The gcp:organizations/iAMMember:IAMMember resource, part of the Pulumi GCP provider, grants a single identity access to an organization-level role without affecting other members who already have that role. This guide focuses on two capabilities: adding individual members to roles and applying time-limited access with IAM Conditions.
IAMMember is non-authoritative: it adds one member to a role without replacing existing grants. It references an organization by numeric ID and requires that user accounts, service accounts, or groups exist before granting access. The examples are intentionally small. Combine them with your own identity management and role definitions.
Grant a role to a single member
Most IAM configurations start by granting a specific role to one identity without affecting others who already have the role.
TypeScript

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";

    const organization = new gcp.organizations.IAMMember("organization", {
        orgId: "1234567890",
        role: "roles/editor",
        member: "user:jane@example.com",
    });

Python

    import pulumi
    import pulumi_gcp as gcp

    organization = gcp.organizations.IAMMember("organization",
        org_id="1234567890",
        role="roles/editor",
        member="user:jane@example.com")

Go

    package main

    import (
        "github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
        "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )

    func main() {
        pulumi.Run(func(ctx *pulumi.Context) error {
            _, err := organizations.NewIAMMember(ctx, "organization", &organizations.IAMMemberArgs{
                OrgId:  pulumi.String("1234567890"),
                Role:   pulumi.String("roles/editor"),
                Member: pulumi.String("user:jane@example.com"),
            })
            if err != nil {
                return err
            }
            return nil
        })
    }

C#

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;

    return await Deployment.RunAsync(() =>
    {
        var organization = new Gcp.Organizations.IAMMember("organization", new()
        {
            OrgId = "1234567890",
            Role = "roles/editor",
            Member = "user:jane@example.com",
        });
    });

Java

    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.IAMMember;
    import com.pulumi.gcp.organizations.IAMMemberArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        public static void stack(Context ctx) {
            var organization = new IAMMember("organization", IAMMemberArgs.builder()
                .orgId("1234567890")
                .role("roles/editor")
                .member("user:jane@example.com")
                .build());
        }
    }

YAML

    resources:
      organization:
        type: gcp:organizations:IAMMember
        properties:
          orgId: '1234567890'
          role: roles/editor
          member: user:jane@example.com
The member property specifies the identity using a prefix format: user: for Google accounts, serviceAccount: for service accounts, group: for Google Groups, or domain: for G Suite domains. The role property accepts predefined roles like roles/editor or custom roles in the format organizations/{{org_id}}/roles/{{role_id}}. This grant adds the member without removing others.
Grant time-limited access with IAM Conditions
Temporary access grants expire automatically when IAM Conditions evaluate to false, eliminating manual cleanup.
TypeScript

    import * as pulumi from "@pulumi/pulumi";
    import * as gcp from "@pulumi/gcp";

    const organization = new gcp.organizations.IAMMember("organization", {
        orgId: "1234567890",
        role: "roles/editor",
        member: "user:jane@example.com",
        condition: {
            title: "expires_after_2019_12_31",
            description: "Expiring at midnight of 2019-12-31",
            expression: "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        },
    });

Python

    import pulumi
    import pulumi_gcp as gcp

    organization = gcp.organizations.IAMMember("organization",
        org_id="1234567890",
        role="roles/editor",
        member="user:jane@example.com",
        condition={
            "title": "expires_after_2019_12_31",
            "description": "Expiring at midnight of 2019-12-31",
            "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
        })

Go

    package main

    import (
        "github.com/pulumi/pulumi-gcp/sdk/v9/go/gcp/organizations"
        "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )

    func main() {
        pulumi.Run(func(ctx *pulumi.Context) error {
            _, err := organizations.NewIAMMember(ctx, "organization", &organizations.IAMMemberArgs{
                OrgId:  pulumi.String("1234567890"),
                Role:   pulumi.String("roles/editor"),
                Member: pulumi.String("user:jane@example.com"),
                Condition: &organizations.IAMMemberConditionArgs{
                    Title:       pulumi.String("expires_after_2019_12_31"),
                    Description: pulumi.String("Expiring at midnight of 2019-12-31"),
                    Expression:  pulumi.String("request.time < timestamp(\"2020-01-01T00:00:00Z\")"),
                },
            })
            if err != nil {
                return err
            }
            return nil
        })
    }

C#

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Gcp = Pulumi.Gcp;

    return await Deployment.RunAsync(() =>
    {
        var organization = new Gcp.Organizations.IAMMember("organization", new()
        {
            OrgId = "1234567890",
            Role = "roles/editor",
            Member = "user:jane@example.com",
            Condition = new Gcp.Organizations.Inputs.IAMMemberConditionArgs
            {
                Title = "expires_after_2019_12_31",
                Description = "Expiring at midnight of 2019-12-31",
                Expression = "request.time < timestamp(\"2020-01-01T00:00:00Z\")",
            },
        });
    });

Java

    package generated_program;

    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.gcp.organizations.IAMMember;
    import com.pulumi.gcp.organizations.IAMMemberArgs;
    import com.pulumi.gcp.organizations.inputs.IAMMemberConditionArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;

    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        public static void stack(Context ctx) {
            var organization = new IAMMember("organization", IAMMemberArgs.builder()
                .orgId("1234567890")
                .role("roles/editor")
                .member("user:jane@example.com")
                .condition(IAMMemberConditionArgs.builder()
                    .title("expires_after_2019_12_31")
                    .description("Expiring at midnight of 2019-12-31")
                    .expression("request.time < timestamp(\"2020-01-01T00:00:00Z\")")
                    .build())
                .build());
        }
    }

YAML

    resources:
      organization:
        type: gcp:organizations:IAMMember
        properties:
          orgId: '1234567890'
          role: roles/editor
          member: user:jane@example.com
          condition:
            title: expires_after_2019_12_31
            description: Expiring at midnight of 2019-12-31
            expression: request.time < timestamp("2020-01-01T00:00:00Z")
The condition block uses Common Expression Language (CEL) to define when access is valid. The expression field is evaluated against each request at request time; here, access expires at midnight UTC on 2020-01-01, the instant the comparison request.time < timestamp("2020-01-01T00:00:00Z") stops being true. The title and description fields document the condition’s purpose. Conditions work with any member type and any role.
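Added example, not code from the Pulumi docs or provider: a TypeScript helper that validates the member prefixes, role formats and numeric orgId described above and derives the CEL expiry condition from a Date, returning a plain object to hand to new gcp.organizations.IAMMember. All helper names and the injectable now parameter are assumptions; @pulumi/gcp is deliberately not imported so the block runs offline.

```typescript
// Added example, not part of the Pulumi provider: validates the IAMMember inputs
// the page describes. Hypothetical helpers; @pulumi/gcp is not imported.
type IamCondition = { title: string; description: string; expression: string };
type IamMemberArgs = { orgId: string; role: string; member: string; condition?: IamCondition };

// The four member prefixes the page lists; domain: takes a bare domain name.
const MEMBER_RE = /^(user|serviceAccount|group):[^@\s]+@[^@\s]+$|^domain:[^@\s]+$/;
// Predefined roles (roles/editor) or organization-level custom roles.
const PREDEFINED_ROLE_RE = /^roles\/[A-Za-z0-9_.]+$/;
const CUSTOM_ROLE_RE = /^organizations\/(\d+)\/roles\/[A-Za-z0-9_.]+$/;

function validateMember(member: string): string {
    if (!MEMBER_RE.test(member)) {
        throw new Error(`member needs a user:, serviceAccount:, group: or domain: prefix, got "${member}"`);
    }
    return member;
}

function validateRole(orgId: string, role: string): string {
    if (PREDEFINED_ROLE_RE.test(role)) return role;
    const m = CUSTOM_ROLE_RE.exec(role);
    if (m && m[1] === orgId) return role; // custom role must belong to the target organization
    throw new Error(`role must be roles/<id> or organizations/${orgId}/roles/<id>, got "${role}"`);
}

// CEL expiry condition in the page's form: request.time < timestamp("...").
// `now` is injectable so the future-date check is deterministic in tests.
function expiryCondition(expiresAt: Date, now: Date = new Date()): IamCondition {
    if (expiresAt.getTime() <= now.getTime()) {
        throw new Error("expiresAt is already past: the grant would never allow access");
    }
    const iso = expiresAt.toISOString().replace(/\.\d{3}Z$/, "Z"); // whole seconds, UTC
    return {
        title: `expires_before_${iso.slice(0, 10).replace(/-/g, "_")}`,
        description: `Access expires at ${iso}`,
        expression: `request.time < timestamp("${iso}")`,
    };
}

// Returns the object to pass as the second argument of new gcp.organizations.IAMMember(...).
function iamMemberArgs(orgId: string, role: string, member: string,
                       expiresAt?: Date, now?: Date): IamMemberArgs {
    if (!/^\d+$/.test(orgId)) throw new Error(`orgId must be the numeric organization ID, got "${orgId}"`);
    const args: IamMemberArgs = { orgId, role: validateRole(orgId, role), member: validateMember(member) };
    if (expiresAt) args.condition = expiryCondition(expiresAt, now);
    return args;
}
```

Rejecting a past expiry is the important edge case: such a grant never allows access, and would otherwise sit silently in the policy looking like a valid entry.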
Beyond these examples
These snippets focus on specific IAMMember features: single-member role grants and time-based access with IAM Conditions. They’re intentionally minimal rather than full access control systems.
The examples reference pre-existing infrastructure such as GCP organizations with numeric IDs, and user accounts, service accounts, or groups to grant access to. They focus on granting access to individual members rather than managing complete policies.
To keep things focused, common IAM patterns are omitted, including:
- Multi-member grants (use IAMBinding for authoritative role management)
- Full policy replacement (use IAMPolicy for complete control)
- Audit logging configuration (use IamAuditConfig)
- Custom role definitions (roles must exist before granting)
These omissions are intentional: the goal is to illustrate how IAMMember grants are wired, not provide drop-in access control modules. See the Organizations IAMMember resource reference for all available configuration options.
Frequently Asked Questions
Resource Selection & Compatibility
You have four options:
- IAMPolicy - Authoritative, replaces entire policy (use with caution)
- IAMBinding - Authoritative per role, preserves other roles
- IAMMember - Non-authoritative, adds single member to a role
- IamAuditConfig - Authoritative per service, enables audit logging
gcp.organizations.IAMPolicy cannot be used with gcp.organizations.IAMBinding, gcp.organizations.IAMMember, or gcp.organizations.IamAuditConfig because they will conflict over policy state.
Access Control & Security
Two critical precautions:
- Avoid IAMPolicy on new organizations - It overwrites default policies and can remove your access. Recovery requires Google Support and can take multiple days. Use gcp.organizations.IAMBinding instead.
- Include yourself in roles/owner - When setting role to roles/owner, always include a user or service account you have access to in members.
The member property accepts four formats:
- user:{emailid} - Specific Google account (e.g., alice@gmail.com)
- serviceAccount:{emailid} - Service account (e.g., my-app@appspot.gserviceaccount.com)
- group:{emailid} - Google group (e.g., admins@example.com)
- domain:{domain} - G Suite domain for all users (e.g., example.com)
Configuration & Customization
- Time-limited access: use the condition property with title, description, and expression. For example, to expire access at midnight on 2019-12-31, set expression to request.time < timestamp("2020-01-01T00:00:00Z").
- Custom roles: use the format organizations/{{org_id}}/roles/{{role_id}}.
- Properties that cannot be updated in place: member, orgId, role, and condition. Changing any of these requires recreating the resource.