember
    properties:
      project: ${runtime.project}
      location: ${runtime.location}
      runtimeName: ${runtime.name}
      # NOTE(review): roles/viewer is a basic role; a narrower predefined or
      # custom notebooks role may fit better -- confirm against your policy.
      role: roles/viewer
      member: user:jane@example.com
The RuntimeIamMember resource is non-authoritative: it ensures the given identity holds the role and preserves any other members already assigned to it. Use member (singular) instead of members (plural) to specify a single identity. This approach works well when several teams or stacks grant access to the same runtime without coordinating. The trade-off is that a non-authoritative resource cannot remove grants it did not make — access added manually or by another stack stays in place until someone revokes it — so periodically review the runtime's effective IAM policy rather than relying on the Pulumi program alone.
Beyond these examples
These snippets focus on specific IAM binding features: role-based access control and the distinction between binding and member resources. They’re intentionally minimal rather than full access management solutions.
The examples reference pre-existing infrastructure such as Cloud AI Notebooks Runtime instances and a GCP project with configured location. They focus on configuring IAM bindings rather than provisioning the runtime itself.
To keep things focused, common IAM patterns are omitted, including:
- Conditional IAM bindings (condition property)
- Custom role definitions
- Policy-level management (RuntimeIamPolicy)
- Federated identity configuration
These omissions are intentional: the goal is to illustrate how IAM bindings are wired, not provide drop-in access control modules. See the Runtime IAM Binding resource reference for all available configuration options.
Frequently Asked Questions
Deprecation & Migration
gcp.notebooks.Runtime is deprecated and will be removed in a future major release. Migrate to gcp.workbench.Instance instead.
IAM Resource Conflicts
gcp.notebooks.RuntimeIamPolicy cannot be used together with RuntimeIamBinding or RuntimeIamMember on the same runtime, because they will conflict over the policy and overwrite each other on every update. Choose one approach: use RuntimeIamPolicy alone for full control, or use RuntimeIamBinding/RuntimeIamMember for incremental changes.
RuntimeIamPolicy is authoritative and replaces the entire IAM policy. RuntimeIamBinding is authoritative for a specific role but preserves other roles. RuntimeIamMember is non-authoritative and adds a single member while preserving other members for that role.
Configuration & Identity Management
Predefined roles are referenced as roles/{role-name} (for example, roles/viewer as in the snippets above). Custom roles use the form [projects|organizations]/{parent-name}/roles/{role-name}, for example projects/my-project/roles/my-custom-role.
The member and members values accept several identity formats:
- allUsers (anyone on the internet, unauthenticated) or allAuthenticatedUsers (any Google account) for public access — both are effectively public grants and should not be used on a notebook runtime
- user:{email} for specific Google accounts (e.g., user:alice@gmail.com)
- serviceAccount:{email} for service accounts
- group:{email} for Google groups
- domain:{domain} for all users of a Google Workspace (formerly G Suite) or Cloud Identity domain
- projectOwner:{projectid}, projectEditor:{projectid}, or projectViewer:{projectid} for everyone who holds the corresponding basic role on that project
- Federated identities for workload/workforce identity pools
Immutability & Constraints
The role, location, project, and runtimeName properties are immutable: changing any of them causes Pulumi to replace the resource (delete and recreate) rather than update it in place. Plan such changes deliberately, since the replacement briefly removes and re-adds the grant, and for an authoritative RuntimeIamBinding the new resource will again overwrite the role's full member list.